Yesterday, Zoom refused to allow the university to use its service for the discussion — a cancellation praised by FCC Commissioner Brendan Carr, who said there was no “need to hear both sides.” It is not yet clear whether the organizers of the event will switch to another channel of communication.

The advice of the NCSC, as well as Jisc, is very clear: do not pay! A range of reasons are cited, but the prime one is the inability of institutions to be sure that the [attacker] will undo the damage and not exploit the data breach at a later date. Those who pay up justify doing so on the grounds of business criticality and expediency. They also rely on the “honour among thieves” paradigm that [attackers] will stick to their word so that victims of future attacks will also feel confident in paying up.

Such attacks can paralyse an organisation as it weighs up concerns over prolonged business interruption, reputational damage and data protection responsibilities against the financial impact and the ethical implications of capitulating to the demands. The decision to pay or not to pay is very much the question – especially when university budgets are so tight.

Most Linux users are well-acquainted with LibreOffice – many distributions have it pre-installed. Fewer know its powerful alternative: FreeOffice is a full-fledged office solution with full support for Microsoft Office file formats. It consists of a word processor, a spreadsheet and a presentation program. True to its name, FreeOffice is fully free and available for Linux in 32-bit and 64-bit versions. FreeOffice is far from a LibreOffice clone. The software is being developed by a German software company with a history going all the way back to 1987. Due to its background, FreeOffice has far more in common with Microsoft Office than with LibreOffice.

Todoist now has a Kanban board feature similar to that made popular by Trello. Kanban boards are an effective project management tool designed to make it easier to organise tasks within projects and get an overview of overall project status. While Kanban boards aren’t super fancy they are, for some, super useful. “A more visual way to organize your projects. Drag tasks between sections, visualize your progress, and simplify your teamwork,” Todoist say of the feature.

Security: Patches, Ease of Use and Debian Key Signing

Security updates for Wednesday

Security updates have been issued by openSUSE (libetpan, libqt4, lilypond, otrs, and perl-DBI), Red Hat (kernel-rt), Slackware (seamonkey), SUSE (grafana, libmspack, openldap2, ovmf, pdns, rubygem-actionpack-5_1, and samba), and Ubuntu (debian-lan-config, ldm, libdbi-perl, and netty-3.9).

Balancing Linux security with usability

Building an operating system is a difficult balance, and a Linux distribution is no different. You need to consider the out-of-the-box functionality that most people are going to want, and accessibility for a wide swath of administrators' skillsets. If you make your distro very secure, but a newbie sysadmin can't figure out how to work with it…well, they're going to find an easier distribution to go learn on, and now you've lost that admin to another distribution. So it's really no surprise that, right after install time, most Linux distributions need a little bit of tweaking to lock them down. This has gotten better over the years, as the installers themselves have gotten easier to use and more feature-rich. You can craft a pretty custom system right from the GUI installer. A base Red Hat Enterprise Linux (RHEL) system, for example, if you've chosen the base package set, is actually pretty light on unnecessary services and packages.

There was a time when that was not true. Can you imagine passwords being hashed, but available in /etc/passwd for any user to read? Or all system management being carried out over Telnet? SSH wasn't even on, by default. Host-based firewall? Completely optional. So, 20 years ago, locking down a newly installed Linux system meant a laundry list of tasks. Luckily, as computing has matured, so has the default install of just about any operating system.

Key signing in the pandemic era

The pandemic has changed many things in our communities, even though distance has always played a big role in free software development. Annual in-person gatherings for conferences and the like are generally paused at the moment, but even after travel and congregating become reasonable again, face-to-face meetings may be less frequent. There are both positives and negatives to that outcome, of course, but some rethinking will be in order if that comes to pass. The process of key signing is something that may need to change as well; the Debian project, which uses signed keys, has been discussing the subject.

In early August, Enrico Zini posted a note to the debian-project mailing list about people who are trying to get involved in Debian, but who are lacking the necessary credentials in the form of an OpenPGP key signed by other Debian project members. The requirements for becoming a Debian Maintainer (DM) or Debian Developer (DD) both involve keys with signatures from existing DDs; two signatures for becoming a DD or one for becoming a DM. Those are not the only steps toward becoming formal members of Debian, but they are ones that may be hampering those who are trying to do so right now. DDs and DMs use their keys to sign packages that are being uploaded to the Debian repository, so the project needs to have some assurance that the keys are valid and are controlled by someone that is not trying to undermine the project or its users. In addition, votes in Debian (for project leaders and general resolutions) are made using the keys. They are a fundamental part of the Debian infrastructure.