Open Source

Linux Developer McHardy Drops GPLv2 'Shake Down' Case (zdnet.com) 53

Former Linux developer Patrick McHardy dropped his GNU General Public License version 2 (GPLv2) violation case against Geniatech in a German court this week. ZDNet explains why some consider this a big "win": People who find violations typically turn to organizations such as the Free Software Foundation, Software Freedom Conservancy (SFC), and the Software Freedom Law Center to approach violators. These organizations then try to convince violating companies to mend their ways and honor their GPLv2 legal requirements. Only as a last resort do they take companies to court to force them into compliance with the GPLv2. Patrick McHardy, however, after talking with SFC, dropped out from this diplomatic approach and has gone on his own way. Specifically, McHardy has been accused of seeking his own financial gain by approaching numerous companies in German courts. Geniatech claimed McHardy has sued companies for Linux GPLv2 violations in over 38 cases. In one, he'd requested a contractual penalty of €1.8 million. The company also claimed McHardy had already received over €2 million from his actions...

In July 2016, the Netfilter developers suspended him from the core team. They received numerous allegations that he had been shaking down companies. McHardy refused to discuss these issues with them, and he refused to sign off on the Principles of Community-Oriented GPL Enforcement. In October 2017, Greg Kroah-Hartman, Linux kernel maintainer for the stable branch, summed up the Linux kernel developers' position. Kroah-Hartman wrote: "McHardy has sought to enforce his copyright claims in secret and for large sums of money by threatening or engaging in litigation...."

Had McHardy continued on his way, companies would have been more reluctant to use Linux code in their products for fear that a single, unprincipled developer could sue them and demand payment for his copyrighted contributions... McHardy now has to bear all legal costs for both sides of the case. In other words, when McHardy was faced with serious and costly opposition for the first time, he waved a white flag rather than face near certain defeat in the courts.

Security

Google Exposes How Malicious Sites Can Exploit Microsoft Edge (zdnet.com) 51

Google's Project Zero team has published details of an unfixed bypass for an important exploit-mitigation technique in Edge. From a report: The mitigation, Arbitrary Code Guard (ACG), arrived in the Windows 10 Creators Update to help thwart web attacks that attempt to load malicious code into memory. The defense ensures that only properly signed code can be mapped into memory. However, as Microsoft explains, Just-in-Time (JIT) compilers used in modern web browsers create a problem for ACG. JIT compilers transform JavaScript into native code, some of which is unsigned and runs in a content process.

To ensure JIT compilers work with ACG enabled, Microsoft put Edge's JIT compiling in a separate process that runs in its own isolated sandbox. Microsoft said this move was "a non-trivial engineering task." "The JIT process is responsible for compiling JavaScript to native code and mapping it into the requesting content process. In this way, the content process itself is never allowed to directly map or modify its own JIT code pages," Microsoft says. Google's Project Zero found an issue is created by the way the JIT process writes executable data into the content process.

IOS

Apple's Software 'Problem' and 'Fixing' It (learningbyshipping.com) 99

According to media reports, Apple is planning to postpone some new features for iOS and macOS this year to focus on improving reliability, stability and performance of the existing versions. Steven Sinofsky, a former President of the Windows Division, shared his insights into the significance of this development: Several important points are conflated in the broad discussion about Apple and software: Quality, pace of change, features "versus" quality, and innovation. Scanning the landscape, it is important to recognize that in total the work Apple has been doing across hardware, software, services, and even AI/ML, in total -- is breathtaking and unprecedented in scope, scale, and quality. Few companies have done so much for so long with such a high level of consistency. This all goes back to the bet on the NeXT code base and move to Intel for Mac OS plus the iPod, which began the journey to where we are today.

[...] What is lost in all of this recent discussion is the nuance between features, schedule, and quality. It is like having a discussion with a financial advisor over income, risk, and growth. You don't just show up and say you want all three and get a "sure." On the other hand, this is precisely what Apple did so reliably over 20 years. But behind the scenes there is a constant discussion over balancing these three legs of the tripod. You have to have all of them but you "can't" but you have to. This is why they get paid big $.

[...] A massive project like an OS (+h/w +cloud) is like a large investment portfolio and some things will work (in market) and others won't, some things are designed to return right away, some are safe bets, some are long term investments. And some mistakes... Customers don't care about any of that and that's ok. They just look for what they care about. Each evaluates through their own lens. Apple's brilliance is in focusing mostly on two audiences -- end-users and developers -- tending to de-emphasize the whole "techie" crowd, even IT. When you look at a feature like FaceID and trace it backwards all the way to keychain -- see how much long term thought can go into a feature and how much good work can go unnoticed (or even "fail") for years before surfacing as a big advantage. That's a long term POV AND focus. This approach is rather unique compared to other tech companies that tend to develop new things almost independent of everything else. So new things show up and look bolted on the side of what already exists. (Sure Apple can do that too, but not usually). All the while things are being built the team is just a dev team and trying to come up with a reliable schedule and fix bugs. This is just software development.

Software

'Razer Doesn't Care About Linux' (gnome.org) 377

An anonymous reader shares a blog post: Razer is a vendor that makes high-end gaming hardware, including laptops, keyboards and mice. I opened a ticket with Razer a few days ago asking them if they wanted to support the LVFS project by uploading firmware and sharing the firmware update protocol used. I offered to upstream any example code they could share under a free license, or to write the code from scratch given enough specifications to do so. This is something I've done for other vendors, and doesn't take long as most vendor firmware updaters all do the same kind of thing; there are only so many ways to send a few kb of data to USB devices. The fwupd project provides high-level code for accessing USB devices, so yet-another-update-protocol is no big deal. I explained all about the LVFS, and the benefits it provided to a userbase that is normally happy to vote using their wallet to get hardware that's supported on the OS of their choice. I just received this note on the ticket, which was escalated appropriately: "I have discussed your offer with the dedicated team and we are thankful for your enthusiasm and for your good idea. I am afraid I have also to let you know that at this moment in time our support for software is only focused on Windows and Mac." The post, written by Richard -- who has long been a maintainer of GNOME Software, PackageKit, and GNOME PackageKit -- points out that Razer executive Min-Liang Tan last year invited Linux enthusiasts to suggest ideas to help the company make the best notebook that supports Linux.

Open Source

LKRG: A Loadable Linux Kernel Module for Runtime Integrity Checking (bleepingcomputer.com) 36

An anonymous reader quotes BleepingComputer: Members of the open source community are working on a new security-focused project for the Linux kernel. Named Linux Kernel Runtime Guard (LKRG), this is a loadable kernel module that will perform runtime integrity checking of the Linux kernel. Its purpose is to detect exploitation attempts for known security vulnerabilities against the Linux kernel and attempt to block attacks. LKRG will also detect privilege escalation for running processes, and kill the running process before the exploit code runs.

Since the project is in such early development, current versions of LKRG will only report kernel integrity violations via kernel messages, but a full exploit mitigation system will be deployed as the system matures... While LKRG will remain an open source project, LKRG maintainers also have plans for an LKRG Pro version that will include distro-specific LKRG builds and support for the detection of specific exploits, such as container escapes. The team plans to use the funds from LKRG Pro to fund the rest of the project.

The first public version of LKRG -- LKRG v0.0 -- is now live and available for download on this page. A wiki is also available here, and a Patreon page for supporting the project has also been set up. LKRG kernel modules are currently available for main Linux distros such as RHEL7, OpenVZ 7, Virtuozzo 7, and Ubuntu 16.04 to latest mainlines.

Crime

Investigators Crack DB Cooper Code, Identify Suspect With Possible CIA Connections (seattlepi.com) 133

An anonymous reader quotes the Seattle Post-Intelligencer: A private investigative team announced Thursday morning that members now believe D.B. Cooper was a black ops CIA operative possibly even involved with Iran-Contra, and that his identity has been actively hidden by government agents. The 40-member cold-case team comprised of several former FBI agents and led by Thomas and Dawna Colbert made its latest reveal after a code breaker working with the team found connections in each of five letters allegedly sent by Cooper in the days following the famed hijacking in 1971.

What's more, several people who knew Colbert's top suspect, a man named Robert W. Rackstraw, have noted possible connections to the CIA and to top-secret operations, Colbert said. "The new decryptions include a dare to agents, directives to apparent partners, and a startling claim that is followed by Rackstraw's own initials: If captured, he expects a get-out-of-jail card from a federal spy agency," Colbert said in a news release... In a brief phone call last year, Rackstraw only told SeattlePI to verify Colbert's claims; he didn't issue a denial, or comment further on Colbert's investigation...

Late last year, Colbert's team obtained a fifth letter allegedly sent by Cooper that Colbert said supports a possible FBI cover-up, but also included random letters and numbers. A code breaker on Colbert's team was able to decode the letters and numbers and find they pointed to three Army units Rackstraw was connected to during his military service in Vietnam. The code was meant to serve as a signal to his co-conspirators that he was alive and well after the jump, Colbert said... Another letter, in which Cooper claimed to be CIA openly, also had the letters "RWR" at the end -- the initials of Robert W. Rackstraw, according to Colbert.

Security

New Zero-Day Vulnerability Found In Adobe Flash Player (gbhackers.com) 87

GBHackers On Cyber Security and an anonymous Slashdot reader have shared a story about a new zero-day vulnerability found in Adobe's Flash Player. Bleeping Computer reports: South Korean authorities have issued a warning regarding a brand new Flash zero-day deployed in the wild. According to a security alert issued by the South Korean Computer Emergency Response Team (KR-CERT), the zero-day affects Flash Player installs 28.0.0.137 and earlier. Flash 28.0.0.137 is the current Flash version number.

"An attacker can persuade users to open Microsoft Office documents, web pages, spam e-mails, etc. that contain Flash files that distribute the malicious [Flash] code," KR-CERT said. The malicious code is believed to be a Flash SWF file embedded in MS Word documents. Simon Choi, a security researcher with Hauri Inc., a South Korean security firm, says the zero-day has been made and deployed by North Korean threat actors and used since mid-November 2017. Choi says attackers are trying to infect South Koreans researching North Korea.
Adobe said it plans to patch this zero-day on Monday, February 5.

Nintendo

Hackers Seem Close To Publicly Unlocking the Nintendo Switch (arstechnica.com) 91

Ars Technica reports that "hackers have been finding partial vulnerabilities in early versions of the [Nintendo] Switch firmware throughout 2017." They have discovered a Webkit flaw that allows for basic "user level" access to some portions of the underlying system and a service-level initialization flaw that gives hackers slightly more control over the Switch OS. "But the potential for running arbitrary homebrew code on the Switch really started looking promising late last month, with a talk at the 34th Chaos Communication Congress (34C3) in Leipzig, Germany," reports Ars. "In that talk, hackers Plutoo, Derrek, and Naehrwert outlined an intricate method for gaining kernel-level access and nearly full control of the Switch hardware." From the report: The full 45-minute talk is worth a watch for the technically inclined; it describes using the basic exploits discussed above as a wedge to dig deep into how the Switch works at the most basic level. At one point, the hackers sniff data coming through the Switch's memory bus to figure out the timing for an important security check. At another, they solder an FPGA onto the Switch's ARM chip and bit-bang their way to decoding the secret key that unlocks all of the Switch's encrypted system binaries. The team of Switch hackers even got an unexpected assist in its hacking efforts from chipmaker Nvidia. The "custom chip" inside the Switch is apparently so similar to an off-the-shelf Nvidia Tegra X1 that a $700 Jetson TX1 development kit let the hackers get significant insight into the Switch's innards. More than that, amid the thousands of pages of Nvidia's public documentation for the X1 is a section on how to "bypass the SMMU" (the System Memory Management Unit), which gave the hackers a viable method to copy and write a modified kernel to the Switch's system RAM. As Plutoo put it in the talk, "Nvidia backdoored themselves."

The Almighty Buck

Hackers Hijack DNS For Lumens Cryptocurrency Site 'BlackWallet', Steal $400,000 (bleepingcomputer.com) 95

An anonymous reader quotes BleepingComputer: Unknown hackers (or hacker) have hijacked the DNS server for BlackWallet.co, a web-based wallet application for the Stellar Lumen cryptocurrency (XLM), and have stolen over $400,000 from users' accounts. The attack happened late Saturday afternoon (UTC timezone), January 13, when the attackers hijacked the DNS entry of the BlackWallet.co domain and redirected it to their own server. "The DNS hijack of Blackwallet injected code," said Kevin Beaumont, a security researcher who analyzed the code before the BlackWallet team regained access over their domain and took down the site. "If you had over 20 Lumens it pushes them to a different wallet," Beaumont added...

According to Bleeping Computer's calculations, as of writing, the attacker collected 669,920 Lumens, which is about $400,192 at the current XLM/USD exchange rate. The BlackWallet team and other XLM owners have tried to warn users via alerts on Reddit, Twitter, GitHub, the Stellar Community and GalacticTalk forums, but to no avail, as users continued to log into the rogue BlackWallet.co domain, enter their credentials, and then see funds mysteriously vanish from their wallets.
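The hijack above worked because the domain's DNS answers changed under the operator's feet. One defensive control is to pin the expected A and NS records and compare every observed answer set against them. The block below is an added example written for this summary, not code from BleepingComputer or the BlackWallet project; the domain, addresses, nameserver names and monitor log lines are all constructed (RFC 5737 documentation addresses and `.example` names), and the function names are assumptions.

```python
"""Added example (not from the article or BlackWallet): compare observed DNS
answers for a domain against pinned values and flag any deviation, so a
hijacked A or NS record is noticed by the operator rather than by users."""
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Pinned zone contents the operator expects (constructed values).
EXPECTED: Dict[str, Dict[str, Set[str]]] = {
    "blackwallet.example": {
        "A": {"203.0.113.10"},
        "NS": {"ns1.hosting.example.", "ns2.hosting.example."},
    },
}

# Constructed monitor output, one "<iso time> <name> <rrtype> <value>" per line.
# The 16:30 snapshot models a hijack: a new A record and one replaced nameserver.
SAMPLE_LOG = """\
2018-01-13T15:00:00Z blackwallet.example A 203.0.113.10
2018-01-13T15:00:00Z blackwallet.example NS ns1.hosting.example.
2018-01-13T15:00:00Z blackwallet.example NS ns2.hosting.example.
2018-01-13T16:30:00Z blackwallet.example A 198.51.100.77
2018-01-13T16:30:00Z blackwallet.example NS ns1.attacker-hosting.example.
2018-01-13T16:30:00Z blackwallet.example NS ns2.hosting.example.
"""

Row = Tuple[datetime, str, str, str]


def parse_log(text: str) -> List[Row]:
    """Parse the monitor's log lines into (time, name, rrtype, value) rows."""
    rows: List[Row] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, name, rrtype, value = line.split()
        rows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), name, rrtype, value))
    return rows


def find_hijack_alerts(expected: Dict[str, Dict[str, Set[str]]], rows: List[Row]) -> List[dict]:
    """Group observations into complete answer sets per (time, name, rrtype)
    and report every set that differs from the pinned values. Both directions
    matter: an extra record points somewhere new, a missing one means a
    legitimate server was replaced."""
    grouped: Dict[Tuple[datetime, str, str], Set[str]] = {}
    for ts, name, rrtype, value in rows:
        grouped.setdefault((ts, name, rrtype), set()).add(value)
    alerts = []
    for (ts, name, rrtype), seen in sorted(grouped.items()):
        pinned = expected.get(name, {}).get(rrtype)
        if pinned is None:          # not a pinned record type for this name
            continue
        unexpected, missing = seen - pinned, pinned - seen
        if unexpected or missing:
            alerts.append({"time": ts.isoformat(), "name": name, "rrtype": rrtype,
                           "unexpected": sorted(unexpected), "missing": sorted(missing)})
    return alerts


if __name__ == "__main__":
    for alert in find_hijack_alerts(EXPECTED, parse_log(SAMPLE_LOG)):
        print(alert)
```

In practice the observations would come from several resolvers in different networks and from a direct query to the registrar's published nameservers, since a hijack at the registrar changes the NS delegation first; the comparison logic is the same.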

Programming

Erroneous 'Spam' Flag Affected 102 npm Packages (npmjs.org) 84

There was some trouble last weekend at the world's largest package repository. An anonymous reader quotes the official npm blog: On Saturday, January 6, 2018, we incorrectly removed the user floatdrop and blocked the discovery and download of all 102 of their packages on the public npm Registry. Some of those packages were highly depended on, such as require-from-string, and removal disrupted many users' installations... Within 60 seconds, it became clear that floatdrop was not a spammer -- and that their packages were in heavy use in the npm ecosystem. The staffer notified colleagues and we re-activated the user and began restoring the packages to circulation immediately. Most of the packages were restored quickly, because the restoration was a matter of unsetting the deleted tombstones in our database, while also restoring package data tarballs and package metadata documents. However, during the time between discovery and restoration, other npm users published a number of new packages that used the names of deleted packages. We locked this down once we discovered it, but cleaning up the overpublished packages and inspecting their contents took additional time...

In cases where the npm staff accepts a user's request to delete a package, we publish a replacement package by the same name -- a security placeholder. This both alerts those who had depended on it that the original package is no longer available and prevents others from publishing new code using that package name. At the time of Saturday's incident, however, we did not have a policy to publish placeholders for packages that were deleted if they were spam. This made it possible for other users to publish new versions of eleven of the removed packages. After a thorough examination of the replacement packages' contents, we have confirmed that none was malicious or harmful. Ten were exact replacements of the code that had just been removed, while the eleventh contained strings of text from the Bible -- and its publisher immediately contacted npm to advise us of its publication.

They're now implementing a 24-hour cooldown on republication of any deleted package names -- and are also updating their review process. "As a general rule, the npm Registry is and ought to be immutable, just like other package registries such as RubyGems and crates.io... However, there are legitimate cases for removing a package once it has been published. In a typical week, most of the npm support team's work is devoted to handling user requests for package deletion, which is more common than you might expect. Many people publish test packages then ask to have them deprecated or deleted. There also is a steady flow of requests to remove packages that contain private code that users have published inadvertently or inappropriately."

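To make the two policies in the post concrete, here is an added example written for this summary, not npm's code: a toy registry that models deletion tombstones, the security placeholder published on deletion, and the 24-hour republication cooldown. The class, method and user names (`Registry`, `republish_outcome`, `other-user`) are assumptions; the package name and the owner `floatdrop` come from the post.

```python
"""Added example, not npm's code: a toy registry modelling the deletion
handling described in the post. It shows why a deleted name could be taken
over immediately when no placeholder was published, and how a placeholder
or a 24-hour cooldown closes that window."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional


@dataclass
class Package:
    name: str
    owner: str
    tarball: bytes
    placeholder: bool = False   # the security placeholder, owned by the registry


@dataclass
class Registry:
    placeholder_on_delete: bool = True
    cooldown: Optional[timedelta] = timedelta(hours=24)
    packages: Dict[str, Package] = field(default_factory=dict)
    tombstones: Dict[str, datetime] = field(default_factory=dict)  # name -> deletion time

    def publish(self, name: str, owner: str, tarball: bytes, now: datetime) -> str:
        current = self.packages.get(name)
        if current is not None:
            if current.placeholder:
                return "rejected: security placeholder holds the name"
            if current.owner != owner:
                return "rejected: name belongs to another user"
        deleted_at = self.tombstones.get(name)
        if (self.cooldown is not None and deleted_at is not None
                and now - deleted_at < self.cooldown):
            return "rejected: name in post-deletion cooldown"
        self.packages[name] = Package(name, owner, tarball)
        self.tombstones.pop(name, None)
        return "published"

    def delete(self, name: str, now: datetime) -> None:
        self.packages.pop(name)
        self.tombstones[name] = now     # tombstone: data kept, package hidden
        if self.placeholder_on_delete:
            self.packages[name] = Package(name, "registry", b"", placeholder=True)

    def restore(self, name: str, owner: str, tarball: bytes) -> None:
        """Undo a deletion: unset the tombstone and put the original data back."""
        self.tombstones.pop(name, None)
        self.packages[name] = Package(name, owner, tarball)


T0 = datetime(2018, 1, 6, 12, 0)   # constructed time of the erroneous removal
FIVE_MINUTES = timedelta(minutes=5)
ONE_DAY = timedelta(hours=24)
DAY_AND_HOUR = timedelta(hours=25)


def republish_outcome(placeholder_on_delete: bool, cooldown: Optional[timedelta],
                      delay: timedelta) -> str:
    """Delete a heavily used package at T0, then let another user try to
    publish the same name `delay` later; return the registry's decision."""
    reg = Registry(placeholder_on_delete=placeholder_on_delete, cooldown=cooldown)
    reg.publish("require-from-string", "floatdrop", b"original code", T0)
    reg.delete("require-from-string", T0)
    return reg.publish("require-from-string", "other-user", b"lookalike", T0 + delay)


def restore_recovers_original() -> bool:
    """After a restore, installs resolve to the original owner's tarball again."""
    reg = Registry(placeholder_on_delete=False, cooldown=None)
    reg.publish("require-from-string", "floatdrop", b"original code", T0)
    reg.delete("require-from-string", T0)
    reg.restore("require-from-string", "floatdrop", b"original code")
    pkg = reg.packages["require-from-string"]
    return pkg.owner == "floatdrop" and pkg.tarball == b"original code" and not reg.tombstones


if __name__ == "__main__":
    print(republish_outcome(False, None, FIVE_MINUTES))      # the incident: name taken over
    print(republish_outcome(True, None, FIVE_MINUTES))       # placeholder blocks it
    print(republish_outcome(False, ONE_DAY, FIVE_MINUTES))   # cooldown blocks it
    print(republish_outcome(False, ONE_DAY, DAY_AND_HOUR))   # cooldown has expired
```

The first call reproduces the incident's policy gap (spam deletions got no placeholder), the next two show either control closing the window, and the last shows that a cooldown alone only delays a takeover, which is why the placeholder matters for names that are never meant to return.
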
Earth

Ancient DNA Reveals a Completely Unknown Population of Native Americans (sciencealert.com) 111

schwit1 shares the findings of a new study of 11,500-year-old bones: Sunrise girl-child ("Xach'itee'aanenh T'eede Gaay") lived some 11,500 years ago in what is now called Alaska, and her ancient DNA reveals not only the origins of Native American society, but reminds the world of a whole population of people forgotten by history millennia ago. "We didn't know this population existed," says anthropologist Ben Potter from the University of Alaska Fairbanks. "It would be difficult to overstate the importance of this newly revealed people to our understanding of how ancient populations came to inhabit the Americas." In a new study published this week, the team reports that a genetic analysis of sunrise girl-child's DNA shows she belonged to a forgotten people called the Ancient Beringians, unknown to science until now. Before now, there were only two recognized branches of early Native Americans (referred to as Northern and Southern). But when the researchers sequenced sunrise girl-child's genome -- the earliest complete genetic profile of a New World human to date -- to their surprise it matched neither.

Given the nature of this field of research -- and the scope of the new findings -- it's unlikely the new hypotheses will remain uncontested for long. But in the light of all the new evidence researchers are uncovering, it's clear the first settlers of America carried a more diverse lineage than we ever realized. "[This is] the first direct evidence of the initial founding Native American population," Potter says. "It is markedly more complex than we thought." The findings are reported in the journal Nature.

Programming

Which Programming Languages Are Most Prone to Bugs? (i-programmer.info) 247

An anonymous reader writes: The i-Programmer site revisits one of its top stories of 2017, about researchers who used data from GitHub for a large-scale empirical investigation into static typing versus dynamic typing. The team investigated 20 programming languages, using GitHub code repositories for the top 50 projects written in each language, examining 18 years of code involving 29,000 different developers, 1.57 million commits, and 564,625 bug fixes.

The results? "The languages with the strongest positive coefficients -- meaning associated with a greater number of defect fixes -- are C++, C, and Objective-C, also PHP and Python. On the other hand, Clojure, Haskell, Ruby and Scala all have significant negative coefficients implying that these languages are less likely than average to result in defect fixing commits."

Or, in the researcher's words, "Language design does have a significant, but modest effect on software quality. Most notably, it does appear that disallowing type confusion is modestly better than allowing it, and among functional languages static typing is also somewhat better than dynamic typing."

Open Source

Could We Reduce Data Breaches With Better Open Source Funding? (marketwatch.com) 60

The CEO of Wireline -- a cloud application marketplace and serverless architecture platform -- is pushing for an open source development fund to help sustain projects, funded by an initial coin offering. "Developers like me know that there are a lot of weak spots in the modern internet," he writes on MarketWatch, suggesting more Equifax-sized data breaches may lie in our future. In fact, many companies are not fully aware of all of the software components they are using from the open-source community. And vulnerabilities can be left open for years, giving hackers opportunities to do their worst. Take, for instance, the Heartbleed bug of 2014... Among the known hacks: 4.5 million health-care records were compromised, 900 Canadians' social insurance numbers were stolen. It was deemed "catastrophic." And yet many servers today -- two years later! -- still carry the vulnerability, leaving whole caches of personal data exposed...

[T]hose of us who are on the back end, stitching away, often feel a sense of dread. For instance, did you know that much of the software that underpins the entire cloud ecosystem is written by developers who are essentially volunteers? And that the open-source software that underpins 70% of corporate America is vastly underfunded? The Heartbleed bug, for instance, was created by an error in some code submitted in 2011 to a core developer on the team that maintained OpenSSL at the time. The team was made up of only one full-time developer and three other part-timers. Many of us are less surprised that a bug had gotten through than that it doesn't happen more often.

The article argues that "the most successful open-source initiatives have corporate sponsors or an umbrella foundation (such as the Apache and Linux foundations). Yet we still have a lot of very deeply underfunded open-source projects creating a lot of the underpinnings of the enterprise cloud."

Operating Systems

Apple To Release Lisa OS For Free As Open Source In 2018 (iphoneincanada.ca) 95

New submitter Jose Deras writes: Nearly 35 years ago, Apple released its first computer with a graphical user interface, called the Lisa. Starting next year, the Computer History Museum will release the Apple Lisa OS for free as an open-source project. According to a new report from Business Insider, the Computer History Museum will release the code behind the Apple Lisa operating system for free as open source, for anyone to try and tinker with. The news was announced via the LisaList mailing list for Lisa enthusiasts.

"While Steve Jobs didn't create the Lisa, he was instrumental in its development. It was Jobs who convinced the legendary Xerox PARC lab to let the Apple Lisa team visit and play with its prototypes for graphical user interfaces," reads the report. "And while Apple at the time said that Lisa stood for 'Local Integrated System Architecture,' Jobs would later claim to biographer Walter Isaacson that the machine was actually named for his oldest daughter, Lisa Nicole Brennan-Jobs." "Then-Apple CEO John Sculley had Jobs removed from the Lisa project, which kicked off years-long animosity between the two," continues the report. "Ultimately, a boardroom brawl would result in Jobs quitting in a huff to start his own company, NeXT Computer. Apple would go on to buy NeXT in 1996, bringing Jobs back into the fold. By 1997, Jobs had become CEO of Apple, leading the company to its present status as the most valuable in the world."

Education

How Harvard Teaches CS Students How To Code (kqed.org) 138

Harvard computer science professor David J. Malan "is pretty amazing!" says long-time education-watcher theodp. And he's sharing a link to the online version of Malan's famous CS50 class, "if you can't pony up the estimated $63,025-a-year sticker price to take 'the quintessential Harvard (and Yale!) course' on campus."

KQED's education site "MindShift" reports: Malan's class attracts students who have never taken computer science before, as well as kids who have been coding a long time. His goal with this diverse group of learners is to create a community that's equal and collaborative. One way he does this is by asking students to self-identify by comfort level. Those groups become different section levels, and they sometimes get different homework, but harder assignments are not worth more credit. Malan said recently that the "less comfortable" group has dominated his 700-person course. "At the end of the day all students are treated with the same expectations," said Malan, speaking at the Building Learning Communities conference in Boston.

Students are graded based on each individual's growth; Malan and his team of teaching assistants don't use absolute measures when assigning grades. Instead, they look at scope, how hard the student tried, correctness, how right the work was, style, how aesthetic the code is, and design, which is the most subjective. When it's time to assign grades, Malan and his teaching fellows have lots of in-depth conversations about how each student has improved relative to where he or she started...

The course includes a tool that rewrites error messages to make them easier to understand, plus a code-checking tool which they're planning to open source. There's also a cloud-based IDE which "allows students to access their code from multiple locations," though students can also submit their code through GitHub. (The original submission complains that Harvard's students are "coddled.") But Malan says the class works partly because there's an intentionally social aspect to it -- including numerous teaching assistants holding office hours in public spaces and "the human structure within the course." Guest lecturers have even included Mark Zuckerberg and Steve Ballmer.

But all these technical details don't really capture the wild flavor of the course and all of its multimedia bells and whistles. Malan's fast-paced lectures often close with relevant clips from movies -- for example, a lecture on cryptography which ended with video from a movie you'd see "if you turn on your TV on December 24th."

Mozilla

Rust Blog Touts 'What We Achieved' in 2017 (rust-lang.org) 153

An anonymous reader quotes the official Rust blog: Rust's development in 2017 fit into a single overarching theme: increasing productivity, especially for newcomers to Rust. From tooling to libraries to documentation to the core language, we wanted to make it easier to get things done with Rust. That desire led to a roadmap for the year, setting out 8 high-level objectives that would guide the work of the team. How'd we do? Really, really well.

Aaron Turon, part of the core developer team for Rust, wrote the blog post, and specifically touts this year's progress on lowering the learning curve with books and curriculum, as well as actual improvements in the language and a faster edit-compile-debug cycle. He also notes new support for Rust in IntelliJ and Atom (as well as preview versions for Visual Studio and Visual Studio Code) in 2017 -- and most importantly, mentoring. "I'd like to specifically call out the leaders and mentors who have helped orchestrate our 2017 work. Leadership of this kind -- where you are working to enable others -- is hard work and not recognized enough. So let's hand it to these folks...! Technical leaders are an essential ingredient for our success, and I hope in 2018 we can continue to grow our leadership pool, and get even more done -- together."

China

Chinese Backdoor Still Active on Many Android Devices (bleepingcomputer.com) 30

Catalin Cimpanu, writing for BleepingComputer: Many Android users may still have a backdoor on their device, according to new revelations made today by the Malwarebytes' mobile security research team. Their discovery is related to the Adups case from last year. Back in mid-November 2016, US cyber-security firm Kryptowire revealed it discovered that firmware code created by a Chinese company called Adups was collecting vast amounts of user information and sending it to servers located in China. According to Kryptowire, the backdoor code was collecting SMS messages, call history, address books, app lists, phone hardware identifiers, but it was also capable of installing new apps or updating existing ones. The backdoor was hidden inside a built-in and unremovable app named com.adups.fota, the component responsible for the phone's firmware-over-the-air update (FOTA) system.

DRM

Why Linux HDCP Isn't the End of the World (collabora.com) 136

"There is no reason for the open-source community to worry..." writes Daniel Stone, who heads the graphics team at open-source consultancy Collabora. mfilion quotes Collabora.com: Recently, Sean Paul from Google's ChromeOS team submitted a patch series to enable HDCP support for the Intel display driver. HDCP is used to encrypt content over HDMI and DisplayPort links, which can only be decoded by trusted devices... However, if you already run your own code on a free device, HDCP is an irrelevance and does not reduce freedom in any way....

HDCP support is implemented almost entirely in the hardware. Rather than adding a mandatory encryption layer for content, the HDCP kernel support is dormant unless userspace explicitly requests an encrypted link. It then attempts to enable encryption in the hardware and informs userspace of the result. So there's the first out: if you don't want to use HDCP, then don't enable it! The kernel doesn't force anything on an unwilling userspace.... HDCP is only downstream facing: it allows your computer to trust that the device it has been plugged into is trusted by the HDCP certification authority, and nothing more. It does not reduce user freedom, or impose any additional limitations on device usage.

Security

Old Crypto Vulnerability Hits Major Tech Firms (securityweek.com) 32

wiredmikey writes: A team of researchers has revived an old crypto vulnerability and determined that it affects the products of several major vendors and a significant number of the world's top websites. The attack/exploit method against a Transport Layer Security (TLS) vulnerability now has a name, a logo and a website. It has been dubbed ROBOT (Return Of Bleichenbacher's Oracle Threat) and, as the name suggests, it's related to an attack method discovered by Daniel Bleichenbacher back in 1998. ROBOT allows an attacker to obtain the RSA key necessary to decrypt TLS traffic under certain conditions. While proof-of-concept (PoC) code will only be made available after affected organizations have had a chance to patch their systems, the researchers have published some additional details. Researchers have made available an online tool that can be used to test public HTTPS servers. An analysis showed that at least 27 of the top 100 Alexa websites, including Facebook and PayPal, were affected.

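The "oracle" in Bleichenbacher's name refers to a server that lets a remote party learn whether an RSA-decrypted block had valid PKCS#1 v1.5 padding, typically by answering differently. The block below is an added example written for this summary, not the ROBOT researchers' code or any vendor's: a toy RSA key and PKCS#1 v1.5 wrapper showing, side by side, a server that leaks that distinction and the mitigation TLS specifies (RFC 5246 section 7.4.7.1: never report the padding failure, substitute a random secret and let the handshake fail later). The key sizes, the 16-byte stand-in for the premaster secret and all function names are assumptions; the modulus is built from two Mersenne primes so the block runs offline in pure Python (3.8 or later, for `pow(e, -1, phi)`).

```python
"""Added example, not the researchers' or any vendor's code: why distinct
error handling on PKCS#1 v1.5 decryption is an oracle, and the standard
way to remove it. Toy RSA parameters, far too small for real use."""
import secrets

P = (1 << 107) - 1          # Mersenne prime M107 (constructed toy key)
Q = (1 << 127) - 1          # Mersenne prime M127
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8   # modulus length in bytes (30)
SECRET_LEN = 16                 # stand-in for the 48-byte TLS premaster secret


def pkcs1_v15_pad(msg: bytes) -> bytes:
    """EM = 0x00 || 0x02 || PS (non-zero bytes, at least 8) || 0x00 || msg."""
    ps_len = K - 3 - len(msg)
    if ps_len < 8:
        raise ValueError("message too long for modulus")
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(ps_len))
    return b"\x00\x02" + ps + b"\x00" + msg


def rsa_encrypt_block(em: bytes) -> int:
    return pow(int.from_bytes(em, "big"), E, N)


def rsa_decrypt_block(c: int) -> bytes:
    return pow(c, D, N).to_bytes(K, "big")


def strip_padding(em: bytes):
    """Return the embedded message, or None when the PKCS#1 v1.5 structure is wrong."""
    if em[0] != 0x00 or em[1] != 0x02:
        return None
    sep = em.find(b"\x00", 2)
    if sep < 10:                # separator missing, or PS shorter than 8 bytes
        return None
    return em[sep + 1:]


def vulnerable_unwrap(c: int) -> bytes:
    """Server that reports padding failures distinctly. Each error answer tells
    the sender whether the decrypted block was PKCS#1-conformant, which is the
    one bit Bleichenbacher's method needs per query."""
    msg = strip_padding(rsa_decrypt_block(c))
    if msg is None or len(msg) != SECRET_LEN:
        raise ValueError("decryption error")
    return msg


def hardened_unwrap(c: int) -> bytes:
    """Mitigation from RFC 5246 section 7.4.7.1: never signal a padding failure;
    use a random secret instead, so the handshake fails later in the Finished
    check exactly as it would for any wrong premaster secret."""
    fallback = secrets.token_bytes(SECRET_LEN)   # drawn before decrypting
    msg = strip_padding(rsa_decrypt_block(c))
    if msg is None or len(msg) != SECRET_LEN:
        return fallback
    return msg


def observable_outcome(unwrap, c: int) -> str:
    """What a remote sender can see: an error, or 'continues' (a secret was produced)."""
    try:
        unwrap(c)
        return "continues"
    except ValueError:
        return "error"


def demo() -> dict:
    secret = bytes(range(SECRET_LEN))
    good = rsa_encrypt_block(pkcs1_v15_pad(secret))
    # A block with the wrong type byte (0x01 instead of 0x02), encrypted to the same key.
    bad = rsa_encrypt_block(b"\x00\x01" + b"\xff" * (K - 3) + b"\x00")
    return {
        "vulnerable": (observable_outcome(vulnerable_unwrap, good),
                       observable_outcome(vulnerable_unwrap, bad)),
        "hardened": (observable_outcome(hardened_unwrap, good),
                     observable_outcome(hardened_unwrap, bad)),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable server answers the well-formed and malformed ciphertexts differently; the hardened one answers both the same way. Real implementations also have to make the two paths indistinguishable in timing and in every later alert, which is the part ROBOT found many vendors had got wrong in different ways, so a server-side test against a public checker such as the one the researchers published is the practical verification.
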
Programming

More Than Half of GitHub Is Duplicate Code, Researchers Find (theregister.co.uk) 115

Richard Chirgwin, writing for The Register: Given that code sharing is a big part of the GitHub mission, it should come as no surprise that the platform stores a lot of duplicated code: 70 per cent, a study has found. An international team of eight researchers didn't set out to measure GitHub duplication. Their original aim was to try and define the "granularity" of copying -- that is, how much files changed between different clones -- but along the way, they turned up a "staggering rate of file-level duplication" that made them change direction. Presented at this year's OOPSLA (part of the Association for Computing Machinery's late-October SPLASH conference in Vancouver), the University of California at Irvine-led research found that out of 428 million files on GitHub, only 85 million are unique. Before readers say "so what?", the reason for this study was to improve other researchers' work. Anybody studying software using GitHub probably seeks random samples, and the authors of this study argued duplication needs to be taken into account.
