Slashdot reader b-dayyy quotes the Linux Security blog: While all Linux 'distros' — or distributed versions of Linux software — are secure by design, certain distros go above and beyond when it comes to protecting users' privacy and security. We've put together a list of our favorite specialized secure Linux distros and spoken with some of their lead developers to find out first-hand what makes these distros so great.
This "favorites" list cites six "excellent specialized secure Linux distros." Some highlights from the article:

• In a conversation with the LinuxSecurity editors, Qubes OS Community Manager Andrew David Wong elaborated, "Rather than attempting to fix all of the security bugs in software, Qubes assumes that all software is buggy and compartmentalizes it accordingly, so that when flaws are inevitably exploited, the damage is contained and the user's most valuable data is protected."

• A Kali Linux contributor provides some insight into the distro's history and the benefits it offers users: "Named after a Hindu goddess, Kali has been around for a long time — but it's still updated weekly, can be run in live mode or installed to a drive, and can also be used on ARM devices like Raspberry Pi."

Obviously there's strong opinions among Slashdot readers. So share your own thoughts in the comments.

What's the best Linux distro for enhanced privacy and security?

Hackaday writes: In the early years of personal computing there were a slew of serious contenders. A PC, a Mac, an Atari ST, an Amiga, and several more that all demanded serious consideration on the general purpose desktop computer market. Of all these platforms, the Amiga somehow stubbornly refuses to die. The Amiga 1200+ from [Jeroen Vandezande] is the latest in a long procession of post-Commodore Amigas, and as its name suggests it provides an upgrade for the popular early-1990s all-in-one Amiga model.

It takes the form of a well-executed open-source printed circuit board that's a drop-in replacement for the original A1200 motherboard... The catch: it does require all the custom Amiga chips from a donor board...

It's fair to say that this is the Amiga upgrade we'd all have loved to see in about 1996 rather than waiting until 2019.
Mike Bouma (Slashdot reader #85,252) shares a recent video showing the latest update of AmigaOS 4 by Hyperion Entertainment, and reminds us of two "also active" Amiga OS clones — AROS and MorphOS.

Further reading: Little Things That Made Amiga Great.

An anonymous reader quotes a report from Ars Technica: Bitflips are events that cause individual bits stored in an electronic device to flip, turning a 0 to a 1 or vice versa. Cosmic radiation and fluctuations in power or temperature are the most common naturally occurring causes. Research from 2010 estimated that a computer with 4GB of commodity RAM has a 96 percent chance of experiencing a bitflip within three days. An independent researcher recently demonstrated how bitflips can come back to bite Windows users when their PCs reach out to Microsoft's windows.com domain. Windows devices do this regularly to perform actions like making sure the time shown in the computer clock is accurate, connecting to Microsoft's cloud-based services, and recovering from crashes.

Remy, as the researcher asked to be referred to, mapped the 32 valid domain names that were one bitflip away from windows.com. Of the 32 bit-flipped values that were valid domain names, Remy found that 14 of them were still available for purchase. This was surprising because Microsoft and other companies normally buy these types of one-off domains to protect customers against phishing attacks. He bought them for $126 and set out to see what would happen.

Over the course of two weeks, Remy's server received 199,180 connections from 626 unique IP addresses that were trying to contact ntp.windows.com. By default, Windows machines will connect to this domain once per week to check that the time shown on the device clock is correct. What the researcher found next was even more surprising. "The NTP client for windows OS has no inherent verification of authenticity, so there is nothing stopping a malicious person from telling all these computers that it's after 03:14:07 on Tuesday, 19 January 2038 and wreaking unknown havoc as the memory storing the signed 32-bit integer for time overflows," he wrote in a post summarizing his findings. "As it turns out though, for ~30% of these computers doing that would make little to no difference at all to those users because their clock is already broken."

An anonymous reader quotes a report from Ars Technica: /e/ OS, the "open-source, pro-privacy, and fully degoogled" fork of Android, is coming to Canada and the USA. Of course, you've always been able to download the software in any region, but now (as first spotted by It's Foss News) the e Foundation will start selling preloaded phones in North America. Previously, /e/ only did business in Europe. Like normal, the e Foundation's smartphone strategy is to sell refurbished Samsung devices with /e/ preloaded. In the US, there are only two phones right now: the Galaxy S9 for $379.99 or a Galaxy S9+ for $429.99. North Americans still have reason to be jealous of Europe, where you can get /e/ preloaded on a Fairphone, which is also Europe-exclusive. These Samsung phones are used devices, but the site says the devices have "been checked and reconditioned to be fully working at our partner's facilities." The phones have a one-year warranty and are described as "Good-as-New" with "no surprises." An /e/ device means you'll be getting a fork of Android 10, and for ongoing support, the e Foundation says, "We aim to support with at least 3 years of software updates and security patches."

/e/ OS was founded by Gael Duval, the creator of Mandrake Linux, and the project describes itself as a "non-profit project in the public interest." /e/ is built a lot like a Linux distribution, in that it takes a curated collection of other open source projects, merges them into a single product, and does its best to fill in the remaining gaps. In this case, /e/ is based on LineageOS, the Android community's open source, device-ready version of Google's Android source code. The primary contribution of /e/ is filling in all the gaps left by the lack of Google apps, so there's an /e/ app store, an /e/ cloud storage and account system, and various Google-replacement apps like a Chromium-based browser, a fork of K-9 Mail for email, contacts, search, photos, etc. The company is even trying to build a Google Assistant replacement. Actually getting regular Android apps to run on a forked version of Android is a challenge. Google Play Services is built into many apps for things like push notifications, and there's a good chance that functionality won't work on /e/ OS. These apps will at least run on /e/ OS instead of exiting outright, thanks to the inclusion of MicroG, an open source project that hijacks Google API calls.

Linux overlord Linus Torvalds has revealed that inclement weather in the USA meant he recently endured six electricity-free days in his Portland, Oregon, home during which he was unable to tend to the kernel. As a result he therefore pondered adding an extra week to the merge window for version 5.12 of the Linux kernel. The Register reports: "As you can tell, I didn't do that," he said in his State of The Kernel update that announced release candidate one of the new kernel cut. "To a large part because people were actually very good about sending in their pull requests, so by the time I finally got power back, everything was nicely lined up and I got things merged up ok." It wasn't just penguinistas behaving well that helped. Torvalds said this version of the kernel has received around 10,000 commits. That's rather fewer than the 12,000 or 13,000 he usually sees.

In case anyone was inconvenienced by blackout-induced inability to merge, Torvalds said he's open to help any kernel devs for whom his unavailability caused problems but is not open to all late pulls. Torvalds rated the new release as offering "a fair amount of historical cleanup" on account of "removing the legacy OPROFILE support (the user tools have been using the "perf" interface for years), and removing several legacy SoC platforms and various drivers that no longer make any sense." Among the big inclusions in 5.12 are Clang Link-Time Optimizations, which make for better compiler performance, and support for Intel's eASIC NX5 silicon that aims to offer an alternative to FPGAs in edge and cloud applications. Qualcomm's Snapdragon 888 5G SoC also gains support.

AmiMoJo shares a report: Last month, the Linux Mint team published a post on the organization's official blog about the importance of installing security updates on machines running the Linux distribution. The essence of the post was that a sizeable number of Linux Mint devices was running outdated applications, packages or even an outdated version of the operating system itself. A sizeable number of devices run on Linux Mint 17.x, according to the blog post, a version of Linux Mint that reached end of support in April 2019. A new blog post, published yesterday, provides information on how the team plans to reduce the update reluctance of Linux Mint users. Next to showing reminders to users, Linux Mint's Update Manager may enforce some of the updates according to the blog post.

"In some cases the Update Manager will be able to remind you to apply updates. In a few of them it might even insist." Upcoming versions will provide information on the implementation, how the "insisting" part may look like, and whether the installation of updates will be enforced. All of this boils down to a single question: how far should operating system developers go when it comes to updates? BetaNews adds: "And now, it seems the Linux Mint developers are taking a page out of Microsoft's playbook by planning to force some updates on its users. Yes, folks, Linux Mint is becoming more like Windows 10."

Catalin Cimpanu, reporting for The Record: A fully weaponized exploit for the Spectre CPU vulnerability was uploaded on the malware-scanning website VirusTotal last month, marking the first time a working exploit capable of doing actual damage has entered the public domain. The exploit was discovered by French security researcher Julien Voisin. It targets Spectre, a major vulnerability that was disclosed in January 2018. [...] The vulnerability, which won a Pwnie Award in 2018 for one of the best security bug discoveries of the year, was considered a milestone moment in the evolution and history of the modern CPU. Its discovery, along with the Meltdown bug, effectively forced CPU vendors to rethink their approach to designing processors, making it clear that they cannot focus on performance alone, to the detriment of data security. Software patches were released at the time, but the Meltdown and Spectre disclosures forced Intel to rethink its entire approach to CPU designs going forward.

At the time, the teams behind the Meltdown and Spectre bugs published their work in the form of research papers and some trivial proof-of-concept code to prove their attacks. Shortly after the Meltdown and Spectre publications, experts at AV-TEST, Fortinet, and Minerva Labs spotted a spike in VirusTotal uploads for both CPU bugs. While initially there was a fear that malware authors might be experimenting with the two bugs as a way to steal data from targeted systems, the exploits were classified as harmless variations of the public PoC code published by the Meltdown and Spectre researchers and no evidence was found of in-the-wild attacks. But today, Voisin said he discovered new Spectre exploits -- one for Windows and one for Linux -- different from the ones before. In particular, Voisin said he found a Linux Spectre exploit capable of dumping the contents of /etc/shadow, a Linux file that stores details on OS user accounts.

Bill Gates "prefers the more open nature of the Android ecosystem, as it's more 'flexible' about how software interfaces with the OS," reports PC Magazine, citing remarks Gates made on Clubhouse to CNBC's Andrew Ross Sorkin: "I actually use an Android phone," Gates told Sorkin. "Because I want to keep track of everything, I'll often play around with iPhones, but the one I carry around happens to be Android. Some of the Android manufacturers pre-install Microsoft software in a way that makes it easy for me. They're more flexible about how the software connects up with the operating system. So that's what I ended up getting used to. You know, a lot of my friends have iPhone so there's no purity."

In 2019, Gates admitted the way he handled Microsoft's own mobile phone division was his "greatest mistake." Microsoft ended up letting Google transform Android into the only true rival for iPhone. Microsoft missed out on a $400 billion market at the time, something Gates deeply regrets. In 2017, however, he went ahead and adopted an Android phone.

During the interview, Davidson indicated that an Android version of Clubhouse could be on its way. He called it a "top feature," which could mean the iPhone Clubhouse could soon dissipate.

LG will make its webOS software available to other companies. From a report: The proprietary software on LG's own sets will be able to be licensed by outside TV brands, the company announced Wednesday. Notably, TV brands that choose to bring LG's software to their televisions will also get its Magic Motion remote, LG's very good cursor-like wand. It would also see the same voice control tools, algorithms, and apps -- including LG Channels -- included on those displays as well, the company said. "By welcoming other manufacturers to join the webOS TV ecosystem, we are embarking on a new path that allows many new TV owners to experience the same great UX and features that are available on LG TVs. We look forward to bringing these new customers into the incredible world of webOS TV," Park Hyoung-sei, president of the LG Home Entertainment Company, said in a statement.

Android users can now take advantage of the Password Checkup feature that Google first introduced in its Chrome web browser in late 2019, the OS maker announced today. From a report: On Android, the Password Checkup feature is now part of the "Autofill with Google" mechanism, which the OS uses to select text from a cache and fill in forms. The idea is that the Password Checkup feature will take passwords stored in the Android OS password manager and check them against a database containing billions of records from public data breaches and see if the password has been previously leaked online. If it has, a warning is shown to the user.

Samsung is upping the ante on Android updates and offering four years of security updates on many of its Android devices. The company's full update package is now three years of major OS updates and four years of security updates, besting even what Google offers on the Pixel line. From a report: In the announcement, Samsung says, "Over the past decade, Samsung has made significant progress in streamlining and speeding up its regular security updates. Samsung worked closely with its OS and chipset partners, as well as over 200 carriers around the world, to ensure that billions of Galaxy devices receive timely security patches." Samsung has experimented with bringing four years of updates to its own Exynos SoC devices, but now it looks like the company is getting Qualcomm models on board as well. Keep in mind that these are not necessarily monthly security updates. Samsung says it's delivering four years of "monthly or quarterly" updates, depending on the age of the device. Samsung's current security bulletin page has the Galaxy S9 (2018) on the monthly update plan, while the Galaxy S8 is on the quarterly plan. So it sounds like three years of monthly security updates and one more year of quarterly updates.

Microsoft's security team said today it has formally completed its investigation into its SolarWinds-related breach and found no evidence that hackers abused its internal systems or official products to pivot and attack end-users and business customers. From a report: The OS maker began investigating the breach in mid-December after it was discovered that Russian-linked hackers breached software vendor SolarWinds and inserted malware inside the Orion IT monitoring platform, a product that Microsoft had also deployed internally. In a blog post published on December 31, Microsoft said it discovered that hackers used the access they gained through the SolarWinds Orion app to pivot to Microsoft's internal network, where they accessed the source code of several internal projects. "Our analysis shows the first viewing of a file in a source repository was in late November and ended when we secured the affected accounts," the company said today, in its final report into the SolarWinds-related breach.

Microsoft has begun deploying this week KB4577586, a Windows update that permanently removes the Adobe Flash Player software from Windows devices. From a report: The update was formally announced last year at the end of October when Microsoft and other browser makers were preparing for the impending Flash end-of-life, scheduled for the end of 2020. According to a support document published at the time, the update was initially supposed to be optional. System administrators who wanted to remove Flash before the EOL date could access the Microsoft Update Catalog, download the KB4577586 packages, and remove Flash to avoid any security-related issues. But this week, multiple Windows 10 users reported that Microsoft is now forcibly installing KB4577586 on their devices and removing Flash support from the OS. While users might think this would cause issues for some enterprises, it actually does not. Last year, Adobe introduced a time bomb in the Flash Player code that prevents the Flash Player app from playing content after January 12.

New numbers show 2020 was the first year that Chromebooks outsold Macs, posting impressive market share gains at the expense of Windows. From a report: Computers powered by Google's Chrome OS have outsold Apple's computers in individual quarters before, but 2020 was the first full year that Chrome OS took second place. Microsoft's Windows still retained majority market share, but also took a big hit as both Chrome OS and macOS gained share. The milestone is based on numbers provided by IDC, which doesn't typically break out sales based on device operating system. But when we went looking to see how the pandemic may have impacted the PC market, IDC analyst Mike Shirer confirmed the findings to GeekWire. This is a big win for Google and a warning for both Apple and Microsoft. It also signals to app and game developers that Chrome OS can no longer be ignored. Frankly, any business that provides a product or service over the internet should be setting aside resources to ensure the Chrome OS experience is comparable to Windows and macOS.

If you're one of the few people still using a PC with an x86 processor more than 15 years old, here's another reason to upgrade: the devices will not work with future Chrome releases, starting with version 89 of the world's most popular browser. TechSpot reports: The Chromium development team announced that CPUs older than the Intel Core 2 Duo and AMD Athlon 64 would not work with Chrome 89 and future versions as they do not meet the new minimum instruction set requirement of SSE3 (Supplemental Streaming SIMD Extensions 3) support. So, if you are still sporting an Intel Atom or Celeron M CPU, you'll soon be counting Chrome as one of the many programs that are incompatible with your potato-like rig. The devices will no longer attempt to install the browser, while running it will result in the software crashing. It's noted that the change only affects Windows as Chrome OS, Android and, Mac already require SSE3 support.

An anonymous reader quotes a report from Ars Technica: The final version of Android 12 should be released sometime in September, but the first developer preview is expected any day now. Our first hint of what Google's new release might have in store comes to us from XDA Developers' Mishaal Rahman, who has some pictures of what looks like a major UI overhaul for Android 12. According to the report, these images represent mockups, not screenshots, of Android 12. The mockups appear in a document describing the new features of Android 12, and the document is being passed around to partners as a heads-up before the public rollout.

The first thing that jumps out to me is the weird sepia-tone color scheme, like someone left night mode on permanently. This color scheme looks like a huge change compared to the all-white color scheme of Android 11, but it's probably completely up to the user. [...] Even if we ignore the colors, the notification panel is still pretty different, which is totally on brand for Android, as the notification panel gets revamped in every release. Starting at the top, the weird black status bar is gone, replaced with a single sheet that serves as a notification background. It's not transparent here, but that could just be a mockup inaccuracy. The time and date have swapped places, with the date on top now. The quick settings are no longer in a box, and they've been cut down to four instead of six (booo!). The Quick Settings shapes have been configurable in the past, but it now looks like there's a mix of shapes, with disabled settings having a square background and enabled settings getting a circle.

There's also a new "Privacy" settings screen, which gives you what looks like systemwide kill switches for the camera, microphone, and location. None of these switches is new, but you get easy, more obvious access to them now. This privacy screen also seems to show a new design for the settings. In addition to the new color scheme, it looks like Google is taking after Samsung and some other Android OEMs in designing settings screens with reachability in mind. There's a huge "Privacy" banner at the top, with lots of white space above it, pushing the start of the list down from the very top of the phone. Most good implementations of this feature shrink the top banner once you start scrolling. The final new item in the mockups is a "conversations" widget. This seems to show a person or group chat and recent messages or calls from that person. It appears to combine messages from multiple apps into a single widget, which would be possible through the existing notification APIs.

Thanks to the hard work of the SwitchRoot team, it's now possible to enjoy an Android 10-based LineageOS 17.1 port on your Nintendo Switch console. XDA Developers reports: The Android 10 release is based on the LineageOS 17.1 build for the NVIDIA SHIELD TV and brings many improvements over the previous release, including a much-needed deep sleep mode so the OS doesn't murder your console's battery life. It's also generally faster and more responsive than the previous Android 8.1 Oreo version, according to the SwitchRoot team.

The ROM comes in two flavors: a Tablet build that offers a standard Android UI with support for all apps and an Android TV build that supports both docked and undocked use cases but has more limited app support. The former is recommended if you primarily use your Nintendo Switch while undocked, while the latter will offer a much-better docked experience. As for bugs and broken things, the developer says games built for the SHIELD (Half-Life 2, Tomb Raider, etc.) aren't supported, and you might notice some stuttering with Bluetooth audio. Some apps also may not support the Joy-Con D-Pad.

In order to install this build, you'll need an RCM-exploitable Nintendo Switch, a USB-C cable, a high-speed microSD card (formatted to FAT32), and a PC. If you already have the Android 8.1 Oreo build installed on your SD card, just make sure to back up your data before installing the Android 10 build, as flashing this new ROM will wipe all data. After installing the ROM itself, be sure to flash the Google Apps package, Alarm Disable ZIP, and Xbox Joycon Layout ZIP if you use an Xbox controller. You can download LineageOS 17.1 for Nintendo Switch here.

Microsoft is working on adding a new security alert to the dashboard of Microsoft Defender for Office 365 (formerly Office 365 Advanced Threat Protection) that will notify companies when their employees are being targeted by nation-state threat actors. From a report: The feature was added on Saturday to the Microsoft 365 roadmap website. The idea behind the feature is not new. Since 2016, Microsoft began tracking nation-state hacking groups and the attacks they orchestrate against Microsoft email accounts. If a user is targeted or compromised in one of these attacks, Microsoft sends them an email about the attack, along with basic advice they need to take to re-secure their inbox and devices. Microsoft said in 2019 that it usually notifies around 10,000 users per year of nation-state attacks. But the problem with this notification procedure is that it relies on users reading their email and taking action, which doesn't always happen. Users don't read their emails daily, or it might sometimes take hours before the user reaches the notification in crowded inboxes, a time during which attackers could use to steal sensitive documents. For organizations who are customers of Microsoft's Office 365 service, the OS maker now plans to add these notifications inside the dashboard of Microsoft Defender for Office 365, the cloud-based security platform that scans a company's Office 365 accounts for threats.

It's been estimated that there are 24 million developers in the world. 14 million of them now use Microsoft's Visual Studio Code (VS Code) as their IDE, reports ZDNet, with five million new users arriving in 2020.

Julia Liuson, corporate vice president of Microsoft's developer division, tells them why: "The strategy for VS Code is really to support our any, any, any strategy. You can be a developer working with any programming language, working on any operating system and develop any kind of software." VS Code runs on macOS, Windows 10, and multiple distributions of Linux, it supports Arm64 on Linux, and runs on Raspberry Pi and Chromebooks. It's also available in preview form
Part of VS Code's popularity is the breadth of language extensions for C++, C#, Python and various Python libraries for data scientists, Java, and JavaScript/Typescript... "We have almost two million Python developers using VS Code and well over a million C++ developers using VS Code," said Liuson. "And even our Java usage is approaching one million...."

Liuson also talked about Microsoft's inner source approach to software development. The company doubled down on inner source in 2019, and recently highlighted its inner-source approach as a factor that mitigated the threat of the SolarWinds hackers accessing its source code. Microsoft didn't make up the term inner source and the approach means taking open-source development practices and applying them inside a single organization. GitHub and GitHub's Enterprise Server fits snuggly with this approach to help organizations collaborate but do so in private.

"Inner source means if you have private IP, but you're inviting other teams within the company to collaborate with you. That's the fundamental difference between open source and inner source. Today, it's very common in large enterprise..."

Slashdot reader rushtobugment quotes a story from Hot Hardware: One of the software options for running a Raspberry Pi module is Raspberry Pi OS (formerly Raspbian), the officially supported Debian-based operating system put out by The Raspberry Pi Foundation. It has been around since 2015 without too much complaint. However, a recent update has some Raspberry Pi OS users up in arms over a key change involving Microsoft.

The latest update installs a Microsoft apt respository on all any machine running Raspberry Pi OS, and does it without any admin consent. As discovered by Reddit user fortysix_n_2, the official reason is an endorsement of Microsoft's integrated development environment, Visual Studio Code, which is fine and dandy. However, it's claimed this even gets installed on headless devices that used a light image without a GUI. As a result, every time you do an "apt update" on your Pi device, the OS pings Microsoft.

"By having this repo, every time an install of Raspberry Pi OS is updated it will ping a Microsoft server. Microsoft will know you're using Raspberry Pi OS/likely Raspberry Pi owner and your IP address...." fortysix_n_2 explains.
Or, as a headline explains on the Windows Central blog, "Microsoft repo silently added to Raspberry Pi OS, folks begin the freak out..."

"As one particularly vocal commenter pointed out, modifying the sources.list in Linux without consent just doesn't happen. It also doesn't just apply to new images, it has been built out to be added to existing machines, too."

UPDATE: An anonymous Slashdot reader spotted Raspberry Pi founder Eben Upton's response to the controversy on Twitter. When asked if the foundation could be more transparent, like publishing a blog post about the repositories to be included, Upton responded:

"I can't understand why you think this was a controversial thing to do. We do things of this sort all the time without putting out a blog post about how to opt out."