Feed aggregator

How we reduced Linux boot time on iMX93 to 1.8s  Hackster.io

7 Reasons Windows Subsystem for Linux Works For Me  How-To Geek

There's no such thing as a beginner Linux distro (and there never will be)  How-To Geek

An anonymous reader quotes a report from BleepingComputer: Audio streaming platform SoundCloud has confirmed that outages and VPN connection issues over the past few days were caused by a security breach in which threat actors stole a database containing user information. The disclosure follows widespread reports over the past four days from users who were unable to access SoundCloud when connecting via VPN, with attempts resulting in the site displaying 403 "forbidden" errors. In a statement shared with BleepingComputer, SoundCloud said it recently detected unauthorized activity involving an ancillary service dashboard and activated its incident response procedures. SoundCloud acknowledged that a threat actor accessed some of its data but said the exposure was limited in scope. [...] BleepingComputer has learned that the breach affects 20% of SoundCloud's users, which, based on publicly reported user figures, could impact roughly 28 million accounts. The company said it is confident that all unauthorized access to SoundCloud systems has been blocked and that there is no ongoing risk to the platform. "We understand that a purported threat actor group accessed certain limited data that we hold," SoundCloud told BleepingComputer. "We have completed an investigation into the data that was impacted, and no sensitive data (such as financial or password data) has been accessed. The data involved consisted only of email addresses and information already visible on public SoundCloud profiles."

Read more of this story at Slashdot.

Emmabuntüs Debian Edition 6 Is Now Available Based on Debian 13 “Trixie”  9to5Linux

The 5 best Linux apps for students  How-To Geek

After Decades, Linux Finally Gains Stable GPIB Support  Hackaday

Dual-PCB Linux computer with 843 components designed by AI boots on first attempt — Project Speedrun was made in just one week and required less than 40 hours of human work  Tom's Hardware

Poly Bridge developer’s next game is Poly Bricks - a LEGO-like cozy, creative brick-building game  GamingOnLinux

I use these 5 grep options to find anything fast  How-To Geek

12 eBPF-Powered CLI Utilities That Every Modern Linux Sysadmin Should Master  It's FOSS

PayPal has applied to become a US bank by forming a Utah-chartered industrial loan company, signaling a push to deepen its financial services "as companies rush to capitalize on a friendly regulatory environment under the Trump administration," reports Reuters. From the report: If approved, the move will help PayPal to strengthen its lending offerings to small businesses in the U.S. as well as reduce its reliance on third parties. "Securing capital remains a significant hurdle for small businesses striving to grow and scale," said PayPal CEO Alex Chriss. "Establishing PayPal Bank will strengthen our business and improve our efficiency, enabling us to better support small business growth and economic opportunities across the U.S." PayPal also plans to offer interest-bearing savings accounts to customers. The company has provided over $30 billion in loans and capital since 2013, it said. [...] PayPal has selected Mara McNeill to serve as PayPal Bank's president. She comes with over two decades of experience in banking and commercial lending, and has previously served as the CEO of Toyota Financial Savings Bank.

Read more of this story at Slashdot.

Microsoft Update Breaks VPS Access for Windows Subsystem for Linux Users  Cyber Press

React2Shell Vulnerability Actively Exploited to Deploy Linux Backdoors  The Hacker News

Microsoft Update Disrupts VPS Access for Windows Subsystem for Linux Users  gbhackers.com

A new study warns that glaciers in the European Alps will hit their peak extinction rate within eight years, with global glacier loss accelerating toward thousands per year unless emissions are rapidly cut. "Glaciers in the western US and Canada are forecast to reach their peak year of loss less than a decade later, with more than 800 disappearing each year by then," adds the Guardian. From the report: About 200,000 glaciers remain worldwide, with about 750 disappearing each year. However, the research indicates this pace will accelerate rapidly as emissions from burning fossil fuels continue to be released into the atmosphere. Current climate action plans from governments are forecast to push global temperatures to about 2.7C above preindustrial levels, supercharging extreme weather. Under this scenario, glacier losses would peak at about 3,000 a year in 2040 and plateau at that rate until 2060. By the end of the century, 80% of today's glaciers will have gone. By contrast, rapid cuts to carbon emissions to keep global temperature rise to 1.5C would cap annual losses at about 2,000 a year in 2040, after which the rate would decline. [...] The new study, published in Nature Climate Change, analyzed more than 200,000 glaciers from a database of outlines derived from satellite images. The researchers used three global glacier models to assess their fate under different heating scenarios. Regions with the smallest and fastest-melting glaciers were found to be the most vulnerable. The study estimates the 3,200 glaciers in central Europe would shrink by 87% by 2100 -- even if global temperature rise is limited to 1.5C, rising to 97% under 2.7C of heating. In the western US and Canada, including Alaska, about 70% of today's 45,000 glaciers are projected to vanish under 1.5C of heating, and more than 90% under 2.7C. The Caucasus and southern Andes are also expected to face devastating losses. Larger glaciers take longer to melt, with those in Greenland reaching their peak extinction rate in about 2063 -- losing 40% by 2100 under 1.5C of heating and 59% under 2.7C. However, the melting is forecast to continue beyond 2100. The researchers said the peak loss dates represent more than a numerical milestone. "They mark turning points with profound implications for ecosystems, water resources and cultural heritage," they wrote. "[It is] a human story of vanishing landscapes, fading traditions and disrupted daily routines."

Read more of this story at Slashdot.

An anonymous reader quotes a report from Ars Technica: Microsoft is killing off an obsolete and vulnerable encryption cipher that Windows has supported by default for 26 years following more than a decade of devastating hacks that exploited it and recently faced blistering criticism from a prominent US senator. When the software maker rolled out Active Directory in 2000, it made RC4 a sole means of securing the Windows component, which administrators use to configure and provision fellow administrator and user accounts inside large organizations. RC4, short for Rivist Cipher 4, is a nod to mathematician and cryptographer Ron Rivest of RSA Security, who developed the stream cipher in 1987. Within days of the trade-secret-protected algorithm being leaked in 1994, a researcher demonstrated a cryptographic attack that significantly weakened the security it had been believed to provide. Despite the known susceptibility, RC4 remained a staple in encryption protocols, including SSL and its successor TLS, until about a decade ago. [...] Last week, Microsoft said it was finally deprecating RC4 and cited its susceptibility to Kerberoasting, the form of attack, known since 2014, that was the root cause of the initial intrusion into Ascension's network. "By mid-2026, we will be updating domain controller defaults for the Kerberos Key Distribution Center (KDC) on Windows Server 2008 and later to only allow AES-SHA1 encryption," Matthew Palko, a Microsoft principal program manager, wrote. "RC4 will be disabled by default and only used if a domain administrator explicitly configures an account or the KDC to use it." [...] Following next year's change, RC4 authentication will no longer function unless administrators perform the extra work to allow it. In the meantime, Palko said, it's crucial that admins identify any systems inside their networks that rely on the cipher. Despite the known vulnerabilities, RC4 remains the sole means of some third-party legacy systems for authenticating to Windows networks. These systems can often go overlooked in networks even though they are required for crucial functions. To streamline the identification of such systems, Microsoft is making several tools available. One is an update to KDC logs that will track both requests and responses that systems make using RC4 when performing requests through Kerberos. Kerberos is an industry-wide authentication protocol for verifying the identities of users and services over a non-secure network. It's the sole means for mutual authentication to Active Directory, which hackers attacking Windows networks widely consider a Holy Grail because of the control they gain once it has been compromised. Microsoft is also introducing new PowerShell scripts to sift through security event logs to more easily pinpoint problematic RC4 usage. Microsoft said it has steadily worked over the past decade to deprecate RC4, but that the task wasn't easy. "The problem though is that it's hard to kill off a cryptographic algorithm that is present in every OS that's shipped for the last 25 years and was the default algorithm for so long, Steve Syfuhs, who runs Microsoft's Windows Authentication team, wrote on Bluesky. "See," he continued, "the problem is not that the algorithm exists. The problem is how the algorithm is chosen, and the rules governing that spanned 20 years of code changes."

Read more of this story at Slashdot.

An anonymous reader quotes a report from Ars Technica: Microsoft is killing off an obsolete and vulnerable encryption cipher that Windows has supported by default for 26 years following more than a decade of devastating hacks that exploited it and recently faced blistering criticism from a prominent US senator. When the software maker rolled out Active Directory in 2000, it made RC4 a sole means of securing the Windows component, which administrators use to configure and provision fellow administrator and user accounts inside large organizations. RC4, short for Rivist Cipher 4, is a nod to mathematician and cryptographer Ron Rivest of RSA Security, who developed the stream cipher in 1987. Within days of the trade-secret-protected algorithm being leaked in 1994, a researcher demonstrated a cryptographic attack that significantly weakened the security it had been believed to provide. Despite the known susceptibility, RC4 remained a staple in encryption protocols, including SSL and its successor TLS, until about a decade ago. [...] Last week, Microsoft said it was finally deprecating RC4 and cited its susceptibility to Kerberoasting, the form of attack, known since 2014, that was the root cause of the initial intrusion into Ascension's network. "By mid-2026, we will be updating domain controller defaults for the Kerberos Key Distribution Center (KDC) on Windows Server 2008 and later to only allow AES-SHA1 encryption," Matthew Palko, a Microsoft principal program manager, wrote. "RC4 will be disabled by default and only used if a domain administrator explicitly configures an account or the KDC to use it." [...] Following next year's change, RC4 authentication will no longer function unless administrators perform the extra work to allow it. In the meantime, Palko said, it's crucial that admins identify any systems inside their networks that rely on the cipher. Despite the known vulnerabilities, RC4 remains the sole means of some third-party legacy systems for authenticating to Windows networks. These systems can often go overlooked in networks even though they are required for crucial functions. To streamline the identification of such systems, Microsoft is making several tools available. One is an update to KDC logs that will track both requests and responses that systems make using RC4 when performing requests through Kerberos. Kerberos is an industry-wide authentication protocol for verifying the identities of users and services over a non-secure network. It's the sole means for mutual authentication to Active Directory, which hackers attacking Windows networks widely consider a Holy Grail because of the control they gain once it has been compromised. Microsoft is also introducing new PowerShell scripts to sift through security event logs to more easily pinpoint problematic RC4 usage. Microsoft said it has steadily worked over the past decade to deprecate RC4, but that the task wasn't easy. "The problem though is that it's hard to kill off a cryptographic algorithm that is present in every OS that's shipped for the last 25 years and was the default algorithm for so long, Steve Syfuhs, who runs Microsoft's Windows Authentication team, wrote on Bluesky. "See," he continued, "the problem is not that the algorithm exists. The problem is how the algorithm is chosen, and the rules governing that spanned 20 years of code changes."

Read more of this story at Slashdot.

Fidelity has a number of useful Tools & Calculators, most of which are open to everyone to use. However, their Tax-Loss Harvesting Tool (login required) is meant for Fidelity taxable brokerage customers, as it is based on your personal data and shows the size of your expected capital gains this year, while also helping you identify capital losses that you can “harvest” if you wanted.

You’ll need to provide your marginal tax rates (make an estimate with current brackets here). The tool can even help you place the (market) order to sell those shares with just a couple clicks.

This Fidelity article How to reduce investment taxes contains a lot of details on the practice of tax-loss harvesting:

An investment loss can be used for 2 different things:

– The losses can be used to offset investment gains.
– Remaining losses can offset $3,000 of income on a tax return in one year. (For married individuals filing separately, the deduction is $1,500.)

[…] There are 2 types of gains and losses: short-term and long-term.

– Short-term capital gains and losses are those realized from the sale of investments that you have owned for one year or less.
– Long-term capital gains and losses are realized after selling investments held longer than one year.
The key difference between short- and long-term gains is the rate at which they are taxed.

Short-term capital gains are taxed at your marginal tax rate as ordinary income. The top marginal federal tax rate on ordinary income is 37%.

Wash sale warning: The tool can’t cross-reference all your other non-Fidelity trades, and also doesn’t even account for your Fidelity trades within tax-deferred accounts. If a wash sale occurs, your loss will be disallowed. Here’s the warning provided:

Wash sale warning: Estimated savings based on tax-loss harvesting assumes that you will not have a wash sale that would defer your tax loss.

If you sell shares at a loss and you purchase additional shares of the same or a substantially identical security (in the same or a different account) within the 61-day period that begins 30 days before and ends 30 days after the trade date of the sale, the purchase may result in a wash sale. If a wash sale occurs, the loss from the transaction will be “disallowed” for tax purposes, and the amount of the loss will be added to the cost basis of your shares in the same security. Fidelity adjusts cost basis information related to shares in the same security when a wash sale occurs within an account as the result of an identical security purchase.

You must check your own records across all of your Fidelity and non-Fidelity accounts to ensure that you are correctly accounting for losses related to any wash sales.

ETFs are often the easiest way to harvest a tax loss. Even if you buy-and-hold ETFs, consider ETF tax-loss harvesting (my post from 2008?!) as you can harvest the loss from the sale of an ETF, and then immediately buy a similar but not “substantially identical” ETF without triggering a wash sale. This has become common industry practice. There’s a Fidelity article on this too.

When evaluating your ETFs against the wash-sale rule, compare the issuer, index, and underlying holdings between the two ETFs being swapped. The more dissimilar these are, the more likely it is that you won’t trigger a wash sale.

Even Vanguard does ETF tax-loss harvesting in their advisory services using “surrogate ETFs”.

Surrogate funds are the ETFs (exchange?traded funds) Vanguard Personal Advisor uses toreplace investments sold to harvest losses. They are Vanguard ETFs® with similar asset and sub?asset allocations to the funds we’re replacing.

There may not be as many opportunities to harvest a tax loss this year since most things are up (a good thing!), but something to keep in mind down the road.

The usual disclaimer: I do not provide legal or tax advice. The information herein is general and educational in nature and should not be considered legal or tax advice.

BusenLabs Boron vs. Bohdi Linux: Which lightweight distro is right for you?  ZDNET