Shared posts

26 May 17:48

First Public Working Draft: SHACL 1.2 User Interfaces

The Data Shapes Working Group has published today a First Public Working Draft of SHACL 1.2 User Interfaces. This specification describes Shapes Constraint Language (SHACL) User Interfaces. This specification is part of the SHACL 1.2 family of specifications. See the SHACL 1.2 Overview for a more detailed introduction to them.

18 May 06:03

Sysadmin Creates 'ModuleJail' To Automatically Blacklist Unused Kernel Modules

by EditorDavid
Long-time Slashdot reader internet-redstar shares an interestging response to "the recent wave of Linux kernel privilege escalation vulnerabilities like 'Copy Fail' and 'Dirty Frag'": Belgian Linux sysadmin and Tesla Hacker "Jasper Nuyens" got tired of the idea of manually blacklisting dozens or even hundreds of obscure kernel modules across large fleets of Linux systems in the near future. So he wrote ModuleJail, a GPLv3 shell script that scans a running Linux system and automatically blacklists currently unused kernel modules, reducing kernel attack surface without requiring a reboot. The idea is simple: many modern Linux privilege escalation bugs target obscure or rarely used kernel functionality that is still enabled by default on servers that do not actually need it. ModuleJail works across major distributions including Debian, Ubuntu, RHEL, Fedora, AlmaLinux and Arch Linux, generating 1 modprobe blacklist rules file while preserving commonly-used modules. Nuyens argues that the increasing speed of AI-assisted vulnerability discovery will likely turn kernel hardening and attack surface reduction into a much bigger operational priority for sysadmins over the next few weeks and months.

Read more of this story at Slashdot.

11 Apr 09:35

Lightning

Maybe you should wear one too? I guess I'm taller than you, so as long as I have one we're fine.
19 Mar 20:41

Germany’s Sovereign Digital Stack Mandates ODF: a Landmark Validation of Open Document Standards

by Italo Vignoli
The Document Foundation (TDF), the non-profit entity behind LibreOffice, welcomes the inclusion of the Open Document Format (ODF) as a mandated standard format in Germany’s Deutschland-Stack, the federal government’s sovereign digital infrastructure framework for all public administrations. The Stack, published by the German Federal Ministry for Digital and State Modernisation
19 Mar 20:41

How passenger planes keep flying during a war

Airspace over Iran and the Gulf remains severely restricted following missile strikes, putting additional pressure on airlines.
05 Mar 18:53

Texas lawmaker admits 'lapse in judgement' in affair with aide

The admission from the married Republican, Tony Gonzales, comes after a House panel launched an ethics investigation.
06 Jan 01:50

Influencers and OnlyFans Models Dominate US 'Extraordinary' Artist Visas

by msmash
The O-1B visa, a work permit reserved for individuals deemed to possess "extraordinary ability" in the arts, has become the pathway of choice for social media influencers and OnlyFans models seeking to build careers in the United States. Immigration attorneys told the Financial Times that influencers now make up more than half their clientele for O-1B applications, a shift that has accelerated since the Covid-19 pandemic as lawyers and talent managers have adapted the visa's criteria -- originally designed for traditional artists -- to fit the metrics of online fame. High follower counts and substantial earnings can establish commercial success under the visa's requirements, landing a brand promotion contract can qualify as an endorsement of talent, and appearing at a store opening can count as performing in a "distinguished production." The total number of O-1 visas granted annually increased by more than 50% between 2014 and 2024, even as overall non-immigrant visa issuance grew by just 10%. Fewer than 20,000 O-1 visas were granted in 2024. Some attorneys said they worry the fixation on algorithm-driven metrics could disadvantage traditionally trained artists whose work doesn't generate viral attention.

Read more of this story at Slashdot.

19 Dec 16:27

Denmark Says Russia Was Behind Two 'Destructive and Disruptive' Cyberattacks

by msmash
Luciano

DDIS, DDoS

The Danish government has accused Russia of being behind two "destructive and disruptive" cyberattacks in what it describes as "very clear evidence" of a hybrid war. From a report: The Danish Defence Intelligence Service (DDIS) announced on Thursday that Moscow was behind a cyberattack on a Danish water utility in 2024 and a series of distributed denial-of-service (DDoS) attacks on Danish websites in the lead-up to the municipal and regional council elections in November. The first, it said, was carried out by the pro-Russian group known as Z-Pentest and the second by NoName057(16), which has links to the Russian state. "The Russian state uses both groups as instruments of its hybrid war against the west," DDIS said in a statement. "The aim is to create insecurity in the targeted countries and to punish those that support Ukraine. Russia's cyber operations form part of a broader influence campaign intended to undermine western support for Ukraine." It added: "The DDIS assesses that the Danish elections were used as a platform to attract public attention -- a pattern that has been observed in several other European elections."

Read more of this story at Slashdot.

16 Dec 18:34

Most Parked Domains Now Serving Malicious Content

by BrianKrebs

Direct navigation — the act of visiting a website by manually typing a domain name in a web browser — has never been riskier: A new study finds the vast majority of “parked” domains — mostly expired or dormant domain names, or common misspellings of popular websites — are now configured to redirect visitors to sites that foist scams and malware.

A lookalike domain to the FBI Internet Crime Complaint Center website, returned a non-threatening parking page (left) whereas a mobile user was instantly directed to deceptive content in October 2025 (right). Image: Infoblox.

When Internet users try to visit expired domain names or accidentally navigate to a lookalike “typosquatting” domain, they are typically brought to a placeholder page at a domain parking company that tries to monetize the wayward traffic by displaying links to a number of third-party websites that have paid to have their links shown.

A decade ago, ending up at one of these parked domains came with a relatively small chance of being redirected to a malicious destination: In 2014, researchers found (PDF) that parked domains redirected users to malicious sites less than five percent of the time — regardless of whether the visitor clicked on any links at the parked page.

But in a series of experiments over the past few months, researchers at the security firm Infoblox say they discovered the situation is now reversed, and that malicious content is by far the norm now for parked websites.

“In large scale experiments, we found that over 90% of the time, visitors to a parked domain would be directed to illegal content, scams, scareware and anti-virus software subscriptions, or malware, as the ‘click’ was sold from the parking company to advertisers, who often resold that traffic to yet another party,” Infoblox researchers wrote in a paper published today.

Infoblox found parked websites are benign if the visitor arrives at the site using a virtual private network (VPN), or else via a non-residential Internet address. For example, Scotiabank.com customers who accidentally mistype the domain as scotaibank[.]com will see a normal parking page if they’re using a VPN, but will be redirected to a site that tries to foist scams, malware or other unwanted content if coming from a residential IP address. Again, this redirect happens just by visiting the misspelled domain with a mobile device or desktop computer that is using a residential IP address.

According to Infoblox, the person or entity that owns scotaibank[.]com has a portfolio of nearly 3,000 lookalike domains, including gmai[.]com, which demonstrably has been configured with its own mail server for accepting incoming email messages. Meaning, if you send an email to a Gmail user and accidentally omit the “l” from “gmail.com,” that missive doesn’t just disappear into the ether or produce a bounce reply: It goes straight to these scammers. The report notes this domain also has been leveraged in multiple recent business email compromise campaigns, using a lure indicating a failed payment with trojan malware attached.

Infoblox found this particular domain holder (betrayed by a common DNS server — torresdns[.]com) has set up typosquatting domains targeting dozens of top Internet destinations, including Craigslist, YouTube, Google, Wikipedia, Netflix, TripAdvisor, Yahoo, eBay, and Microsoft. A defanged list of these typosquatting domains is available here (the dots in the listed domains have been replaced with commas).

David Brunsdon, a threat researcher at Infoblox, said the parked pages send visitors through a chain of redirects, all while profiling the visitor’s system using IP geolocation, device fingerprinting, and cookies to determine where to redirect domain visitors.

“It was often a chain of redirects — one or two domains outside the parking company — before threat arrives,” Brunsdon said. “Each time in the handoff the device is profiled again and again, before being passed off to a malicious domain or else a decoy page like Amazon.com or Alibaba.com if they decide it’s not worth targeting.”

Brunsdon said domain parking services claim the search results they return on parked pages are designed to be relevant to their parked domains, but that almost none of this displayed content was related to the lookalike domain names they tested.

Samples of redirection paths when visiting scotaibank dot com. Each branch includes a series of domains observed, including the color-coded landing page. Image: Infoblox.

Infoblox said a different threat actor who owns domaincntrol[.]com — a domain that differs from GoDaddy’s name servers by a single character — has long taken advantage of typos in DNS configurations to drive users to malicious websites. In recent months, however, Infoblox discovered the malicious redirect only happens when the query for the misconfigured domain comes from a visitor who is using Cloudflare’s DNS resolvers (1.1.1.1), and that all other visitors will get a page that refuses to load.

The researchers found that even variations on well-known government domains are being targeted by malicious ad networks.

“When one of our researchers tried to report a crime to the FBI’s Internet Crime Complaint Center (IC3), they accidentally visited ic3[.]org instead of ic3[.]gov,” the report notes. “Their phone was quickly redirected to a false ‘Drive Subscription Expired’ page. They were lucky to receive a scam; based on what we’ve learnt, they could just as easily receive an information stealer or trojan malware.”

The Infoblox report emphasizes that the malicious activity they tracked is not attributed to any known party, noting that the domain parking or advertising platforms named in the study were not implicated in the malvertising they documented.

However, the report concludes that while the parking companies claim to only work with top advertisers, the traffic to these domains was frequently sold to affiliate networks, who often resold the traffic to the point where the final advertiser had no business relationship with the parking companies.

Infoblox also pointed out that recent policy changes by Google may have inadvertently increased the risk to users from direct search abuse. Brunsdon said Google Adsense previously defaulted to allowing their ads to be placed on parked pages, but that in early 2025 Google implemented a default setting that had their customers opt-out by default on presenting ads on parked domains — requiring the person running the ad to voluntarily go into their settings and turn on parking as a location.

22 Nov 21:30

Cryptographers Cancel Election Results After Losing Decryption Key

by BeauHD
Luciano

So many angles to this

The International Association of Cryptologic Research (IACR) was forced to cancel its leadership election after a trustee lost their portion of the Helios voting system's decryption key, making it impossible to reveal or verify the final results. Ars Technica reports: The IACR said Friday that the votes were submitted and tallied using Helios, an open source voting system that uses peer-reviewed cryptography to cast and count votes in a verifiable, confidential, and privacy-preserving way. Helios encrypts each vote in a way that assures each ballot is secret. Other cryptography used by Helios allows each voter to confirm their ballot was counted fairly. "Unfortunately, one of the three trustees has irretrievably lost their private key, an honest but unfortunate human mistake, and therefore cannot compute their decryption share," the IACR said. "As a result, Helios is unable to complete the decryption process, and it is technically impossible for us to obtain or verify the final outcome of this election." The IACR will switch to a two-of-three private key system to prevent this sort of thing from happening again. Moti Yung, the trustee responsible for the incident, has resigned and is being replaced by Michael Abdalla.

Read more of this story at Slashdot.
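The failure above is the difference between an n-of-n key and a t-of-n one. The following is an added example, not Helios code: it uses plain Shamir secret sharing over a prime field to show why a 2-of-3 setup survives one trustee losing their share while a 3-of-3 setup does not. Helios itself shares an ElGamal election key between trustees, so treat this only as an illustration of the threshold property; the modulus and the `decrypt_after_loss` helper are assumptions for the example.

```python
"""Added example, not Helios code: t-of-n secret sharing versus n-of-n,
and what happens when one share is irretrievably lost."""
import secrets

P = 2**127 - 1  # prime field modulus; an assumption for this illustration


def make_shares(secret: int, threshold: int, n: int) -> list[tuple[int, int]]:
    """Evaluate a random degree-(threshold-1) polynomial with constant term
    `secret` at x = 1..n. Any `threshold` shares reconstruct the secret."""
    if not 1 <= threshold <= n:
        raise ValueError("need 1 <= threshold <= n")
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(threshold - 1)]

    def f(x: int) -> int:
        return sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P

    return [(x, f(x)) for x in range(1, n + 1)]


def reconstruct(shares: list[tuple[int, int]]) -> int:
    """Lagrange interpolation at x = 0. Only correct when at least
    `threshold` distinct shares are supplied; with fewer, the result is
    some unrelated field element, not an error."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, P - 2, P)) % P
    return secret


def decrypt_after_loss(secret: int, threshold: int, n: int, lost: int):
    """Simulate trustee `lost` (1-based) losing their share. Returns the
    recovered secret, or None when fewer than `threshold` shares remain,
    which is the IACR situation for threshold == n == 3."""
    remaining = [s for s in make_shares(secret, threshold, n) if s[0] != lost]
    if len(remaining) < threshold:
        return None
    return reconstruct(remaining[:threshold])


if __name__ == "__main__":
    key = secrets.randbelow(P)
    print("3-of-3, one share lost:", decrypt_after_loss(key, 3, 3, lost=2))
    print("2-of-3, one share lost, recovered:",
          decrypt_after_loss(key, 2, 3, lost=2) == key)
```

The trade-off the IACR is accepting is visible in the same code: with a 2-of-3 key, any two trustees together can also decrypt without the third, so the threshold is a choice between availability (one loss is survivable) and the number of colluders needed to break ballot secrecy.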

19 Oct 14:49

Ohtani rewrites history to send Dodgers to World Series

Shohei Ohtani delivers one of the greatest performances in baseball history as defending champions the Los Angeles Dodgers beat the Milwaukee Brewers to reach the World Series.
11 Oct 21:07

'I Tracked Amazon's Prime Day Prices. We've Been Played'

by EditorDavid
"Next time Amazon hypes its Prime Days savings, remember this: The prices during the sale aren't always better," writes a Washington Post technology columnist. "I've got the receipts to prove it." I would have saved, on average, almost nothing during Amazon's recent fall "Prime Big Deal Days" — and for some big-ticket purchases, I would have actually paid more. For the sale that took place Oct. 7 and 8, my family went in prepared. We had a shopping list with prices we'd been tracking... A TV stand he'd been watching jumped 38 percent to $379, from $275 on Oct. 2. Same story for a few other big-ticket items on his list — another console went up from $219.99 to $299. Those products weren't listed as "big deals" on the site, but we certainly didn't expect their prices to spike during Prime Days. And in other cases, Amazon marketed discounts that turned out to be the exact price it had charged in recent weeks. One example: an Oral-B electric toothbrush was listed as 39 percent off, but actually the same price as in August... Other consumer advocates have warned one common trick is for Amazon to feature artificially inflated "before" prices to make discounts appear larger than they are. Ahead of Amazon's 2017 Prime Day, the nonprofit Consumer Watchdog reported that 61 percent of reference prices on Amazon were higher than any price the company had charged for those items in the prior 90 days... I found products listed as Prime Day discounts that cost the same as I'd paid less than a month earlier. For example, a pack of coronavirus tests I bought on Sept. 12 was the same price on Oct. 8, but listed as "39 percent off." Amazon said I'd gotten a particularly good deal in September, and the Prime Big Deal Days price offers "meaningful savings compared to the typical price customers have paid on Amazon over the last 90 days...." To actually get a good deal on Amazon, go in with a plan. I use a free website called CamelCamelCamel, which tracks Amazon's historical prices. 
You can see what's really a discount — and set alerts when prices drop to your target. The reporter checked every non-grocery purchase they'd made on Amazon for six months. Purchasing the same products on Amazon's "Big Deal Days" would have brought savings of just 0.6%. "And that doesn't include the $139 annual fee to be a member of Amazon Prime."

Read more of this story at Slashdot.

13 Sep 18:12

The Software Engineers Paid To Fix Vibe Coded Messes

by EditorDavid
"Freelance developers and entire companies are making a business out of fixing shoddy vibe coded software," writes 404 Media, interviewing one of the "dozens of people on Fiverr... now offering services specifically catering to people with shoddy vibe coded projects." Hamid Siddiqi, who offers to "review, fix your vibe code" on Fiverr, told 404 Media that "Currently, I work with around 15-20 clients regularly, with additional one-off projects throughout the year." (Siddiqi said common issues he fixes in vibe coded projects include inconsistent UI/UX design in AI-generated frontends, poorly optimized code that impacts performance, misaligned branding elements, and features that function but feel clunky or unintuitive, as well as work on color schemes, animations, and layouts.) And other coders are also pursuing the "vibe coded mess" market: Swatantra Sohni, who started VibeCodeFixers.com, a site for people with vibe coded projects who need help from experienced developers to fix or finish their projects, says that almost 300 experienced developers have posted their profiles to the site. He said so far VibeCodeFixers.com has only connected between 30-40 vibe code projects with fixers, but that he hasn't done anything to promote the service and at the moment is focused on adding as many software developers to the platform as possible... "Most of these vibe coders, either they are product managers or they are sales guys, or they are small business owners, and they think that they can build something," Sohni told me. "So for them it's more for prototyping..." Another big issue Sohni identified is "credit burn," meaning the money vibe coders waste on AI usage fees in the final 10-20 percent stage of developing the app, when adding new features breaks existing features. Sohni told me he thinks vibe coding is not going anywhere, but neither are human developers. 
"I feel like the role [of human developers] would be slightly limited, but we will still need humans to keep this AI on the leash," he said. The article also notes that established software development companies like Ulam Labs now say "we clean up after vibe coding. Literally." "Built something fast? Now it's time to make it solid," Ulam Labs pitches on its site, suggesting that for their potential customers "the tech debt is holding you back: no tests, shaky architecture, CI/CD is a dream, and every change feels like defusing a bomb. That's where we come in."

Read more of this story at Slashdot.

02 Sep 11:10

Beijing tightens control ahead of Xi's big moment on world stage

It is a big week for Xi Jinping, who will host Vladimir Putin and Kim Jong Un in Beijing at a massive military parade.
31 Jul 21:32

Physicists Disagree Wildly on What Quantum Mechanics Says About Reality

by msmash
A Nature survey of more than 1,100 physicists reveals fundamental disagreements about quantum mechanics' relationship to reality, despite the theory's century-long track record as one of science's most successful frameworks. The survey, conducted to mark quantum mechanics' 100th anniversary, found 36% of researchers favor the Copenhagen interpretation while 17% prefer epistemic approaches that treat quantum states as information rather than physical reality. Another 15% support the many-worlds interpretation. Researchers split evenly on whether a boundary exists between quantum and classical worlds -- 45% said yes, 45% said no. When asked about the wavefunction's nature, 47% called it a mathematical tool while 36% considered it a representation of physical reality. Only 24% of respondents expressed confidence their chosen interpretation was correct, with others viewing their preference as merely adequate or useful in certain circumstances. The survey contacted over 15,000 researchers whose recent papers involved quantum mechanics, plus attendees of a centenary meeting on Heligoland island. Despite quantum mechanics enabling technologies from computer chips to medical imaging, physicists remain divided on the physical reality underlying the mathematics.

Read more of this story at Slashdot.

05 Jul 10:32

Watch: Holiday park wiped out by Texas floods

Jason Allen, correspondent at the BBC's US partner CBS, reports from Kerrville, Texas.
29 May 16:23

Microsoft Is Opening Windows Update To Third-Party Apps

by BeauHD
Luciano

Will rename the tool to 'apt upgrade'

Microsoft is previewing a new Windows Update orchestration platform that lets third-party apps schedule and manage updates alongside system updates, "aiming to centralize update scheduling across Windows 11 devices," reports The Register. From the report: On Tuesday, Redmond announced it's allowing a select group of developers and product teams to hook into the Windows 11 update framework. The system doesn't push updates itself but allows apps to register their own update logic via WinRT APIs and PowerShell, enabling centralized scheduling, logging, and policy enforcement. "Updates across the Windows ecosystem can feel like a fragmented experience," wrote Angie Chen, a product manager at the Borg, in a blog post. "To solve this, we're building a vision for a unified, intelligent update orchestration platform capable of supporting any update (apps, drivers, etc.) to be orchestrated alongside Windows updates." As with other Windows updates, the end user or admin will be able to benefit from intelligent scheduling, with updates deferred based on user activity, system performance, AC power status, and other environmental factors. For example, updates may install when the device is idle or plugged in, to minimize disruption. All update actions will be logged and surfaced through a unified diagnostic system, helping streamline troubleshooting. Microsoft says the platform will support MSIX/APPX apps, as well as Win32 apps that include custom installation logic, provided developers integrate with the offered Windows Runtime (WinRT) APIs and PowerShell commands. At the moment, the orchestration platform is available only as a private preview. Developers must contact unifiedorchestrator@service.microsoft.com to request access. Redmond is taking a cautious approach, given the risk of update conflicts, but may broaden availability depending on how the preview performs. 
Meanwhile, Windows Backup for Organizations, first unveiled at Microsoft Ignite in November 2024, has entered limited public preview. Redmond touts the service as a way to back up Windows 10 and 11 devices and restore them with the same settings in place. It's saying it'll be a big help in migrating systems to the more recent operating systems after Windows 10 goes end of life in October. "With Windows Backup for Organizations, get your users up and running as quickly as possible with their familiar Windows settings already in place," Redmond wrote in a blog post on Tuesday. "It doesn't matter if they're experiencing a device reimage or reset."

Read more of this story at Slashdot.

17 May 07:23

Consumerists Never Really Learn

by Paul Boddie

Via an article about a Free Software initiative hoping to capitalise on the discontinuation of Microsoft Windows 10, I saw that the consumerists at Which? had published their own advice. Predictably, it mostly emphasises workarounds that merely perpetuate the kind of bad choices Which? has promoted over the years along with yet more shopping opportunities.

Those workarounds involve either continuing to delegate control to the same company whose abandonment of its users is the very topic of the article, or to switch to another surveillance economy supplier who will inevitably do the same when they deem it convenient. Meanwhile, the shopping opportunities involve buying a new computer – as one would entirely expect from Which? – or upgrading your existing computer, but only “if you’re using a desktop”. I guess adding more memory to a laptop or switching to solid-state media, both things that have rejuvenated a laptop from over a decade ago that continues to happily run Linux, is beyond comprehension at Which? headquarters.

Only eventually do they suggest Ubuntu, presumably because it is the only Linux distribution they have heard of. I personally suggest Debian. That laptop happily running Linux was running Ubuntu, since that is what it was shipped with, but then Ubuntu first broke upgrades in an unhelpful way, hawking commercial support in the update interface to the confusion of the laptop’s principal user (and, by extension, to my confusion as I attempted to troubleshoot this anomalous behaviour), and also managed to put out a minor release of Dippy Dragon, or whatever it was, that was broken and rendered the machine unbootable without appropriate boot media.

Despite this being a known issue, they left this broken image around for people to download and use instead of fixing their mess and issuing a further update. That this also happened during the lockdown years when I wasn’t able to personally go and fix the problem in person, and when the laptop was also needed for things like interacting with public health services, merely reinforced my already dim view of some of Ubuntu’s release practices. Fortunately, some Debian installation media rescued the situation, and a switch to Debian was the natural outcome. It isn’t as if Ubuntu actually has any real benefits over Debian any more, anyway. If anything, the dubious custodianship of Ubuntu has made Debian the more sensible choice.

As for Which? and their advice, had the organisation actually used its special powers to shake up the corrupt computing industry, instead of offering little more than consumerist hints and tips, all the while neglecting the fundamental issues of trust, control, information systems architecture, sustainability and the kind of fair competition that the organisation is supposed to promote, then their readers wouldn’t be facing down an October deadline to fix a computer that Which? probably recommended in the first place, loaded up with anti-virus nonsense and other workarounds for the ecosystem they have lazily promoted over the years.

And maybe the British technology sector would be more than just the odd “local computer repair shop” scratching a living at one end of the scale, a bunch of revenue collectors for the US technology industry pulling down fat public sector contracts and soaking up unlimited amounts of taxpayer money at the other, and relatively little to mention in between. But that would entail more than casual shopping advice and fist-shaking at the consequences of a consumerist culture that the organisation did little to moderate, at least while it could consider itself both watchdog and top dog.

10 May 22:02

Maintainer of Linux Distro AnduinOS Revealed to Be Microsoft Employee

by BeauHD
After gaining attention from Neowin and DistroWatch last week, the sole maintainer behind AnduinOS 1.3 -- a Linux distribution styled to resemble Windows 11 -- decided to reveal himself. He turns out to be Anduin Xue, a Microsoft software engineer, who has been working on the project as a personal, non-commercial endeavor built on Ubuntu. Neowin reports: As a Software Engineer 2 at Microsoft (he doesn't work on Windows), Anduin Xue says he's financially stable and sees no need to commercialize AnduinOS. Explaining the financial aspects of the project, he said: "Many have asked why I don't accept donations, how I profit, and if I plan to commercialize AnduinOS. Truthfully, I haven't thoroughly considered these issues. It's not my main job, and I don't plan to rely on it for a living. Each month, I dedicate only a few hours to maintaining it. Perhaps in the future, I might consider providing enterprise solutions based on AnduinOS, but I won't compromise its original simplicity. It has always been about providing myself with a comfortably themed Ubuntu." In our coverage of the AnduinOS 1.3 release last week, one commenter pointed out that the distro is from China. For some, this will raise issues, but Anduin Xue addressed this in his blog post, too, saying that the source code is available to the public. For this reason, he said, lacing the operating system with backdoors for the Chinese government would be "irrational and easily exposed." For those worried that the distribution may be abandoned, Anduin Xue said that he intends to continue supporting it and may even maintain it full-time if sponsorship or corporate cooperation emerges.

Read more of this story at Slashdot.

30 Mar 12:17

DOGE To Rewrite SSA Codebase In 'Months'

by BeauHD
Longtime Slashdot reader frank_adrian314159 writes: According to an article in Wired, Elon Musk has appointed a team of technologists from DOGE to "rewrite the code that runs the SSA in months." This codebase has over 60 million lines of COBOL and handles record keeping for all American workers and payments for all Social Security recipients. Given that the code has to track the byzantine regulations dealing with Social Security, it's no wonder that the codebase is this large. What is in question though is whether a small team can rewrite this code "in months." After all, what could possibly go wrong? "The project is being organized by Elon Musk lieutenant Steve Davis ... and aims to migrate all SSA systems off COBOL ... and onto a more modern replacement like Java within a scheduled tight timeframe of a few months," notes Wired. "Under any circumstances, a migration of this size and scale would be a massive undertaking, experts tell WIRED, but the expedited deadline runs the risk of obstructing payments to the more than 65 million people in the US currently receiving Social Security benefits." In 2017, SSA announced a plan to modernize its core systems with a timeline of around five years. However, the work was "pivoted away" because of the pandemic.

Read more of this story at Slashdot.

28 Feb 07:42

The New York City Subway Is Using Google Pixels To Listen for Track Defects

by msmash
New York City's Metropolitan Transportation Authority and Google have successfully tested technology that uses smartphone sensors to detect subway track defects, the MTA said Thursday. The four-month experiment, dubbed TrackInspect, mounted six Google Pixel phones on four A train subway cars traversing Manhattan and Queens. The phones' accelerometers, magnetometers, gyroscopes and external microphones collected 335 million sensor readings and 1,200 hours of audio data, which were processed through 200 prediction models. The system identified 92% of defects later confirmed by human inspectors, including broken rails and loose bolts. "The goal with this [project] is to find issues before they become a major issue in terms of service," said Demetrius Crichlow, the agency's president. Following the successful trial, the MTA plans to expand to a full pilot where Google will build a production version for track inspectors.

Read more of this story at Slashdot.

15 Feb 22:16

Argentinian president Javier Milei promotes memecoin that then crashes 95% in apparent $100 million+ rug pull

A tweet from Argentina's president Javier Milei promoted a memecoin called Libra, which he described as a "private project [that] will [be] dedicated to encouraging the growth of the Argentine economy by funding small Argentine businesses and startups". The token quickly soared in price as traders poured in.

However, within hours of the launch, insiders began selling off their holdings of the token. The token had been highly concentrated among insiders, with around 82% of the token held in a small cluster of apparently insider addresses. Those insiders cashed out around $107 million, crashing the token price by around 95%.

After the crash, Milei deleted his tweet promoting the project. He later claimed he was "not aware of the details of the project and after having become aware of it I decided not to continue spreading the word (that is why I deleted the tweet)."

10 Feb 21:32

The One Euro OpenBSD Server

For quite some time I have been on the lookout for a cheap, small virtual server for one or two toy projects. My unspoken requirements were the ability to install OpenBSD, having IPv6, and that the hoster is not completely shady.

While lowering the bar for “cheap”, getting all three at once seems to become quite difficult. Since most hosters use some Linux QEMU/KVM stack nowadays, OpenBSD’s installability was almost always the least problematic of the three.

Without further ado, except, of course, stating that I have not received any money from this hoster for this post, I will name them once and then only describe technical details, hopefully transferable to other hosting scenarios.

The hoster is STRATO, one of the bigger and older ones in Germany, and they offer so called “Budget Linux V-Servers”, where the cheapest, VC 1-1, comes with 1 vCore, 1G RAM, 10G storage, and one IPv4 plus one IPv6 address for one Euro per month.

This may sound weak by today’s standards, but it is enough for me. Maybe a little more storage would be nice, but for one Euro I cannot complain (or even buy a bread roll anymore).

Install OpenBSD From Linux

Most hosters offer a selection of (sometimes outdated) GNU/Linux distributions, but a BSD option is uncommon. This, however, is no problem, as one can use a Linux - I prefer Debian - to install OpenBSD.

The technique used here is not novel; I have read variants of it in various places, notably this older misc@ mailing list post.

Start by booting the (still Linux) VM and downloading the bsd.rd file of the latest OpenBSD release.

root@debian:~# wget -O /openbsd.rd \
  https://cdn.openbsd.org/pub/OpenBSD/7.5/amd64/bsd.rd

Then take a look at the partitions and find out which partition of which “disk” contains /openbsd.rd.

root@debian:~# fdisk -l
[snip]

Device      Start      End  Sectors  Size Type
/dev/vda1  262144 20971486 20709343  9.9G Linux root (x86-64)
/dev/vda14   2048     8191     6144    3M BIOS boot
/dev/vda15   8192   262143   253952  124M EFI System

For me, there is only one disk and the entire Linux file system resides on the first partition.

This information is enough to create a new GRUB boot record, stating that on

  • the first disk (zero-based) - hd0 -
  • the first partition (one-based now, of course) - hd0,1 -
  • there is a file named /openbsd.rd.

With this information, a boot entry like the following can be appended to /etc/grub.d/40_custom.

root@debian:~# tail -n4 /etc/grub.d/40_custom
menuentry "OpenBSD" {
  set root=(hd0,1)
  kopenbsd /openbsd.rd
}

Since a human being will be using GRUB later, the GRUB_TIMEOUT should be a reasonable number. For me, a later overwrite in /etc/default/grub.d/15_timeout.cfg set this variable to zero. As the last file wins, make sure it contains GRUB_TIMEOUT=10.

root@debian:~# vi /etc/default/grub{,.d/*}

Finalize the setup on the Linux side by updating GRUB based on the changes just made.

root@debian:~# update-grub
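As an added example, not from the original post, here is a small sh script for the two places in that step where mistakes are easy: the disk/partition mapping (zero-based disk, one-based partition) and the GRUB_TIMEOUT that actually takes effect after update-grub has sourced every /etc/default/grub.d/*.cfg. The device-to-(hdX,Y) mapping assumes GRUB enumerates disks in the same order as Linux, which holds for the single-disk VM above; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post: two checks for the
# GRUB step above. Assumes GRUB enumerates disks in the same order as
# Linux does, which holds for the single-disk VM described in the post.

# Map a Linux partition device (/dev/vda1, /dev/sdb3) to GRUB's (hdX,Y)
# notation: disks are zero-based, partitions one-based. NVMe names are
# not handled here.
grub_root_spec() {
  dev=${1#/dev/}
  case $dev in
    [sv]d[a-z]*) ;;
    *) echo "unsupported device: $1" >&2; return 1 ;;
  esac
  letter=${dev#[sv]d}; letter=${letter%%[0-9]*}   # vda1 -> a
  part=${dev#[sv]d[a-z]}                          # vda1 -> 1
  [ -n "$part" ] || { echo "no partition number in $1" >&2; return 1; }
  disk=$(( $(printf '%d' "'$letter") - 97 ))      # a -> 0, b -> 1, ...
  printf '(hd%s,%s)\n' "$disk" "$part"
}

# Print the 40_custom entry for a root spec and a ramdisk path.
openbsd_menuentry() {
  printf 'menuentry "OpenBSD" {\n  set root=%s\n  kopenbsd %s\n}\n' "$1" "$2"
}

# Report the GRUB_TIMEOUT that update-grub will actually use. It sources
# $1/grub first and then every $1/grub.d/*.cfg in glob order, so the last
# assignment wins; $1 is /etc/default on a real system.
effective_grub_timeout() {
  dir=$1
  val=$(
    GRUB_TIMEOUT=
    [ -r "$dir/grub" ] && . "$dir/grub"
    for f in "$dir"/grub.d/*.cfg; do
      [ -r "$f" ] && . "$f"
    done
    printf '%s' "$GRUB_TIMEOUT"
  )
  printf '%s\n' "${val:-unset}"
}

# Usage: sh grub-openbsd.sh /dev/vda1
if [ $# -gt 0 ]; then
  openbsd_menuentry "$(grub_root_spec "$1")" /openbsd.rd
  echo "effective GRUB_TIMEOUT: $(effective_grub_timeout /etc/default)"
fi
```

Run it with the partition fdisk showed you; if the timeout it reports is 0, the GRUB menu will never be visible on the VNC console.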

Install From GRUB

Now is the perfect moment to launch the hoster’s web-based VNC console. When it is up and running - showing the Debian login - type a final reboot in your session and wait for the VNC console to show GRUB. If it shows up, select “OpenBSD” and proceed.

For me, the installation wizard just worked and I mostly went with the suggestions.

The only limitation - perhaps due to an incorrect keyboard layout - was the unavailability of the “Shift” modifier key, but only for special characters. So I was unable to get a list of all mirror servers and just went with the first one by typing 1.

Finishing Touch on OpenBSD

After the installation succeeded, reboot into your freshly installed OpenBSD. Congratulations!

There are a few things one might want to do first, such as installing patches via syspatch or configuring sshd to only accept public key-based logins via PasswordAuthentication no. But this is out of this post’s scope.

However, at least for my specific hosting situation, one tweak to the network configuration was necessary. On OpenBSD (at least for now, being at 7.5), the dynamic address configuration supports DHCP for IPv4 and SLAAC for IPv6. My hoster, however, stated that DHCPv6 is necessary for the IPv6 configuration. Not wanting to install another DHCP client just for that, I searched the web for older documentation and found a configuration without the need for DHCPv6.

Setting the IPv6 address shown in the hoster’s web interface with a prefix length of 128 - being one address, not a block - and using fe80::1 as the gateway was enough to make it work. Interestingly, a very similar setup was necessary for another machine at a totally different hoster.

user@openbsd:~> doas cat /etc/hostname.vio0
inet autoconf
inet6 2001:db8::1 128  # Put your IPv6 address here!
!route add -inet6 default fe80::1%vio0

Outlook

The new server is running smoothly so far. I have not experienced any hiccups, network issues or the like. Since one of its first tasks is hosting this blog, time will tell how well it works out.

06 Feb 07:16

'AI Granny' Driving Scammers Up the Wall

by msmash
Since November, British telecom O2 has deployed an AI chatbot masquerading as a 78-year-old grandmother to waste scammers' time. The bot, named Daisy, engages fraudsters by discussing knitting patterns, recipes, and asking about tea preferences while feigning computer illiteracy. The Guardian has an update this week: In tests over several weeks, Daisy has kept individual scammers occupied for up to 40 minutes, with one case showing her being passed between four different callers. An excerpt from the story: "When a third scammer tries to get her to download the Google Play Store, she replies: 'Dear, did you say pastry? I'm not really on the right page.' She then complains that her screen has gone blank, saying it has 'gone black like the night sky'."

Read more of this story at Slashdot.

22 Jan 22:08

Mastercard DNS Error Went Unnoticed for Years

by msmash
A security researcher discovered and fixed a critical domain name server misconfiguration in Mastercard's systems that persisted undetected for nearly five years, potentially exposing the credit card giant to traffic interception risks. Philippe Caturegli, founder of security firm Seralys, found that one of Mastercard's five DNS servers incorrectly pointed to "akam.ne" instead of "akam.net" from June 2020 to January 2025. He spent $300 to register the domain through Niger's domain authority to prevent potential exploitation. Mastercard said the typo has been corrected, insisting there was "not a risk to our systems."

Read more of this story at Slashdot.

11 Dec 22:58

The Maritime Approximation

It works because a nautical mile is based on a degree of latitude, and the Earth (e) is a circle.

06 Dec 08:21

OpenAI Releases 'Smarter, Faster' ChatGPT - Plus $200-a-Month Subscriptions for 'Even-Smarter Mode'

by EditorDavid
Wednesday OpenAI CEO Sam Altman announced "12 Days of OpenAI," promising that "Each weekday, we will have a livestream with a launch or demo..." And sure enough, today he announced the launch of two things: - "o1, the smartest model in the world. Smarter, faster, and more features (e.g. multimodality) than o1-preview. Live in ChatGPT now, coming to API soon." - "ChatGPT Pro. $200/month. Unlimited usage and even-smarter mode for using o1. More benefits to come!" Altman added this update later: For extra clarity: o1 is available in our plus tier, for $20/month. With the new pro tier ($200/month), it can think even harder for the hardest problems. Most users will be very happy with o1 in the plus tier! VentureBeat points out that subscribers "also gain access to GPT-4o, known for its advanced natural language generation capabilities, and the Advanced Voice feature for speech-based interactions." And even for non-subscribers, ChatGPT can now also analyze images, points out VentureBeat, "a hugely helpful feature upgrade as it enables users to upload photos and have the AI chatbot respond to them, giving them detailed plans on how to build a birdhouse entirely from a single candid photo of one, for one fun example." In another, potentially more serious and impressive example, it is now capable of helping design data centers from sketches... o1 represents a significant evolution in reasoning model capabilities, including better handling of complex tasks, image-based reasoning, and enhanced accuracy. Enterprise and Education users will gain access to the model next week... OpenAI's updates also include safety enhancements, with the o1-preview scoring 84 on a rigorous safety test, compared to 22 for its predecessor... To encourage the use of AI in societal-benefit fields, OpenAI has announced the ChatGPT Pro Grant Program. The initiative will initially award 10 grants to leading medical researchers, providing free access to ChatGPT Pro tools. 
In a video Altman displays graphs showing o1 dramatically outperforms gpt4o on math questions, on competition coding at CodeForces, and on PhD-level science questions.

Read more of this story at Slashdot.

07 Oct 05:41

Dolly Parton announces $1m donation to Hurricane Helene recovery

The singer says she was "heartbroken" by the destruction wrought in the US by the powerful storm.

07 Oct 05:41

How I Booted Linux On an Intel 4004 from 1971

by EditorDavid
Long-time Slashdot reader dmitrygr writes: Debian Linux booted on a 4-bit intel microprocessor from 1971 — the first microprocessor in the world — the 4004. It is not fast, but it is a real Linux kernel with a Debian rootfs on a real board whose only CPU is a real intel 4004 from the 1970s. There's a detailed blog post about the experiment. (Its title? "Slowly booting full Linux on the intel 4004 for fun, art, and absolutely no profit.") In the post dmitrygr describes testing speed optimizations with an emulator where "my initial goal was to get the boot time under a week..."

Read more of this story at Slashdot.

21 Sep 09:41

Project Analyzing Human Language Usage Shuts Down Because 'Generative AI Has Polluted the Data'

by msmash
The creator of an open source project that scraped the internet to determine the ever-changing popularity of different words in human language usage says that they are sunsetting the project because generative AI spam has poisoned the internet to a level where the project no longer has any utility. 404 Media: Wordfreq is a program that tracked the ever-changing ways people used more than 40 different languages by analyzing millions of sources across Wikipedia, movie and TV subtitles, news articles, books, websites, Twitter, and Reddit. The system could be used to analyze changing language habits as slang and popular culture changed and language evolved, and was a resource for academics who study such things. In a note on the project's GitHub, creator Robyn Speer wrote that the project "will not be updated anymore." "Generative AI has polluted the data," she wrote. "I don't think anyone has reliable information about post-2021 language usage by humans." She said that open web scraping was an important part of the project's data sources and "now the web at large is full of slop generated by large language models, written by no one to communicate nothing. Including this slop in the data skews the word frequencies." While there has always been spam on the internet and in the datasets that Wordfreq used, "it was manageable and often identifiable. Large language models generate text that masquerades as real language with intention behind it, even though there is none, and their output crops up everywhere," she wrote.

Read more of this story at Slashdot.