An anonymous reader quotes a report from Ars Technica: There's a new Linux distro on the scene today, and it's a bit specialized. Its development was led by the automotive electronics supplier Elektrobit, and it's the first open source OS that complies with the automotive industry's functional safety requirements. [...] With Elektrobit's EB corbos Linux for Safety Applications (that sure is a long name), there's an open source Linux distro that finally fits the bill, having just been given the thumbs up by the German organization TUV Nord. (It also complies with the IEC 61508 standard for safety applications.) "The beauty of our concept is that you don't even need to safety-qualify Linux itself," said Moritz Neukirchner, a senior director at Elektrobit overseeing SDVs. Instead, an external safety monitor runs in a hypervisor, intercepting and validating kernel actions.

"When you look at how safety is typically being done, look at communication -- you don't safety-certify the communication specs or Ethernet stack, but you do a checker library on top, and you have a hardware anchor for checking down below, and you insure it end to end but take everything in between out of the certification path. And we have now created a concept that allows us to do exactly that for an operating system," Neukirchner told me. "So in the end, since we take Linux out of the certification path and make it usable in a safety-related context, we don't have any problems in keeping up to speed with the developer community," he explained. "Because if you start it off and say, 'Well, we're going to do Linux as a one-shot for safety,' you're going to have the next five patches and you're off [schedule] again, especially with the security regulation that's now getting toward effect now, starting in July with the UNECE R155 that requires continuous cybersecurity management vulnerability scanning for all software that ends up in the vehicle."

"In the end, we see roughly 4,000 kernel security patches within eight years for Linux. And this is the kind of challenge that you're being put up to if you want to participate in that speed of innovation of an open source community as rich as that of Linux and now want to combine this with safety-related applications," Neukirchner said. Elektrobit developed EB corbos Linux for Safety Applications together with Canonical, and together they will share the maintenance of keeping it compliant with safety requirements over time.

An anonymous reader quotes a report from Ars Technica: Home Assistant, until recently, has been a wide-ranging and hard-to-define project. The open smart home platform is an open source OS you can run anywhere that aims to connect all your devices together. But it's also bespoke Raspberry Pi hardware, in Yellow and Green. It's entirely free, but it also receives funding through a private cloud services company, Nabu Casa. It contains tiny board project ESPHome and other inter-connected bits. It has wide-ranging voice assistant ambitions, but it doesn't want to be Alexa or Google Assistant. Home Assistant is a lot.

After an announcement this weekend, however, Home Assistant's shape is a bit easier to draw out. All of the project's ambitions now fall under the Open Home Foundation, a non-profit organization that now contains Home Assistant and more than 240 related bits. Its mission statement is refreshing, and refreshingly honest about the state of modern open source projects. "We've done this to create a bulwark against surveillance capitalism, the risk of buyout, and open-source projects becoming abandonware," the Open Home Foundation states in a press release. "To an extent, this protection extends even against our future selves -- so that smart home users can continue to benefit for years, if not decades. No matter what comes." Along with keeping Home Assistant funded and secure from buy-outs or mission creep, the foundation intends to help fund and collaborate with external projects crucial to Home Assistant, like Z-Wave JS and Zigbee2MQTT.

Home Assistant's ambitions don't stop with money and board seats, though. They aim to "be an active political advocate" in the smart home field, toward three primary principles:

- Data privacy, which means devices with local-only options, and cloud services with explicit permissions
- Choice in using devices with one another through open standards and local APIs
- Sustainability by repurposing old devices and appliances beyond company-defined lifetimes

Notably, individuals cannot contribute modest-size donations to the Open Home Foundation. Instead, the foundation asks supporters to purchase a Nabu Casa subscription or contribute code or other help to its open source projects. Further reading: The Verge's interview with Home Assistant founder Paulus Schoutsen

Long-time Slashdot reader tippen shared this report from the Register: AI agents, which combine large language models with automation software, can successfully exploit real world security vulnerabilities by reading security advisories, academics have claimed.

In a newly released paper, four University of Illinois Urbana-Champaign (UIUC) computer scientists — Richard Fang, Rohan Bindu, Akul Gupta, and Daniel Kang — report that OpenAI's GPT-4 large language model (LLM) can autonomously exploit vulnerabilities in real-world systems if given a CVE advisory describing the flaw. "To show this, we collected a dataset of 15 one-day vulnerabilities that include ones categorized as critical severity in the CVE description," the US-based authors explain in their paper. "When given the CVE description, GPT-4 is capable of exploiting 87 percent of these vulnerabilities compared to 0 percent for every other model we test (GPT-3.5, open-source LLMs) and open-source vulnerability scanners (ZAP and Metasploit)...."

The researchers' work builds upon prior findings that LLMs can be used to automate attacks on websites in a sandboxed environment. GPT-4, said Daniel Kang, assistant professor at UIUC, in an email to The Register, "can actually autonomously carry out the steps to perform certain exploits that open-source vulnerability scanners cannot find (at the time of writing)."
The researchers wrote that "Our vulnerabilities span website vulnerabilities, container vulnerabilities, and vulnerable Python packages. Over half are categorized as 'high' or 'critical' severity by the CVE description...."

"Kang and his colleagues computed the cost to conduct a successful LLM agent attack and came up with a figure of $8.80 per exploit"

Remember when Apple filed a lawsuit against chip startup Rivos (saying that in one year Rivos hired more than 40 former Apple employees to work on competing system-on-a-chip technology)? Apple settled that suit in February.

And now Tuesday Rivos announced that it raised $250 million, according to Reuters, "in a funding round that will enable it to manufacture its first server chip geared for artificial intelligence," combining a CPU with an AI-accelerating component optimized for LLMs and data analytics. Nvidia gobbled up more than 80% market share of AI chips in 2023. But a host of startups and chip giants have started to launch competing products, such as Intel's Gaudi 3 and Meta's inference chip — both unveiled last week. Rivos is tight-lipped about the specifics of the product, but has disclosed that its plans include designing chips based on the RISC-V architecture, which is an open source alternative to the architectures made by Arm, Intel, and Advanced Micro Devices.. [U]sing the open source alternative means Rivos does not have to pay a license fee to Arm. "RISC-V doesn't have a (large) software ecosystem, so I decided to form a company and then build software-defined hardware — just like what CUDA did with Nvidia," said Lip-Bu Tan, founding managing partner at Walden Catalyst, one of Rivos' investors.
Meanwhile, there's a rumor that Allen Wu, former chief executive of Arm China, has founded a new company that will develop chips based on RISC-V. Tom's Hardware writes: Under the leadership of the controversial Allen Wu, Zhongzhi Chip is reportedly attracting a notable influx of talent, including numerous former employees of Arm, indicating the new company's serious ambitions in the chip sector... [T]he company's operational focus remains partially unclear, with speculation around whether it will primarily engage in its own R&D initiatives or represent Tenstorrent in China as its agent... which develops HPC CPUs and AI processors based on the RISC-V ISA... Based on the source report, Zhongzhi Chip is leveraging its connections and forming alliances with several other leading global RISC-V chip developers.

It's "the new generation of Tablet for simplicity and privacy..." according to its Kickstarter page. "Top-tier performance, lightweight design and completely Google-free." And it's already reached its funding goal of $53,312 — climbing to over $75,000 from 115 backers with another 26 days still to go. 9to5Linux reports: Volla, the maker of the Volla Phone smartphones, has launched a crowdfunding campaign on Kickstarter for their first tablet device, the Volla Tablet, which will also support the Ubuntu Touch mobile OS.

Featuring a 12.3-inch Quad HD display with 2650Ã--1600 pixel resolution, the Volla Tablet uses a powerful MediaTek Gaming G99 8-core processor, 12 GB RAM, and 256 GB internal storage. It also comes with a long-lasting 10,000 mAh battery, 2G/3G/4G cellular network support, Wi-Fi, Bluetooth, and a 13+5 MP main camera.

By default, Volla Tablet ships with Volla OS 13, Volla's in-house operating system based on the free Android Open Source Project (AOSP), but users will be able to buy the tablet with Ubuntu Touch featuring built-in convergence and support for Android apps with WayDroid container.
"Users will also be able to use desktop apps like Firefox or LibreOffice thanks to the help of the Libertine container," according to the article. ("Volla says that Volla Tablet with Ubuntu Touch is ideal for Linux enthusiasts and minimalists seeking a simplified, efficient, and familiar operating system experience.")

Its Kickstarter page points out the tablet even offers options like "hide.me VPN" and private speech recognition that's "cloud-independent for secure, confidential interactions."

("For U.S. users, please note that only roaming SIM cards from abroad can be used.")

SiliconANGLE reports that to help organizations detect vulnerabilities earlier, Red Hat has "announced updates to its Trusted Software Supply Chain that enable organizations to shift security 'left' in the software supply chain." Red Hat announced Trusted Software Supply Chain in May 2023, pitching it as a way to address the rising threat of software supply chain attacks. The service secures software pipelines by verifying software origins, automating security processes and providing a secure catalog of verified open-source software packages. [Thursday's updates] are aimed at advancing the ability for customers to embed security into the software development life cycle, thereby increasing software integrity earlier in the supply chain while also adhering to industry regulations and compliance standards.

They start with a new tool called Red Hat Trust Artifact Signer. Based on the open-source Sigstore project [founded at Red Hat and now part of the Open Source Security Foundation], Trust Artifact Signer allows developers to sign and verify software artifacts cryptographically without managing centralized keys, to enhance trust in the software supply chain. The second new release, Red Hat Trusted Profile Analyzer, provides a central source for security documentation such as Software Bill of Materials and Vulnerability Exploitability Exchange. The tool simplifies vulnerability management by enabling proactive identification and minimization of security threats.

The final new release, Red Hat Trusted Application Pipeline, combines the capabilities of the Trusted Profile Analyzer and Trusted Artifact Signer with Red Hat's internal developer platform to provide integrated security-focused development templates. The feature aims to standardize and accelerate the adoption of secure development practices within organizations.
Specifically, Red Hat's announcement says organizations can use their new Trust Application Pipeline feature "to verify pipeline compliance and provide traceability and auditability in the CI/CD process with an automated chain of trust that validates artifact signatures, and offers provenance and attestations."

Linus Torvalds, discussing the AI hype, in a conversation with Dirk Hohndel, Verizon's Head of the Open Source Program Office: Torvalds snarked, "It's hilarious to watch. Maybe I'll be replaced by an AI model!" As for Hohndel, he thinks most AI today is "autocorrect on steroids." Torvalds summed up his attitude as, "Let's wait 10 years and see where it actually goes before we make all these crazy announcements."

That's not to say the two men don't think AI will be helpful in the future. Indeed, Torvalds noted one good side effect already: "NVIDIA has gotten better at talking to Linux kernel developers and working with Linux memory management," because of its need for Linux to run AI's large language models (LLMs) efficiently.

Torvalds is also "looking forward to the tools actually to find bugs. We have a lot of tools, and we use them religiously, but making the tools smarter is not a bad thing. Using smarter tools is just the next inevitable step. We have tools that do kernel rewriting, with very complicated scripts, and pattern recognition. AI can be a huge help here because some of these tools are very hard to use because you have to specify things at a low enough level." Just be careful, Torvalds warns of "AI BS." Hohndel quickly quipped, "He meant beautiful science. You know, "Beautiful science in, beautiful science out."

An anonymous reader shares a report: iPerf is a fairly popular cross-platform tool that is used by many to measure network performance and diagnose any potential issues in this area. The open-source utility is maintained by an organization called Energy Sciences Network (ESnet) and officially supports Linux, Unix, and Windows. However, Microsoft has now published a detailed blog post explaining why you should not use the latest version, iPerf3, on Windows installations.

Microsoft has highlighted three key reasons to discourage the use of iPerf3 on Windows. The first is that ESnet does not support this version on Windows, and recommends iPerf2 instead. On its website, ESnet has emphasized that CentOS 7 Linux, FreeBSD 11, and macOS 10.12 are the only supported platforms. Another very important reason not to use iPerf3 on Windows is that it does not make native OS calls. Instead, it leverages Cygwin as an emulation layer, which obviously comes with a performance penalty. This alone means that iPerf3 on Windows isn't really an ideal candidate for benchmarking your network. While Microsoft has praised the maintainers who are trying to get iPerf3 to run on Windows via emulation, another flaw with this approach is that some advanced networking options simply aren't available on Windows or may behave in unexpected ways.

Meta debuted a new version of its powerful Llama AI model, its latest effort to keep pace with similar technology from companies like OpenAI, X and Google. The company describes Llama 3 8B and Llama 3 70B, containing 8 billion and 70 billion parameters respectively, as a "major leap" in performance compared to their predecessors.

Meta claims that the Llama 3 models, trained on custom-built 24,000 GPU clusters, are among the best-performing generative AI models available for their respective parameter counts. The company supports this claim by citing the models' scores on popular AI benchmarks such as MMLU, ARC, and DROP, which attempt to measure knowledge, skill acquisition, and reasoning abilities. Despite the ongoing debate about the usefulness and validity of these benchmarks, they remain one of the few standardized methods for evaluating AI models. Llama 3 8B outperforms other open-source models like Mistral's Mistral 7B and Google's Gemma 7B on at least nine benchmarks, showcasing its potential in various domains such as biology, physics, chemistry, mathematics, and commonsense reasoning.

TechCrunch adds: Now, Mistral 7B and Gemma 7B aren't exactly on the bleeding edge (Mistral 7B was released last September), and in a few of benchmarks Meta cites, Llama 3 8B scores only a few percentage points higher than either. But Meta also makes the claim that the larger-parameter-count Llama 3 model, Llama 3 70B, is competitive with flagship generative AI models including Gemini 1.5 Pro, the latest in Google's Gemini series.

AltStore PAL has become one of the first alternative app marketplaces to launch in the European Union. Developed by Riley Testut, AltStore PAL is marketed as an open-source project designed to distribute apps from independent developers. MacRumors reports: At launch, it features two apps, including Testut's Delta game emulator and clipboard manager app Clip. Delta is also being simultaneously released in the App Store outside of the European Union, but it looks like EU customers will need to download it from AltStore. Testut says that once AltStore PAL is "running smoothly," third-party app developers will be able to submit their apps for distribution outside of the App Store. The app marketplace is designed to be decentralized with no directory, so developers will need to self-promote their apps and direct users to their websites to install an app through AltStore.

Distributing apps through AltStore is free of charge, but it is worth noting that apps that see more than one million first annual installs will need to pay Apple an 0.50 euro Core Technology Fee. App marketplaces have to pay the fee for every install with no free allowance, so AltStore is charged 0.50 euros each time it is installed. To afford the fee, Testut is charging 1.50 euros per year for AltStore PAL access. Testut has been working on AltStore PAL since Apple announced plans to support alternative app marketplaces in iOS 17.4. It is open to all apps, but Testut says that it makes the most sense for "smaller, indie apps that otherwise couldn't exist due to App Store rules." AltStore PAL is equipped with Patreon integration to allow developers to monetize their apps. Developers can offer their apps to just their patrons, and this method of distribution also allows for a sub-1 million cap on those who can subscribe to use an app.

Microsoft's Beijing-based research group published a new open source AI model on Tuesday, only to remove it from the internet hours later after the company realized that the model hadn't gone through adequate safety testing. From a report: The team that published the model, which is comprised of China-based researchers in Microsoft Research Asia, said in a tweet on Tuesday that they "accidentally missed" the safety testing step that Microsoft requires before models can be published.

Microsoft's AI policies require that before any AI models can be published, they must be approved by the company's Deployment Safety Board, which tests whether the models can carry out harmful tasks such as creating violent or disturbing content, according to an employee familiar with the process. In a now-deleted blog post, the researchers behind the model, dubbed WizardLM-2, said that it could carry out tasks like generating text, suggesting code, translating between different languages, or solving some math problems.

The U.S. government is warning that smart locks securing entry to an estimated 50,000 dwellings nationwide contain hard-coded credentials that can be used to remotely open any of the locks. Krebs on SecurityL: The lock's maker Chirp Systems remains unresponsive, even though it was first notified about the critical weakness in March 2021. Meanwhile, Chirp's parent company, RealPage, Inc., is being sued by multiple U.S. states for allegedly colluding with landlords to illegally raise rents. On March 7, 2024, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) warned about a remotely exploitable vulnerability with "low attack complexity" in Chirp Systems smart locks.

"Chirp Access improperly stores credentials within its source code, potentially exposing sensitive information to unauthorized access," CISA's alert warned, assigning the bug a CVSS (badness) rating of 9.1 (out of a possible 10). "Chirp Systems has not responded to requests to work with CISA to mitigate this vulnerability." Matt Brown, the researcher CISA credits with reporting the flaw, is a senior systems development engineer at Amazon Web Services. Brown said he discovered the weakness and reported it to Chirp in March 2021, after the company that manages his apartment building started using Chirp smart locks and told everyone to install Chirp's app to get in and out of their apartments.

An anonymous reader shares a report: Over the weekend, developer Mattia La Spina launched iGBA as one of the first retro game emulators legitimately available on the iOS App Store following Apple's rules change regarding such emulators earlier this month. As of Monday morning, though, iGBA has been pulled from the App Store following controversy over the unauthorized reuse of source code from a different emulator project.

iOS 8.1 plugs security hole that made it easy to install emulators Shortly after iGBA's launch, some people on social media began noticing that the project appeared to be based on the code for GBA4iOS, a nearly decade-old emulator that developer Riley Testut and a partner developed as high-schoolers (and distributed via a temporary security hole in the iOS App store). Testut took to social media Sunday morning to call iGBA a "knock-off" of GBA4iOS. "I did not give anyone permission to do this, yet it's now sitting at the top of the charts (despite being filled with ads + tracking)," he wrote.

GBA4iOS is an open source program released under the GNU GPLv2 license, with licensing terms that let anyone "use, modify, and distribute my original code for this project without fear of legal consequences." But those expansive licensing terms only apply "unless you plan to submit your app to Apple's App Store, in which case written permission from me is explicitly required."

The Linux Foundation-backed project OpenTofu "has gotten legal pushback from HashiCorp," according to a report — just seven months after forking OpenTofu's code from HashiCorp's IT deployment software Terraform: On April 3, HashiCorp issued a strongly-worded Cease and Desist letter to OpenTofu, accusing that the project has "repeatedly taken code HashiCorp provided only under the Business Software License (BSL) and used it in a manner that violates those license terms and HashiCorp's intellectual property rights." It goes on to note that "In at least some instances, OpenTofu has incorrectly re-labeled HashiCorp's code to make it appear as if it was made available by HashiCorp originally under a different license." Last August, HashiCorp announced that it would be transitioning its software from the open source Mozilla Public License (MPL 2.0) to the Business Source License (BSL), a license that permits the source to be viewed, but not run in production environments without explicit approval by the license owner. HashiCorp gave OpenTofu until April 10 to remove any allegedly copied code from the OpenTofu repository, threatening litigation if the project fails to do so.
Others are also covering the fracas, including Steven J. Vaughan-Nichols at DevOps.com: OpenTofu replied, "The OpenTofu team vehemently disagrees with any suggestion that it misappropriated, mis-sourced, or otherwise misused HashiCorp's BSL code. All such statements have zero basis in facts." In addition, it said, HashiCorp's claims of copyright infringement are completely unsubstantiated. As for the code in question, OpenTofu claims it can clearly be shown to have been copied from older code under the Mozilla Public License (MPL) 2.0. "HashiCorp seems to have copied the same code itself when they implemented their version of this feature. All of this is easily visible in our detailed SCO analysis, as well as their own comments."

In a detailed source code origination (SCO) examination of the problematic source code, OpenTofu stated that HashiCorp was mistaken. "We believe that this is just a case of a misunderstanding where the code came from." OpenTofu maintains the code was originally licensed under the MPL, not the BSL. If so, then OpenTofu was perfectly within its right to use the code in its codebase...

[OpenTofu's lawyer] concluded, "In the future, if you should have any concerns or questions about how source code in OpenTofu is developed, we would ask that you contact us first. Immediately issuing DMCA takedown notices and igniting salacious negative press articles is not the most helpful path to resolving concerns like this."

An anonymous reader quotes a report from The Guardian: Hospitals -- despite being places where people implicitly expect to have their personal details kept private -- frequently use tracking technologies on their websites to share user information with Google, Meta, data brokers, and other third parties, according to research published today. Academics at the University of Pennsylvania analyzed a nationally representative sample of 100 non-federal acute care hospitals -- essentially traditional hospitals with emergency departments -- and their findings were that 96 percent of their websites transmitted user data to third parties. Additionally, not all of these websites even had a privacy policy. And of the 71 percent that did, 56 percent disclosed specific third-party companies that could receive user information.

The researchers' latest work builds on a study they published a year ago of 3,747 US non-federal hospital websites. That found 98.6 percent tracked and transferred visitors' data to large tech and social media companies, advertising firms, and data brokers. To find the trackers on websites, the team checked out each hospitals' homepage on January 26 using webXray, an open source tool that detects third-party HTTP requests and matches them to the organizations receiving the data. They also recorded the number of third-party cookies per page. One name in particular stood out, in terms of who was receiving website visitors' information. "In every study we've done, in any part of the health system, Google, whose parent company is Alphabet, is on nearly every page, including hospitals," [Dr Ari Friedman, an assistant professor of emergency medicine at the University of Pennsylvania] observed. "From there, it declines," he continued. "Meta was on a little over half of hospital webpages, and the Meta Pixel is notable because it seems to be one of the grabbier entities out there in terms of tracking."

Both Meta and Google's tracking technologies have been the subject of criminal complaints and lawsuits over the years -- as have some healthcare companies that shared data with these and other advertisers. In addition, between 20 and 30 percent of the hospitals share data with Adobe, Friedman noted. "Everybody knows Adobe for PDFs. My understanding is they also have a tracking division within their ad division." Others include telecom and digital marketing companies like The Trade Desk and Verizon, plus tech giants Oracle, Microsoft, and Amazon, according to Friedman. Then there's also analytics firms including Hotjar and data brokers such as Acxiom. "And two thirds of hospital websites had some kind of data transfer to a third-party domain that we couldn't even identify," he added. Of the 71 hospital website privacy policies that the team found, 69 addressed the types of user information that was collected. The most common were IP addresses (80 percent), web browser name and version (75 percent), pages visited on the website (73 percent), and the website from which the user arrived (73 percent). Only 56 percent of these policies identified the third-party companies receiving user information. In lieu of any federal data privacy law in the U.S., Friedman recommends users protect their personal information via the browser-based tools Ghostery and Privacy Badger, which identify and block transfers to third-party domains.

An anonymous reader quotes a report from Ars Technica: Hardware sold for years by the likes of Intel and Lenovo contains a remotely exploitable vulnerability that will never be fixed. The cause: a supply chain snafu involving an open source software package and hardware from multiple manufacturers that directly or indirectly incorporated it into their products. Researchers from security firm Binarly have confirmed that the lapse has resulted in Intel, Lenovo, and Supermicro shipping server hardware that contains a vulnerability that can be exploited to reveal security-critical information. The researchers, however, went on to warn that any hardware that incorporates certain generations of baseboard management controllers made by Duluth, Georgia-based AMI or Taiwan-based AETN are also affected.

BMCs are tiny computers soldered into the motherboard of servers that allow cloud centers, and sometimes their customers, to streamline the remote management of vast fleets of servers. They enable administrators to remotely reinstall OSes, install and uninstall apps, and control just about every other aspect of the system -- even when it's turned off. BMCs provide what's known in the industry as "lights-out" system management. AMI and AETN are two of several makers of BMCs. For years, BMCs from multiple manufacturers have incorporated vulnerable versions of open source software known as lighttpd. Lighttpd is a fast, lightweight web server that's compatible with various hardware and software platforms. It's used in all kinds of wares, including in embedded devices like BMCs, to allow remote administrators to control servers remotely with HTTP requests. [...] "All these years, [the lighttpd vulnerability] was present inside the firmware and nobody cared to update one of the third-party components used to build this firmware image," Binarly researchers wrote Thursday. "This is another perfect example of inconsistencies in the firmware supply chain. A very outdated third-party component present in the latest version of firmware, creating additional risk for end users. Are there more systems that use the vulnerable version of lighttpd across the industry?"

The vulnerability makes it possible for hackers to identify memory addresses responsible for handling key functions. Operating systems take pains to randomize and conceal these locations so they can't be used in software exploits. By chaining an exploit for the lighttpd vulnerability with a separate vulnerability, hackers could defeat this standard protection, which is known as address space layout randomization. The chaining of two or more exploits has become a common feature of hacking attacks these days as software makers continue to add anti-exploitation protections to their code. Tracking the supply chain for multiple BMCs used in multiple server hardware is difficult. So far, Binarly has identified AMI's MegaRAC BMC as one of the vulnerable BMCs. The security firm has confirmed that the AMI BMC is contained in the Intel Server System M70KLP hardware. Information about BMCs from ATEN or hardware from Lenovo and Supermicro aren't available at the moment. The vulnerability is present in any hardware that uses lighttpd versions 1.4.35, 1.4.45, and 1.4.51. "A potential attacker can exploit this vulnerability in order to read memory of Lighttpd Web Server process," Binarly researchers wrote in an advisory. "This may lead to sensitive data exfiltration, such as memory addresses, which can be used to bypass security mechanisms such as ASLR." Advisories are available here, here, and here.

Liam Proven reports via The Register: Bad news for those who want to play with OpenVMS in non-production use. Older versions are disappearing, and the terms are getting much more restrictive. The corporation behind the continued development of OpenVMS, VMS Software, Inc. -- or VSI to its friends, if it has any left after this -- has announced the latest Updates to the Community Program. The news does not look good: you can't get the Alpha and Itanium versions any more, only a limited x86-64 edition.

OpenVMS is one of the granddaddies of big serious OSes. A direct descendant of the OSes that inspired DOS, CP/M, OS/2, and Windows, as well as the native OS of the hardware on which Unix first went 32-bit, VMS has been around for nearly half a century. For decades, its various owners have offered various flavors of "hobbyist program" under which you could get licenses to install and run it for free, as long as it wasn't in production use. Since Compaq acquired DEC, then HP acquired Compaq, its prospects looked checkered. HP officially killed it off in 2013, then in 2014 granted it a reprieve and sold it off instead. New owner VSI ported it to x86-64, releasing that new version 9.2 in 2022. Around this time last year, we covered VSI adding AMD support and opening a hobbyist program of its own. It seems from the latest announcement that it has been disappointed by the reception: "Despite our initial aspirations for robust community engagement, the reality has fallen short of our expectations. The level of participation in activities such as contributing open source software, creating wiki articles, and providing assistance on forums has not matched the scale of the program. As a result, we find ourselves at a crossroads, compelled to reassess and recalibrate our approach."

Although HPE stopped offering hobbyist licenses for the original VAX versions of OpenVMS in 2020, VSI continued to maintain OpenVMS 8 (in other words, the Alpha and Itanium editions) while it worked on version 9 for x86-64. VSI even offered a Student Edition, which included a freeware Alpha emulator and a copy of OpenVMS 8.4 to run inside it. Those licenses run out in 2025, and they won't be renewed. If you have vintage DEC Alpha or HP Integrity boxes with Itanic chips, you won't be able to get a legal licensed copy of OpenVMS for them, or renew the license of any existing installations -- unless you pay, of course. There will still be a Community license edition, but from now on it's x86-64 only. Although OpenVMS 9 mainly targets hypervisors anyway, it does support bare-metal operations on a single model of HPE server, the ProLiant DL380 Gen10. If you have one of them to play with -- well, tough. Now Community users only get a VM image, supplied as a VMWare .vmdk file. It contains a ready-to-go "OpenVMS system disk with OpenVMS, compilers and development tools installed." Its license runs for a year, after which you will get a fresh copy. This means you won't be able to configure your own system and keep it alive -- you'll have to recreate it, from scratch, annually. The only alternative for those with older systems is to apply to be an OpenVMS Ambassador.

Privacy startup Proton already offers an email app, a VPN tool, cloud storage, a password manager, and a calendar app. In April 2022, Proton acquired SimpleLogin, an open-source product that generates email aliases to protect inboxes from spam and phishing. Today, Proton acquired Standard Notes, advancing its already strong commitment to the open-source community. From a report: Standard Notes is an open-source note-taking app, available on both mobile and desktop platforms, with a user base of over 300,000. [...] Proton founder and CEO Andy Yen makes a point of stating that Standard Notes will remain open-source, will continue to undergo independent audits, will continue to develop new features and updates, and that prices for the app/service will not change. Standard Notes has three tiers: Free, which includes 100MB of storage, offline access, and unlimited device sync; Productivity for $90 per year, which includes features like markdown, spreadsheets with advanced formulas, Daily Notebooks, and two-factor authentication; and Professional for $120 per year, which includes 100GB of cloud storage, sharing for up to five accounts, no file limit size, and more.

Intel on Tuesday unveiled its new "Gaudi 3" AI chip that the company claims is over twice as power-efficient and can run AI models one-and-a-half times faster than Nvidia's H100 GPU. "It also comes in different configurations like a bundle of eight Gaudi 3 chips on one motherboard or a card that can slot into existing systems," adds CNBC. From the report: Intel tested the chip on models like Meta's open-source Llama and the Abu Dhabi-backed Falcon. It said Gaudi 3 can help train or deploy models, including Stable Diffusion or OpenAI's Whisper model for speech recognition. Intel says its chips use less power than Nvidia's. Intel said that the new Gaudi 3 chips would be available to customers in the third quarter, and companies including Dell, Hewlett Packard Enterprise, and Supermicro will build systems with the chips. Intel didn't provide a price range for Gaudi 3.

Gaudi 3 is built on a five nanometer process, a relatively recent manufacturing technique, suggesting that the company is using an outside foundry to manufacture the chips. In addition to designing Gaudi 3, Intel also plans to manufacture AI chips, potentially for outside companies, at a new Ohio factory expected to open in 2027 or 2028, CEO Patrick Gelsinger told reporters last month. "We do expect it to be highly competitive" with Nvidia's latest chips, said Das Kamhout, vice president of Xeon software at Intel, on a call with reporters. "From our competitive pricing, our distinctive open integrated network on chip, we're using industry-standard Ethernet. We believe it's a strong offering."

Meta Platforms is planning to launch two small versions of its forthcoming Llama 3 large-language model next week, The Information has reported [non-paywalled link]. From the report: The models will serve as a precursor to the launch of the biggest version of Llama 3, expected this summer. Release of the two small models will likely help spark excitement for the forthcoming Llama 3, which will be coming out roughly a year after Llama 2 launched last July.

It comes as several companies, including Google, Elon Musk's xAI and Mistral, have released open-source LLMs. Meta hopes Llama 3 will catch up with OpenAI's GPT-4, which can answer questions based on images users upload to the chatbot. The biggest version will be multimodal, which means it will be capable of understanding and generating both texts and images. In contrast, the two small models to be released next week won't be multimodal, the employee said.