Businesses

Trello Limits Teams on Free Tier To 10 Boards, Rolls Out Enterprise Automations and Admin Controls (venturebeat.com) 34

In this week's episode of which popular service will reduce its offerings to the non-paying users, Trello said it will have a go. From a report: Trello, a Kanban-inspired project management app organized around the idea of boards containing cards with attachments, to-do items, and comments, is getting a few much-needed improvements. Today, the Trello team announced that Trello Enterprise, a corporate-class subscription tier launched in 2015, will gain 13 new features this week, including improved admin controls, a new visibility setting, and compliance certifications.

It's the largest product update in Trello Enterprise's history, the Atlassian subsidiary says, but it's a tad bittersweet -- a new restriction will be imposed on teams that use the free version of Trello. Moving forward, they'll be limited to a maximum of 10 open boards at any given time. (Enterprise and Trello Business Class users get unlimited boards, and existing free teams will be able to add up to 10 additional boards until May 1, 2019.)
Last week, it was Dropbox that introduced some limits to its non-paying users.
Botnet

New Mirai Malware Variant Targets Signage TVs and Presentation Systems (zdnet.com) 21

An anonymous reader quotes a report from ZDNet: Security researchers have spotted a new variant of the Mirai IoT malware in the wild targeting two new classes of devices -- smart signage TVs and wireless presentation systems. This new strain is being used by a new IoT botnet that security researchers from Palo Alto Networks spotted earlier this year. The botnet's author(s) appear to have invested quite a lot of their time in upgrading older versions of the Mirai malware with new exploits. Palo Alto Networks researchers say this new Mirai botnet uses 27 exploits, 11 of which are new to Mirai altogether, to break into smart IoT devices and networking equipment. Furthermore, the botnet operator has also expanded Mirai's built-in list of default credentials that the malware is using to break into devices that use default passwords. Four new username and password combos have been added to Mirai's considerable list of default creds, researchers said in a report published earlier today.

The purpose and modus operandi of this new Mirai botnet are the same as all the previous botnets. Infected devices scan the internet for other IoT devices with exposed Telnet ports and use the default credentials (from their internal lists) to break in and take over these new devices. The infected bots also scan the internet for specific device types and then attempt to use one of the 27 exploits to take over unpatched systems.
The new Mirai botnet is specifically targeting LG Supersign signage TVs and WePresent WiPG-1000 wireless presentation systems.
Encryption

Slack Hands Over Control of Encryption Keys To Regulated Customers (techcrunch.com) 32

Business communications and collaboration service Slack said today that it is launching Enterprise Key Management (EKM) for Slack, a new tool that enables customers to control their encryption keys in the enterprise version of the communications app. The keys are managed in the AWS KMS key management tool. From a report: Geoff Belknap, chief security officer (CSO) at Slack, says that the new tool should appeal to customers in regulated industries, who might need tighter control over security. "Markets like financial services, health care and government are typically underserved in terms of which collaboration tools they can use, so we wanted to design an experience that catered to their particular security needs," Belknap told TechCrunch. Slack currently encrypts data in transit and at rest, but the new tool augments this by giving customers greater control over the encryption keys that Slack uses to encrypt messages and files being shared inside the app.

He said that regulated industries in particular have been requesting the ability to control their own encryption keys including the ability to revoke them if it was required for security reasons. "EKM is a key requirement for growing enterprise companies of all sizes, and was a requested feature from many of our Enterprise Grid customers. We wanted to give these customers full control over their encryption keys, and when or if they want to revoke them," he said.
Further reading: Slack Doesn't Have End-to-End Encryption Because Your Boss Doesn't Want It.
Businesses

F5 Acquired NGINX For $670M (zdnet.com) 38

Long-time Slashdot reader skdffff quotes ZDNet: F5 Networks on Monday announced that it will acquire NGINX, which provides popular open-source software of the same name, for $670 million. The deal advances F5's aim of capitalizing on the trend toward multi-cloud deployments.

F5 plans to enhance NGINX's current offerings with F5 security solutions and will integrate F5 cloud-native technology with NGINX's software load balancing technology. This should accelerate F5's time to market of application services for containerized applications. Meanwhile, NGINX will benefit from F5's global salesforce, channel infrastructure and partner ecosystem.

The acquisition adds "the power of NGINX's open source innovation to F5's ADC leadership and enterprise reach," NGINX CEO Gus Robertson said in a statement.

Cloud

Is Amazon's AWS Approaching 'War' for Control of Elasticsearch? (datanami.com) 62

Long-time Slashdot reader jasenj1 and Striek both shared news of a growing open source controversy. "Amazon Web Services on Monday announced that it's partnering with Netflix and Expedia to champion a new Open Distro for Elasticsearch due to concerns of proprietary code being mixed into the open source Elasticsearch project," reports Datanami.

"Elastic, the company behind Elasticsearch, responded by accusing Amazon of copying code, inserting bugs into the community code, and engaging with the company under false pretenses..." In a blog post, Adrian Cockcroft, the vice president of cloud architecture strategy for AWS, says the new project is a "value added" distribution that's 100% open source, and that developers working on it will contribute any improvements or fixes back to the upstream Elasticsearch project. "The new advanced features of Open Distro for Elasticsearch are all Apache 2.0 licensed," Cockcroft writes. "With the first release, our goal is to address many critical features missing from open source Elasticsearch, such as security, event monitoring and alerting, and SQL support...." Cockcroft says there's no clear documentation in the Elasticsearch release notes over what's open source and what's proprietary. "Enterprise developers may inadvertently apply a fix or enhancement to the proprietary source code," he wrote. "This is hard to track and govern, could lead to breach of license, and could lead to immediate termination of rights (for both proprietary free and paid)."

Elastic CEO Shay Banon responded Tuesday to AWS in a blog post, in which he leveled a variety of accusations at the cloud giant. "Our products were forked, redistributed and rebundled so many times I lost count," Banon wrote. "There was always a 'reason' [for the forks, redistributions, and rebundling], at times masked with fake altruism or benevolence. None of these have lasted. They were built to serve their own needs, drive confusion, and splinter the community." Elastic's commercial code may have provided an "inspiration" for others to follow, Banon wrote, but that inspiration didn't necessarily make for clean code. "It has been bluntly copied by various companies and even found its way back to certain distributions or forks, like the freshly minted Amazon one, sadly, painfully, with critical bugs," he wrote.

Windows

Microsoft Will Now Pester Windows 7 Users To Upgrade To Windows 10 With Pop-ups (betanews.com) 271

Mark Wilson writes: Anyone who is still using Windows 7 doesn't have much longer until the operating system is no longer supported by Microsoft. Come January 14, 2020, only those enterprise customers who are willing to pay for Extended Security Updates will receive any kind of support. Microsoft has already done a lot to encourage Windows 7 diehards to make the move to Windows 10, and now it is stepping things up a gear. Throughout 2019, the company will show pop-up notifications in Windows 7 about making the switch to the latest version of Windows.
Microsoft

Microsoft To Start Selling Windows 7 Add-On Support April 1st (computerworld.com) 95

AmiMoJo quotes Computerworld: Microsoft plans to start selling its Windows 7 add-on support beginning April 1. Labeled "Extended Security Updates" (ESU), the post-retirement support will give enterprise customers more time to purge their environments of Windows 7. From Windows 7's Jan. 14, 2020 end of support, ESU will provide security fixes for uncovered or reported vulnerabilities in the OS.

Patches will be issued only for bugs rated "Critical" or "Important" by Microsoft, the top two rankings in a four-step scoring system. ESU will be dealt out in one-year increments for up to three years, and support will be sold on a per-device basis, rather than the per-user approach Microsoft has pushed for Windows 10 licensing. Costs for ESU will start out low — $25 or $50 per year per device — but will double each year, ending at $100 or $200 per device for the third and final year.

Security

Over 800 Million Emails Leaked Online By Email Verification Service (securitydiscovery.com) 60

Security researchers Bob Diachenko and Vinny Troia discovered an unprotected MongoDB database containing 150GB of detailed, plaintext marketing data -- including hundreds of millions of unique email addresses. An anonymous Slashdot reader shares Diachenko's findings, which were made public today: On February 25th, 2019, I discovered a non-password-protected 150GB-sized MongoDB instance. This is perhaps the biggest and most comprehensive email database I have ever reported. Upon verification I was shocked at the massive number of emails that were publicly accessible for anyone with an internet connection. Some of the data was much more detailed than just the email address and included personally identifiable information (PII). This database contained four separate collections of data and combined was an astounding 808,539,939 records. As part of the verification process I cross-checked a random selection of records with Troy Hunt's HaveIBeenPwned database. Based on the results, I came to the conclusion that this is not just another "Collection" of previously leaked sources but a completely unique set of data. Although not all records contained the detailed profile information about the email owner, a large amount of records were very detailed. We are still talking about millions of records.

In addition to the email databases, this unprotected Mongo instance also uncovered details on the possible owner of the database -- a company named "Verifications.io" -- which offered the services of "Enterprise Email Validation." Unfortunately, it appears that once emails were uploaded for verification they were also stored in plain text. Once I reported my discovery to Verifications.io the site was taken offline and is currently down at the time of this publication.

Businesses

MariaDB CEO Accuses Large Cloud Vendors of Strip-Mining Open Source (zdnet.com) 200

Big cloud companies are "strip-mining open-source technologies and companies," complains Michael Howard, CEO of MariaDB. At their developer conference, Howard accused "big cloud" of "really abusing the license and privilege [of open source], by not giving back to the community." ZDNet reports: Even as MariaDB grows by leaps and bounds in enterprise computing at Oracle's expense, Howard sees Oracle and Amazon fighting against it. "Oracle as the example of on-premise lock-in and Amazon being the example of cloud lock-in. You could interchange the names, you can honestly say now that Amazon should just be called Oracle Prime...."

In the first keynote, Austin Rutherford, MariaDB's VP of Customer Success, showed the result of a HammerDB benchmark on AWS EC2... In these tests, AWS's default MariaDB instances did poorly, while AWS homebrew Aurora, which is built on top of MySQL, consistently beat them. The top-performing database management system of all was MariaDB Managed Services on AWS. "My first reaction when I looked at the benchmarks," said Howard, was "maybe there's incompetence going on. Maybe they just don't know how to optimize a DBMS." He observed that one MariaDB customer, one of the biggest retail drug companies in the world, had told MariaDB that "Amazon offers the most vanilla MariaDB around. There's nothing enterprise about it. We could just install MariaDB from source on EC2 and do as well."

He then "began to wonder, Is there something that they're deliberately crippling?" Howard wouldn't go so far as to say AWS is consciously doing a poor job of implementing its MariaDB instances. Howard did say, "And then it became clear that, however, you want to articulate this, there is something not kosher happening." Howard doesn't have much against AWS promoting its own brands... But, if AWS's going out of its way to make a rival service look inferior to its own, well, Howard's not happy about that.

ZDNet adds that "it's also quite possible that an unoptimized generic MariaDB instance will simply lag behind AWS-optimized Aurora.

"That said, even in this most innocent take on the benchmark results, cloud customers would be wise to take into consideration that cloud instances of any specific software service may not be created equal."
Facebook

Facebook Admits 18% of Research Spyware Users Were Teens -- Not Less Than 5% It Claimed Earlier This Year (techcrunch.com) 28

Josh Constine, writing for TechCrunch: Facebook has changed its story after initially trying to downplay how it targeted teens with its Research program that a TechCrunch investigation revealed was paying them gift cards to monitor all their mobile app usage and browser traffic. "Less than 5 percent of the people who chose to participate in this market research program were teens," a Facebook spokesperson told TechCrunch and many other news outlets in a damage control effort 7 hours after we published our report on January 29th. At the time, Facebook claimed that it had removed its Research app from iOS. The next morning we learned that wasn't true, as Apple had already forcibly blocked the Facebook Research app for violating its Enterprise Certificate program that is supposed to be reserved for companies distributing internal apps to employees.

It turns out that wasn't the only time Facebook deceived the public in its response regarding the Research VPN scandal. TechCrunch has obtained Facebook's unpublished February 21st response to questions about the Research program in a letter from Senator Mark Warner. [...] In the response from Facebook's VP of US public policy Kevin Martin, the company admits that "At the time we ended the Facebook Research App on Apple's iOS platform, less than 5 percent of the people sharing data with us through this program were teens. Analysis shows that number is about 18 percent when you look at the complete lifetime of the program, and also add people who had become inactive and uninstalled the app."

The Military

Boeing's Autonomous Fighter Jet Could Arrive Next Year (engadget.com) 130

Slashdot reader technology_dude writes in response to an Engadget report about Boeing's plans to develop an autonomous fighter jet: In Season 1, Episode 23 of Star Trek, the Enterprise visits two worlds that are at continuous war. The war is run via computers, and people who are victims in a "hit" report to a facility to be terminated. Kirk tells the worlds' leaders that there can be no peace if there is no cost to the war. We avoid war because of its cost and ugliness. Remove that and you remove the reason to stop. It looks like we may need the Captain to intervene here on planet Earth. We seem hellbent on automating our militaries. The report says Boeing's recently unveiled autonomous fighter jet, called the Boeing Airpower Teaming System, is expected to arrive as soon as 2020. "The aircraft is designed to fly alongside crewed jets during combat, performing early warning tests, intelligence gathering, surveillance and reconnaissance," reports Engadget. The company says the jets will cost a "fraction" of a manned fighter.
ISS

Computer Servers 'Stranded' in Space (bbc.com) 89

A pair of Hewlett Packard Enterprise servers sent up to the International Space Station in August 2017 as an experiment have still not come back to Earth, three months after their intended return. From a report: Together they make up the Spaceborne Computer, a Linux system that has supercomputer processing power. They were sent up to see how durable they would be in space with minimal specialist treatment. After 530 days, they are still working. Their return flight was postponed after a Russian rocket failed in October 2018. HPE senior content architect Adrian Kasbergen said they may return in June 2019 if there is space on a flight but "right now they haven't got a ticket." The company is working with NASA to be "computer-ready" for the first manned Mars flight, estimated to take place in about 2030. The company is also working with Elon Musk's SpaceX.
Microsoft

Microsoft Announces HoloLens 2 Mixed Reality Headset For $3,500 (theverge.com) 60

Artem S. Tashkinov writes: Microsoft has made the HoloLens 2 mixed-reality headset, hailed as a third wave of computing, available for preorder for a staggering $3,500, and it's expected to be shipped later this year. It will be sold only to enterprise customers. Compared to the first generation HoloLens, the second version is better in almost every important way: it's more comfortable to wear, it offers a much wider field of view, and it contains powerful recognition software that can detect real-world physical objects and allow you to seamlessly interact with them using hand and finger gestures. It features new components like the Azure Kinect sensor, Snapdragon 850 SoC, eye-tracking sensors, an entirely different display system with 2K resolution for each eye, a couple of speakers, and an 8-megapixel front-facing camera for video conferencing. It's also capable of full 6 degrees of tracking, and it also uses USB-C to charge.
Android

Facebook Will Shut Down Its Spyware VPN App Onavo (techcrunch.com) 27

An anonymous reader quotes a report from TechCrunch: Facebook will end its unpaid market research programs and proactively take its Onavo VPN app off the Google Play store in the wake of backlash following TechCrunch's investigation about Onavo code being used in a Facebook Research app that sucked up data about teens. The Onavo Protect app will eventually shut down, and will immediately cease pulling in data from users for market research, though it will continue operating as a Virtual Private Network in the short term to allow users to find a replacement. Facebook has also ceased to recruit new users for the Facebook Research app that still runs on Android but was forced off of iOS by Apple after we reported on how it violated Apple's Enterprise Certificate program for employee-only apps. Existing Facebook Research app studies will continue to run, though. Onavo billed itself as a way to "limit apps from using background data and use a secure VPN network for your personal info" but also noted it would collect the "Time you spend using apps, mobile and Wi-Fi data you use per app, the websites you visit, and your country, device and network type." A Facebook spokesperson confirmed the change and provided this statement: "Market research helps companies build better products for people. We are shifting our focus to reward-based market research which means we're going to end the Onavo program."
Bug

Google Researchers Say Software Alone Can't Mitigate Spectre Chip Flaws (siliconrepublic.com) 98

A group of researchers say that it will be difficult to avoid Spectre bugs in the future unless CPUs are dramatically overhauled. From a report: Google researchers say that software alone is not enough to prevent the exploitation of the Spectre flaws present in a variety of CPUs. The team of researchers -- including Ross McIlroy, Jaroslav Sevcik, Tobias Tebbi, Ben L Titzer and Toon Verwaest -- work on Chrome's V8 JavaScript engine. The researchers presented their findings in a paper distributed through ArXiv and came to the conclusion that all processors that perform speculative execution will always remain susceptible to various side-channel attacks, despite mitigations that may be discovered in future.
Businesses

Employees and Contractors Expose Information Online in 98 Percent of Organizations (betanews.com) 33

An anonymous reader shares a report: Employees and contractors are exposing confidential and sensitive information online and in the cloud in some 98 percent of organizations. This is found primarily in Dropbox, Google, and Microsoft SharePoint. This is among the findings of a new report from insider threat specialist Dtex Systems which has analyzed information from work-issued endpoints and more than 300,000 employee and contractor accounts.

All of the assessments detected employees and contractors transferring confidential and sensitive data via unencrypted USB drives, personal email accounts, and cloud applications, an increase of 10 percent over 2018. In addition, 97 percent of assessments detected employees and contractors who were flight risks, a class of insider threat that often steals data and IP. This is an increase of 59 percent over 2018. 95 percent detected employees and contractors attempting to bypass or circumvent security controls via anonymous browsing, VPN and TOR usage, up 35 percent over 2018.

Piracy

Software Pirates Use Apple Tech To Put Hacked Apps on iPhones (reuters.com) 38

Pirates used Apple's enterprise developer certificates to put out hacked versions of some major apps, a report said Thursday. From the report: Illicit software distributors such as TutuApp, Panda Helper, AppValley and TweakBox have found ways to use digital certificates to get access to a program Apple introduced to let corporations distribute business apps to their employees without going through Apple's tightly controlled App Store. Using so-called enterprise developer certificates, these pirate operations are providing modified versions of popular apps to consumers, enabling them to stream music without ads and to circumvent fees and rules in games, depriving Apple and legitimate app makers of revenue. By doing so, the pirate app distributors are violating the rules of Apple's developer programs, which only allow apps to be distributed to the general public through the App Store. Downloading modified versions violates the terms of service of almost all major apps.
Privacy

Apple Fails To Block Porn and Gambling 'Enterprise' Apps (techcrunch.com) 77

Facebook and Google were far from the only developers openly abusing Apple's Enterprise Certificate program meant for companies offering employee-only apps. A TechCrunch investigation uncovered a dozen hardcore pornography apps and a dozen real-money gambling apps that escaped Apple's oversight. From the report: The developers passed Apple's weak Enterprise Certificate screening process or piggybacked on a legitimate approval, allowing them to sidestep the App Store and Cupertino's traditional safeguards designed to keep iOS family friendly. Without proper oversight, they were able to operate these vice apps that blatantly flout Apple's content policies. The situation shows further evidence that Apple has been neglecting its responsibility to police the Enterprise Certificate program, leading to its exploitation to circumvent App Store rules and forbidden categories.
Security

Doomsday Docker Security Hole Uncovered (zdnet.com) 87

An anonymous reader quotes a report from ZDNet: One of the great security fears about containers is that an attacker could infect a container with a malicious program, which could escape and attack the host system. Well, we now have a security hole that could be used by such an attack: runC container breakout, CVE-2019-5736. runC is the underlying container runtime for Docker, Kubernetes, and other container-dependent programs. It's an open-source command-line tool for spawning and running containers. Docker originally created it. Today, it's an Open Container Initiative (OCI) specification. It's widely used. Chances are, if you're using containers, you're running them on runC.

According to Aleksa Sarai, a SUSE container senior software engineer and a runC maintainer, security researchers Adam Iwaniuk and Borys Popławski discovered a vulnerability, which "allows a malicious container to (with minimal user interaction) overwrite the host runc binary and thus gain root-level code execution on the host. The level of user interaction is being able to run any command (it doesn't matter if the command is not attacker-controlled) as root." To do this, an attacker has to place a malicious container within your system. But this is not that difficult. Lazy sysadmins often use the first container that comes to hand without checking to see if the software within that container is what it purports to be.
Red Hat technical product manager for containers, Scott McCarty, warned: "The disclosure of a security flaw (CVE-2019-5736) in runc and docker illustrates a bad scenario for many IT administrators, managers, and CxOs. Containers represent a move back toward shared systems where applications from many different users all run on the same Linux host. Exploiting this vulnerability means that malicious code could potentially break containment, impacting not just a single container, but the entire container host, ultimately compromising the hundreds-to-thousands of other containers running on it. While there are very few incidents that could qualify as a doomsday scenario for enterprise IT, a cascading set of exploits affecting a wide range of interconnected production systems qualifies...and that's exactly what this vulnerability represents."
Government

Should All Government IT Systems Be Using Open Source Software? (linuxjournal.com) 206

Writing at Linux Journal, Glyn Moody reports that dozens of government IT systems are switching to open source software.

"The fact that this approach is not already the norm is something of a failure on the part of the Free Software community..." One factor driving this uptake by innovative government departments is the potential to cut costs by avoiding constant upgrade fees. But it's important not to overstate the "free as in beer" element here. All major software projects have associated costs of implementation and support. Departments choosing free software simply because they believe it will save lots of money in obvious ways are likely to be disappointed, and that will be bad for open source's reputation and future projects.

Arguably as important as any cost savings is the use of open standards. This ensures that there is no lock-in to a proprietary solution, and it makes the long-term access and preservation of files much easier. For governments with a broader responsibility to society than simply saving money, that should be a key consideration, even if it hasn't been in the past.... Another is transparency. Recently it emerged that Microsoft has been gathering personal information from 300,000 government users of Microsoft Office ProPlus in the Netherlands, without permission and without documentation.

He includes an inspiring quote from the Free Software Foundation Europe about code produced by the government: "If it is public money, it should be public code as well." But when it comes to the larger issue about the general usage of proprietary vs. non-proprietary software -- what do Slashdot's readers think?

Should all government IT systems be using open source software?
