Security

Apple Claims 'Most Significant Upgrade to Memory Safety' in OS History (apple.com)

"There has never been a successful, widespread malware attack against iPhone," notes Apple's security blog, pointing out that "The only system-level iOS attacks we observe in the wild come from mercenary spyware... historically associated with state actors and [using] exploit chains that cost millions of dollars..."

But they're doing something about it — this week announcing a new always-on memory-safety protection in the iPhone 17 lineup and iPhone Air (including the kernel and over 70 userland processes)... Known mercenary spyware chains used against iOS share a common denominator with those targeting Windows and Android: they exploit memory safety vulnerabilities, which are interchangeable, powerful, and exist throughout the industry... For Apple, improving memory safety is a broad effort that includes developing with safe languages and deploying mitigations at scale...

Our analysis found that, when employed as a real-time defensive measure, the original Arm Memory Tagging Extension (MTE) release exhibited weaknesses that were unacceptable to us, and we worked with Arm to address these shortcomings in the new Enhanced Memory Tagging Extension (EMTE) specification, released in 2022. More importantly, our analysis showed that while EMTE had great potential as specified, a rigorous implementation with deep hardware and operating system support could be a breakthrough that produces an extraordinary new security mechanism.... Ultimately, we determined that to deliver truly best-in-class memory safety, we would carry out a massive engineering effort spanning all of Apple — including updates to Apple silicon, our operating systems, and our software frameworks. This effort, together with our highly successful secure memory allocator work, would transform MTE from a helpful debugging tool into a groundbreaking new security feature.

Today we're introducing the culmination of this effort: Memory Integrity Enforcement (MIE), our comprehensive memory safety defense for Apple platforms. Memory Integrity Enforcement is built on the robust foundation provided by our secure memory allocators, coupled with Enhanced Memory Tagging Extension (EMTE) in synchronous mode, and supported by extensive Tag Confidentiality Enforcement policies. MIE is built right into Apple hardware and software in all models of iPhone 17 and iPhone Air and offers unparalleled, always-on memory safety protection for our key attack surfaces including the kernel, while maintaining the power and performance that users expect. In addition, we're making EMTE available to all Apple developers in Xcode as part of the new Enhanced Security feature that we released earlier this year during WWDC...

Based on our evaluations pitting Memory Integrity Enforcement against exceptionally sophisticated mercenary spyware attacks from the last three years, we believe MIE will make exploit chains significantly more expensive and difficult to develop and maintain, disrupt many of the most effective exploitation techniques from the last 25 years, and completely redefine the landscape of memory safety for Apple products. Because of how dramatically it reduces an attacker's ability to exploit memory corruption vulnerabilities on our devices, we believe Memory Integrity Enforcement represents the most significant upgrade to memory safety in the history of consumer operating systems.
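To make the mechanism behind EMTE concrete, here is a small constructed model of memory tagging in Python (added here for illustration; it is not Apple's or Arm's code and executes no real tagging instructions). It models 16-byte granules each carrying a 4-bit allocation tag, pointers carrying a matching tag in their top byte, a synchronous check on every load and store, and retagging on free; it also shows the one case tagging cannot see, an overflow that stays inside the allocation's last granule.

```python
"""Constructed model of MTE-style memory tagging: tagged granules, tagged pointers,
synchronous tag checks. Not Apple's or Arm's code; no real hardware instructions."""
import secrets

GRANULE = 16                      # MTE tags memory in 16-byte granules
TAG_BITS = 4                      # 4-bit tags: 16 possible values
TAG_SHIFT = 56                    # the tag is stored in the pointer's top byte
ADDR_MASK = (1 << TAG_SHIFT) - 1


class TagMismatch(Exception):
    """Synchronous mode: the offending load/store traps at the faulting instruction."""


class TaggedHeap:
    """Bump allocator over a byte array with a shadow tag per granule (toy model)."""

    def __init__(self, size=512):
        self.mem = bytearray(size)
        self.tags = [0] * (size // GRANULE)   # tag 0 = not allocated
        self.sizes = {}                        # base address -> allocated bytes
        self.next_free = 0

    def _fresh_tag(self, exclude):
        # Tags are chosen unpredictably and never equal to an adjacent or stale tag,
        # so a one-byte linear overflow or a dangling pointer always mismatches.
        return secrets.choice([t for t in range(1, 1 << TAG_BITS) if t not in exclude])

    def _set_tags(self, addr, size, tag):
        for g in range(addr // GRANULE, (addr + size) // GRANULE):
            self.tags[g] = tag

    def malloc(self, n):
        size = -(-n // GRANULE) * GRANULE      # round up to whole granules
        addr = self.next_free
        if addr + size > len(self.mem):
            raise MemoryError("toy heap exhausted")
        g_first, g_end = addr // GRANULE, (addr + size) // GRANULE
        neighbours = set()
        if g_first > 0:
            neighbours.add(self.tags[g_first - 1])
        if g_end < len(self.tags):
            neighbours.add(self.tags[g_end])
        tag = self._fresh_tag(neighbours)
        self._set_tags(addr, size, tag)
        self.sizes[addr] = size
        self.next_free = addr + size
        return (tag << TAG_SHIFT) | addr        # tagged pointer

    def _check(self, ptr, n, op):
        tag, addr = ptr >> TAG_SHIFT, ptr & ADDR_MASK
        for a in range(addr, addr + n):
            mem_tag = self.tags[a // GRANULE]
            if mem_tag != tag:
                raise TagMismatch(f"{op} at {a:#x}: pointer tag {tag} != memory tag {mem_tag}")
        return addr

    def load(self, ptr, n):
        addr = self._check(ptr, n, "load")
        return bytes(self.mem[addr:addr + n])

    def store(self, ptr, data):
        addr = self._check(ptr, len(data), "store")
        self.mem[addr:addr + len(data)] = data

    def free(self, ptr):
        tag, addr = ptr >> TAG_SHIFT, ptr & ADDR_MASK
        size = self.sizes.pop(addr, None)
        if size is None or self.tags[addr // GRANULE] != tag:
            raise TagMismatch(f"free of {ptr:#x}: not a live allocation with this tag")
        # Retag on free: every stale copy of the old pointer now mismatches.
        self._set_tags(addr, size, self._fresh_tag({tag}))


def _caught(fn):
    try:
        fn()
    except TagMismatch:
        return "detected"
    return "missed"


def use_after_free():
    heap = TaggedHeap()
    p = heap.malloc(32)
    heap.store(p, b"session-token")
    heap.free(p)
    return _caught(lambda: heap.load(p, 13))          # caught: free() retagged the granules


def linear_overflow():
    heap = TaggedHeap()
    a = heap.malloc(16)
    heap.malloc(16)                                    # adjacent block, different tag
    return _caught(lambda: heap.store(a + 16, b"X"))   # one byte into the neighbour: caught


def intra_granule_overflow():
    heap = TaggedHeap()
    a = heap.malloc(20)                                # rounds up to 32: bytes 20..31 share a's tag
    return _caught(lambda: heap.store(a + 20, b"X"))   # caveat: inside the granule, not caught
```

The last case is why the secure allocator matters alongside the tag check: layout decides how much slack a granule leaves past the requested size.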

Programming

Rust's Annual Tech Report: Trusted Publishing for Packages and a C++/Rust Interop Strategy (rustfoundation.org)

Thursday saw the release of Rust 1.89.0. But this week the Rust Foundation also released its second comprehensive annual technology report.

A Rust Foundation announcement shares some highlights:

- Trusted Publishing [GitHub Actions authentication using cryptographically signed tokens] fully launched on crates.io, enhancing supply chain security and streamlining workflows for maintainers.

- Major progress on crate signing infrastructure using The Update Framework (TUF), including three full repository implementations and stakeholder consensus.

- Integration of the Ferrocene Language Specification (FLS) into the Rust Project, marking a critical step toward a formal Rust language specification [and "laying the groundwork for broader safety certification and formal tooling."]

- 75% reduction in CI infrastructure costs while maintaining contributor workflow stability. ["All Rust repositories are now managed through Infrastructure-as-Code, improving maintainability and security."]

- Expansion of the Safety-Critical Rust Consortium, with multiple international meetings and advances on coding guidelines aligned with safety standards like MISRA. ["The consortium is developing practical coding guidelines, aligned tooling, and reference materials to support regulated industries — including automotive, aerospace, and medical devices — adopting Rust."]

- Direct engagement with ISO C++ standards bodies and collaborative Rust-C++ exploration... The Foundation finalized its strategic roadmap, participated in ISO WG21 meetings, and initiated cross-language tooling and documentation planning. These efforts aim to unlock Rust adoption across legacy C++ environments without sacrificing safety.

The Rust Foundation also acknowledges continued funding from OpenSSF's Alpha-Omega Project and "generous infrastructure donations from organizations like AWS, GitHub, and Mullvad VPN" to the Foundation's Security Initiative, which enabled advances like adding GitHub Secret Scanning and automated incident response to "Trusted Publishing" and integrating vulnerability-surfacing capabilities into crates.io.

There was another announcement this week. In November AWS and the Rust Foundation crowdsourced "an effort to verify the Rust standard library" — and it's now resulted in a new formal verification tool called "Efficient SMT-based Context-Bounded Model Checker" (or ESBMC): This winning contribution adds ESBMC — a state-of-the-art bounded model checker — to the suite of tools used to analyze and verify Rust's standard library. By integrating through Goto-Transcoder, they enabled ESBMC to operate seamlessly in the Rust verification workflow, significantly expanding the scope and flexibility of verification efforts...

This achievement builds on years of ongoing collaboration across the Rust and formal verification communities... The collaboration has since expanded. In addition to verifying the Rust standard library, the team is exploring the use of formal methods to validate automated C-to-Rust translations, with support from AWS. This direction, highlighted by AWS Senior Principal Scientist Baris Coskun and celebrated by the ESBMC team in a recent LinkedIn post, represents an exciting new frontier for Rust safety and verification tooling.

PlayStation (Games)

Engineer Creates First Custom Motherboard For 1990s PlayStation Console (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Last week, electronics engineer Lorentio Brodesco announced the completion of a mock-up for nsOne, reportedly the first custom PlayStation 1 motherboard created outside of Sony in the console's 30-year history. The fully functional board accepts original PlayStation 1 chips and fits directly into the original console case, marking a milestone in reverse-engineering for the classic console released in 1994. Brodesco's motherboard isn't an emulator or FPGA-based re-creation -- it's a genuine circuit board designed to work with authentic PlayStation 1 components, including the CPU, GPU, SPU, RAM, oscillators, and voltage regulators. The board represents over a year of reverse-engineering work that began in March 2024 when Brodesco discovered incomplete documentation while repairing a PlayStation 1.

"This isn't an emulator. It's not an FPGA. It's not a modern replica," Brodesco wrote in a Reddit post about the project. "It's a real motherboard, compatible with the original PS1 chips." It's a desirable project for some PS1 enthusiasts because a custom motherboard could allow owners of broken consoles to revive their systems by transplanting original chips from damaged boards onto new, functional ones. With original PS1 motherboards becoming increasingly prone to failure after three decades, replacement boards could extend the lifespan of these classic consoles without resorting to emulation.

The nsOne project -- short for "Not Sony's One" -- uses a hybrid design based on the PU-23 series motherboards found in SCPH-900X PlayStation models but reintroduces the parallel port that Sony had removed from later revisions. Brodesco upgraded the original two-layer PCB design to a four-layer board while maintaining the same form factor. [...] As Brodesco noted on Kickstarter, his project's goal is to "create comprehensive documentation, design files, and production-ready blueprints for manufacturing fully functional motherboards." Beyond repairs, the documentation and design files Brodesco is creating would preserve the PlayStation 1's hardware architecture for future generations: "It's a tribute to the PS1, to retro hardware, and to the belief that one person really can build the impossible."

Programming

AWS Quietly Scales Back Some DevOps Services (devclass.com)

AWS has quietly halted new customer onboarding for several of its services, including the once-touted CodeCommit source code repository and Cloud9 cloud IDE, signaling a potential retreat from its comprehensive DevOps offering.

The stealth deprecation, discovered by users encountering unexpected errors, has sent ripples through the AWS community, with many expressing frustration over the lack of formal announcements and the continued presence of outdated documentation. AWS VP Jeff Barr belatedly confirmed the decision on social media, listing affected services such as S3 Select, CloudSearch, SimpleDB, Forecast, and Data Pipeline.

Software

Study Finds 268% Higher Failure Rates For Agile Software Projects (theregister.com)

Richard Speed reports via The Register: A study has found that software projects adopting Agile practices are 268 percent more likely to fail than those that do not. Even though the research commissioned by consultancy Engprax could be seen as a thinly veiled plug for Impact Engineering methodology, it feeds into the suspicion that the Agile Manifesto might not be all it's cracked up to be. The study's fieldwork was conducted between May 3 and May 7 with 600 software engineers (250 in the UK and 350 in the US) participating. One standout statistic was that projects with clear requirements documented before development started were 97 percent more likely to succeed. In comparison, one of the four pillars of the Agile Manifesto is "Working Software over Comprehensive Documentation."

According to the study, putting a specification in place before development begins can result in a 50 percent increase in success, and making sure the requirements are accurate to the real-world problem can lead to a 57 percent increase. Dr Junade Ali, author of Impact Engineering, said: "With 65 percent of projects adopting Agile practices failing to be delivered on time, it's time to question Agile's cult following. "Our research has shown that what matters when it comes to delivering high-quality software on time and within budget is a robust requirements engineering process and having the psychological safety to discuss and solve problems when they emerge, whilst taking steps to prevent developer burnout." [...] Projects where engineers felt they had the freedom to discuss and address problems were 87 percent more likely to succeed. Worryingly, workers in the UK were 13 percent less likely to feel they could discuss problems than those in the US, according to the study.

Open Source

Rust, Python, Apache Foundations and Others Announce Big Collaboration on Cybersecurity Process Specifications (eclipse-foundation.blog)

The foundations behind Rust, Python, Apache, Eclipse, PHP, OpenSSL, and Blender announced plans to create "common specifications for secure software development," based on "existing open source best practices."

From the Eclipse Foundation: This collaborative effort will be hosted at the Brussels-based Eclipse Foundation [an international non-profit association] under the auspices of the Eclipse Foundation Specification Process and a new working group... Other code-hosting open source foundations, SMEs, industry players, and researchers are invited to join in as well.

The starting point for this highly technical standardisation effort will be today's existing security policies and procedures of the respective open source foundations, and similar documents describing best practices.

The governance of the working group will follow the Eclipse Foundation's usual member-led model but will be augmented by explicit representation from the open source community to ensure diversity and balance in decision-making. The deliverables will consist of one or more process specifications made available under a liberal specification copyright licence and a royalty-free patent licence... While open source communities and foundations generally adhere to and have historically established industry best practices around security, their approaches often lack alignment and comprehensive documentation.

The open source community and the broader software industry now share a common challenge: legislation has introduced an urgent need for cybersecurity process standards.

The Apache Foundation notes the working group is forming partly "to demonstrate our commitment to cooperation with and implementation of" the EU's Cyber Resilience Act. But the Eclipse Foundation adds that even before it goes into effect in 2027, they're recognizing open source software's "increasingly vital role in modern society" and an increasing need for reliability, safety, and security, so new regulations like the CRA "underscore the urgency for secure by design and robust supply chain security standards."

Their announcement adds that "It is also important to note that it is similarly necessary that these standards be developed in a manner that also includes the requirements of proprietary software development, large enterprises, vertical industries, and small and medium enterprises." But at the same time, "Today's global software infrastructure is over 80% open source... [W]hen we discuss the 'software supply chain,' we are primarily, but not exclusively, referring to open source."

"We invite you to join our collaborative effort to create specifications for secure open source development," their announcement concludes, promising initiative updates on a new mailing list. "Contribute your ideas and participate in the magic that unfolds when open source foundations, SMEs, industry leaders, and researchers combine forces to tackle big challenges."

The Python Foundation's announcement calls it a "community-driven initiative" that will have "a lasting impact on the future of cybersecurity and our shared open source communities."

Firefox

Firefox On the Brink? (brycewray.com)

An anonymous reader shares a report: A somewhat obscure guideline for developers of U.S. government websites may be about to accelerate the long, sad decline of Mozilla's Firefox browser. There already are plenty of large entities, both public and private, whose websites lack proper support for Firefox; and that will get only worse in the near future, because the 'fox's auburn paws are perilously close to the lip of the proverbial slippery slope. The U.S. Web Design System (USWDS) provides a comprehensive set of standards which guide those who build the U.S. government's many websites. Its documentation for developers borrows a "2% rule" from its British counterpart: "... we officially support any browser above 2% usage as observed by analytics.usa.gov." (Firefox's market share was 2.2%, per the traffic for the previous ninety days.)

[...] "So what?" you may wonder. "That's just for web developers in the U.S. government. It doesn't affect any other web devs." Actually, it very well could. Here's how I envision the dominoes falling:

1. Once Firefox slips below the 2% threshold in the government's visitor analytics, USWDS tells government web devs they don't have to support Firefox anymore.
2. When that word gets out, it spreads quickly to not only the front-end dev community but also the corporate IT departments for whom some web devs work. Many corporations do a lot of business with the government and, thus, whatever the government does from an IT standpoint is going to influence what corporations do.
3. Corporations see this change as an opportunity to lower dev costs and delivery times, in that it provides an excuse to remove some testing (and, in rare cases, specific coding) from their development workflow.

The Courts

Robocar Tech Biz Sues Nvidia, Claims Stolen Code Shared In Teams Meeting Blunder (theregister.com)

Dan Robinson reports via The Register: Nvidia is facing legal action in the U.S. for theft of trade secrets from a German automotive company, which alleges its ex-employee made an epic blunder of showing something he shouldn't have when minimizing a Powerpoint slide at a joint Microsoft Teams meeting both companies were attending. The automotive firm, Valeo Schalter und Sensoren, claims the flashing of its source code for the assisted parking app on the call is evidence to support its accusations that the ex-staffer stole the IP before leaving to join Nvidia. The two tech companies were both on the call as they were each suppliers on contract for a parking and driving assistance project with a major automotive OEM that was not named in the suit. Under the terms of the contract with the OEM, the suit states, engineers from both Valeo and Nvidia had to schedule collaboration meetings so that "Nvidia employees could ask Valeo employees questions about Valeo's ultrasonic hardware and data associated with the hardware."

The complaint [PDF], filed by Valeo in the US District Court for Northern California, goes on to allege misappropriation of trade secrets by Nvidia, through which the company claims the GPU-maker attempted to take a shortcut into the automotive marketplace by using its stolen software. Nvidia is a relative newcomer to the automotive market, introducing its Nvidia Drive platform at the CES trade show in 2015. Valeo says that it only discovered the theft during a conference call on March 8, 2022 between its engineers and those of Nvidia to collaborate on work for an automotive OEM, a customer of both companies. Valeo develops automotive hardware such as cameras and sensors, in addition to software that processes the data from the hardware. The court filing states that Valeo previously provided the OEM in question with both hardware and software for its autonomous vehicle technology, but in this instance, it asked Valeo to provide ultrasonic hardware only. For the software side, the OEM instead chose Nvidia. One of the Nvidia engineers on the call, named as Mohammad Moniruzzaman, was a former employee of Valeo, and during the call, made using Microsoft's Teams software, he shared his screen in order to give a presentation containing questions for the Valeo participants.

Yet also visible on his screen after the presentation finished - or so the complaint alleges - was a window of source code, which the Valeo participants recognized as belonging to their company. According to the filing, one of the Valeo engineers succeeded in capturing a screenshot as evidence. According to Valeo, the source code file names that were allegedly visible in the screenshot were identical to those used in its source code, and it also claims the source code appeared to be identical to proprietary code maintained in Valeo's repositories. The company says in the suit that it then conducted a comprehensive internal forensic IT audit, and alleges it discovered that Moniruzzaman had copied four repositories containing the code for Valeo's parking and driving assistance software, prior to leaving the company in May 2021. [...] The claim is that Valeo's source code and documentation has been used in the development of Nvidia's software, and this provided the GPU giant and its engineers with a shortcut in the development of its parking assistance code, saving Nvidia perhaps hundreds of millions of dollars in development costs.

According to the court filing, Nvidia said it removed Moniruzzaman's additions to its code. However, those additions underwent "a peer review process of 10-30 iterations of feedback loops" before the code was fully merged into Nvidia's database. Valeo contends that this process of extensive edits by others means it is not realistic that Nvidia could have fully removed Moniruzzaman's contributions. Valeo claims it has suffered competitive harm as a result of Nvidia's action and as a result is seeking damages, to be determined at trial, as well as an injunction prohibiting Nvidia or its employees from using or disclosing Valeo's trade secrets. A date for jury trial has yet to be announced.

Security

A SysAid Vulnerability Is Being Used To Deploy Clop Ransomware, Warns Microsoft (siliconangle.com)

SysAid's system management software has "a vulnerability actively being exploited to deploy Clop ransomware," according to SiliconAngle: The warning came from Microsoft Corp.'s Threat Intelligence team, which wrote on X that it had discovered the exploitation of a zero-day vulnerability in SysAid's IT support software that's being exploited by the Lace Tempest ransomware gang.

Lace Tempest first emerged earlier this year from its attacks involving the MOVEit Transfer and GoAnywhere MFT. This group has been characterized by its sophisticated attack methods, often exploiting zero-day vulnerabilities to infiltrate organizations' systems to deploy ransomware and exfiltrate sensitive data...

In a blog post, SysAid said that the vulnerability, tracked as CVE-2023-47246, was first discovered on November 2 and is a path traversal vulnerability leading to code execution within the SysAid on-prem software... "Given the scale and impact of the MOVEit breach, which was considered one of the largest in recent history, the potential for the SysAid vulnerability to reach similar levels of disruption is not inconceivable, though several factors would influence this outcome," Craig Jones, vice president of security operations at managed detection and response provider Ontinue Inc., told SiliconANGLE. "The MOVEit breach, exploited by the Clop ransomware group, impacted over 1,000 organizations and more than 60 million individuals," Jones explained. "Comparatively, SysAid claims more than 5,000 customers across various industries globally. The potential damage from the SysAid vulnerability would depend on factors such as how widespread the exploitation is, how quickly the patch is applied and the sensitivity of the accessed data."

SysAid's blog post confirms the zero-day vulnerability, and says they've begun "proactively communicating with our on-premise customers to ensure they could implement a mitigation solution we had identified..."

"We urge all customers with SysAid on-prem server installations to ensure that your SysAid systems are updated to version 23.3.36, which remediates the identified vulnerability, and conduct a comprehensive compromise assessment of your network..." The attacker uploaded a WAR archive containing a WebShell and other payloads into the webroot of the SysAid Tomcat web service [which] provided the attacker with unauthorized access and control over the affected system. Subsequently, the attacker utilized a PowerShell script, deployed through the WebShell, to execute a malware loader named user.exe on the compromised host, which was used to load the GraceWire trojan...

After this initial access and the deployment of the malware, the attacker utilized a second PowerShell script to erase evidence associated with the attacker's actions from the disk and the SysAid on-prem server web logs... Given the severity of the threat posed, we strongly recommend taking immediate steps according to your incident response playbook and install any patches as they become available.
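For the compromise assessment the advisory asks for, two checks follow directly from the chain it describes (path traversal, then a WAR dropped into the Tomcat webroot): scan the access log for traversal sequences in request targets, and list WAR/JSP files in the webroot that belong to no expected application or are newer than the last known-good deployment. This is an added example, not SysAid's or Microsoft's tooling; the log lines, the `/hypothetical-upload` endpoint and the file listing are constructed for illustration.

```python
"""Constructed compromise-assessment helpers for a Tomcat-hosted application.
Not SysAid's or Microsoft's code; sample data below is made up."""
import re
from urllib.parse import unquote

# A '..' path segment: not preceded by a name character, followed by a separator or end.
TRAVERSAL_SEGMENT = re.compile(r"(?:^|[^A-Za-z0-9.])\.\.(?:[\\/]|$)")

# Tomcat "common" access-log pattern: host ident user [time] "METHOD target proto" status bytes
ACCESS_LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def has_traversal(target):
    """True if the request target holds a '..' segment, including %2e%2e and %252e%252e forms."""
    decoded = target
    for _ in range(2):                       # %252e -> %2e -> '.'
        decoded = unquote(decoded)
    return bool(TRAVERSAL_SEGMENT.search(decoded))


def suspicious_requests(lines):
    """Return (host, time, method, target, status) for each parseable line whose target traverses."""
    hits = []
    for line in lines:
        m = ACCESS_LINE.match(line)
        if m and has_traversal(m["target"]):
            hits.append((m["host"], m["time"], m["method"], m["target"], int(m["status"])))
    return hits


def unexpected_webroot_files(listing, expected_apps, baseline_mtime):
    """listing: (path relative to webapps/, mtime) pairs.
    Flags a .war or .jsp that belongs to no expected application, or that is newer
    than the last known-good deployment (a file dropped inside a known app)."""
    flagged = []
    for rel, mtime in listing:
        if not rel.lower().endswith((".war", ".jsp")):
            continue
        app = rel.split("/", 1)[0]
        if app.lower().endswith(".war"):
            app = app[:-4]
        if app not in expected_apps or mtime > baseline_mtime:
            flagged.append((rel, mtime))
    return flagged


# Constructed sample data (not real SysAid traffic, endpoints or paths).
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [02/Nov/2023:03:14:07 +0000] "POST /hypothetical-upload?name=..%2F..%2Fwebapps%2Fx.war HTTP/1.1" 200 12',
    '203.0.113.7 - - [02/Nov/2023:03:14:09 +0000] "POST /hypothetical-upload?name=%252e%252e%252fwebapps%252fx.war HTTP/1.1" 200 12',
    '198.51.100.2 - - [02/Nov/2023:03:15:00 +0000] "GET /login.jsp HTTP/1.1" 200 5120',
    '198.51.100.2 - - [02/Nov/2023:03:15:30 +0000] "GET /static/app..min.js HTTP/1.1" 200 900',
]
BASELINE_MTIME = 1695000000                  # last known-good deployment time (constructed)
SAMPLE_WEBROOT = [
    ("ROOT/index.jsp", 1690000000),          # part of the known deployment
    ("ROOT/x.jsp", 1699400000),              # new JSP inside a known app
    ("x.war", 1699400100),                   # WAR that is no expected application
]


def assess():
    """Run both checks over the constructed sample data."""
    return {
        "requests": suspicious_requests(SAMPLE_ACCESS_LOG),
        "webroot": unexpected_webroot_files(SAMPLE_WEBROOT, {"ROOT"}, BASELINE_MTIME),
    }
```

Because the advisory notes the attacker erased web logs afterwards, treat an empty result from the log check as inconclusive and weight the webroot listing and host-side artifacts accordingly.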

Python

OpenAI to Release Its Python SDK (analyticsindiamag.com)

"OpenAI has unveiled the Beta version of its Python SDK," reports Analytics India Magazine, "marking a significant step towards enhancing access to the OpenAI API for Python developers." The OpenAI Python library offers a simplified way for Python-based applications to interact with the OpenAI API, while providing an opportunity for early testing and feedback before the official launch of version 1.0. It streamlines the integration process by providing pre-defined classes for API resources, dynamically initialising from API responses, ensuring compatibility across various OpenAI API versions...

Developers can find comprehensive documentation and code examples in the OpenAI Cookbook for various tasks, including classification, clustering, code search, customising embeddings, question answering, recommendations, visualisation of embeddings, and more...

This comes just weeks before OpenAI's first developer conference, OpenAI DevDay.

More details in OpenAI's official announcement at PyPi.org.

Red Hat Software

Red Hat's Layoffs Included Fedora Program Manager (funnelfiasco.com)

When Red Hat laid off 4% of its global staff, Fedora Program Manager Ben Cotton was "a member of that 4%," according to a new post on Cotton's blog: I've received so much support from people since the news started spreading. It's like that end scene of "It's a Wonderful Life" and I'm George Bailey. I'm proud of the contributions I've made to the Fedora community over the last five years, and it feels good to have others recognize that.

Cotton joined Red Hat in 2018, but "I was a Fedora contributor long before," Cotton writes, adding later that "I fully intend to still be participating in the Fedora community when my account hits the 20-year mark in May 2029." (Cotton's first foray into Fedora was joining its Docs team in 2009, and then volunteering to be the Docs project leader in 2011...)

And the blog post adds that professionally Cotton is "already pursuing a few opportunities... In the meantime, I have (at least) a few weeks to relax for a bit." I've told folks that if Fedora falls off the rails, then I have failed. I'm working with Matthew, Justin, and others to ensure coverage of the core job duties one way or another. I've worked hard over the years to automate tasks that can be automated. The documentation is far more comprehensive than what I inherited. No doubt there are gaps in what I've left for my successors. However, my goal is that in a few months, nobody will notice that I'm gone. That's my measure of success...

As to what the broader implication behind the loss of my position might be, I don't know. There's no indication that my role was targeted specifically. There are definitely people in Red Hat who continue to view Fedora as strategically important.

Government

The State Department and 3 Other US Agencies Earn a D For Cybersecurity (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Cybersecurity at eight federal agencies is so poor that four of them earned grades of D, three got Cs, and only one received a B in a report issued Tuesday by a US Senate Committee. "It is clear that the data entrusted to these eight key agencies remains at risk," the 47-page report stated. "As hackers, both state-sponsored and otherwise, become increasingly sophisticated and persistent, Congress and the executive branch cannot continue to allow PII and national security secrets to remain vulnerable."

The report, issued by the Senate Committee on Homeland Security and Governmental Affairs, comes two years after a separate report found systemic failures by the same eight federal agencies in complying with federal cybersecurity standards. The earlier report (PDF) found that during the decade spanning 2008 to 2018, the agencies failed to properly protect personally identifiable information, maintain a list of all hardware and software used on agency networks, and install vendor-supplied security patches in a timely manner. The 2019 report also highlighted that the agencies were operating legacy systems that were costly to maintain and hard to secure. All eight agencies -- including the Social Security Administration and the Departments of Homeland Security, State, Transportation, Housing and Urban Development, Agriculture, Health and Human Services, and Education -- failed to protect sensitive information they stored or maintained.

Tuesday's report, titled Federal Cybersecurity: America's Data Still at Risk, analyzed security practices by the same agencies for 2020. It found that only one agency had earned a grade of B for its cybersecurity practices last year. "What this report finds is stark," the authors wrote. "Inspectors general identified many of the same issues that have plagued Federal agencies for more than a decade. Seven agencies made minimal improvements, and only DHS managed to employ an effective cybersecurity regime for 2020. As such, this report finds that these seven Federal agencies still have not met the basic cybersecurity standards necessary to protect America's sensitive data." State Department systems, the auditors found, frequently operated without the required authorizations, ran software (including Microsoft Windows) that was no longer supported, and failed to install security patches in a timely manner. The department's user management system came under particular criticism because officials couldn't provide documentation of user access agreements for 60 percent of sample employees that had access to the department's classified network.

"This network contains data which if disclosed to an unauthorized person could cause 'grave damage' to national security," the auditors write. "Perhaps more troubling, State failed to shut off thousands of accounts after extended periods of inactivity on both its classified and sensitive but unclassified networks. According to the Inspector General, some accounts remained active as long as 152 days after employees quit, retired, or were fired. Former employees or hackers could use those unexpired credentials to gain access to State's sensitive and classified information, while appearing to be an authorized user. The Inspector General warned that without resolving issues in this category, 'the risk of unauthorized access is significantly increased.'"

Ars Technica adds that the Social Security Administration "suffered many of the same shortcomings, including a lack of authorization for many systems, use of unsupported systems, failure to Compile an Accurate and Comprehensive IT Asset Inventory, and Failure to Provide for the Adequate Protection of PII."

Programming

After 20 Years, Have We Achieved the Vision of the Agile Manifesto? (zdnet.com)

"We are uncovering better ways of developing software by doing it and helping others do it," declared the Agile Manifesto, nearly 20 years ago. "Through this work we have come to value..."

* Individuals and interactions over processes and tools
* Working software over comprehensive documentation
* Customer collaboration over contract negotiation
* Responding to change over following a plan

Today a new ZDNet article asks how far the tech industry has come in achieving the vision of its 12 principles — and why Agile is often "still just a buzzword." The challenge arises "because many come to agile as a solution or prescription, rather than starting with the philosophy that the Agile Manifesto focused on," says Bob Ritchie, VP of Software at SAIC. "Many best practices such as automated test-driven development, automated builds, deployments, and rapid feedback loops are prevalent in the industry. However, they are frequently still unmoored from the business and mission objectives due to that failure to start with why."

Others feel we're still nowhere near achieving the vision of the original Agile Manifesto. "Absolutely not at a large scale across enterprises," says Brian Dawson, DevOps evangelist with CloudBees. "We are closer and more aware, but we are turning a tanker and it is slow and incremental. In start-ups, we are seeing much more of this; that is promising because they are the enterprises of the future." Agile initiatives "all too often are rolled out from, and limited to, project planning or the project management office. To support agile and DevOps transformation, agile needs to be implemented with all stakeholders."

Some organizations turn to agile "as a panacea to increase margins by cutting cost with a better, shinier development process," Ritchie cautions. "Others go even further by weaponizing popular metrics associated with agile capacity planning such as velocity and misclassifying it as a performance metric for an individual or team. In these circumstances, the promises of the manifesto are almost certainly missed as opportunities to engage and collaborate give way to finger pointing, blame, and burnout." What's missing from many agile initiatives is "ways to manage what you do based on value and outcomes, rather than on measuring effort and tasks," says Morris. "We've seen the rise of formulaic 'enterprise agile' frameworks that try to help you to manage teams in a top-down way, in ways that are based on everything on the right of the values of the Agile Manifesto. The manifesto says we value 'responding to change over following a plan,' but these frameworks give you a formula for managing plans that don't really encourage you to respond to change once you get going."

Medicine

iFixit Launches Massive Repair Database For Ventilators and Other Medical Devices (theverge.com) 9

According to CEO Kyle Wiens, teardown and repair website iFixit has just posted "the most comprehensive online resource for medical repair professionals." The Verge reports: The new database contains dedicated sections for clinical, laboratory, and medical support equipment, in addition to numerous other categories of devices. It also provides more than 13,000 manuals from hundreds of medical device manufacturers. Wiens says the effort began with a crowdsourcing campaign to collect repair information for hospital equipment, with a focus on "ventilator documentation, anesthesia systems, and respiratory analyzers -- devices widely used to support COVID-19 patients." But the effort grew from there, spanning more than two months as iFixit added dozens more staff members to the project; began talking to more biomedical technicians, doctors, and nurses about their day-to-day needs; and started collecting and cataloging information from libraries and other sources.

The medical repair database is split up into nine categories, with each containing countless subcategories for basically any type of device you'd find in a medical setting. For instance, the clinical equipment category contains 53 subcategories for everything from anesthesia systems and Bilevel Positive Airway Pressure (BiPAP) machines to respiratory analyzers and ventilators. The database also has medical training manuals, information on medical furniture like decontamination systems and hospital beds, and an exhaustive section on surgical equipment repair and maintenance. Wiens explains in iFixit's announcement post that some medical device manufacturers make this information more easily available online than others. "But for their day-to-day work, biomeds have long relied on a rag-tag set of web resources to get the job done. Among the most popular is Frank's Hospital Workshop, a Tanzania-based site that hosts hundreds of medical device manuals -- it's the unofficial biomed bible," Wiens writes. The goal was not to outdo that website or try to overtake it in popularity, but to add new documents and manuals that weren't available before to a database including existing resources.

Another bonus: the website will not make money on this project. "We are providing hosting and curation free of charge, and free of advertising, to the medical community," Wiens says.
Python

Python Gets New Governance Model (sdtimes.com) 64

The Python Software Foundation has settled on a new governance model for the programming language Python. The decision to come up with a new model was made after Python creator and chief Guido van Rossum stepped down as the "Benevolent Dictator For Life" (BDFL). SDTimes: The new governance model will rely on a five-person steering council to establish standard practices for introducing new features to the Python programming language. Based on tested methods, the proposal was designed to be "boring," comprehensive, flexible and lightweight, the steering council model document explained. "We're not experts in governance, and we don't think Python is a good place to experiment with new and untried governance models," software developers Nathaniel Smith and Donald Stufft explained in the Python documentation.

"So this proposal sticks to mature, well-known, previously tested processes as much as possible. The high-level approach of a mostly-hands-off council is arguably the most common across large successful F/OSS projects, and low-level details are derived directly from Django's governance." The steering council will serve as the "court of final appeal" for changes to the language and will have broad authority over the decision-making process, including the ability to accept or reject PEPs (Python Enhancement Proposals) (such as the one used to introduce this governance model), enforce and update the project's code of conduct, create subcommittees and manage project assets. But the intended goal of the council is to take a more hands-off and occasional approach to flexing its powers, Smith and Stufft explained.

Firefox

Firefox Will Run Chrome Extensions 152

An anonymous reader writes: Today Mozilla announced some big changes to its extension support. Their new addon API, WebExtensions, is mostly compatible with the extension model used by Chrome and Opera. In short, this means we'll soon see cross-platform browser extensions. They say, "For some time we've heard from add-on developers that our APIs could be better documented and easier to use. In addition, we've noticed that many Firefox add-on developers also maintain a Chrome, Safari, or Opera extension with similar functionality. We would like add-on development to be more like Web development: the same code should run in multiple browsers according to behavior set by standards, with comprehensive documentation available from multiple vendors."
Books

Book Review: Designing and Building a Security Operations Center 29

benrothke writes Many organizations are overwhelmed by the onslaught of security data from disparate systems, platforms and applications. They have numerous point solutions (anti-virus, firewalls, IDS/IPS, ERP, access control, IdM, single sign-on, etc.) that can create millions of daily log messages. In addition to directed attacks becoming more frequent and sophisticated, there are regulatory compliance issues that place increasing burden on security, systems and network administrators. This creates a large amount of information and log data without a formal mechanism to deal with it. This has led to many organizations creating a security operations center (SOC). A SOC in its most basic form is the centralized team that deals with information security incidents and related issues. In Designing and Building a Security Operations Center, author David Nathans provides the basics on how that can be done. Keep reading for the rest of Ben's review.
Books

Book Review: The Digital Crown 69

benrothke writes "With Adobe Flash, it's possible to quickly get a pretty web site up and running; something that many firms do. But if there is no content behind the flashy web page, it's unlikely anyone will return. In The Digital Crown: Winning at Content on the Web, author Ahava Leibtag does a fantastic job of showing how to ensure that your web site has what it takes to get visitors to return, namely great content." Read below for the rest of Ben's review.
Books

Book Review: Latest Two Books By Peter Loshin 28

benrothke writes "Of the books that author Pete Loshin has written in the past, a number of them are completely comprised of public domain information that he gathered. Titles such as Big Book of Border Gateway Protocol (BGP) RFCs, Big Book of IPsec RFCs, Big Book of Lightweight Directory Access Protocol (LDAP) RFCs, and others, are simply bound copies of publicly available information. In two of his latest books, Practical Anonymity: Hiding in Plain Sight Online and Simple Steps to Data Encryption: A Practical Guide to Secure Computing, Loshin doesn't do the wholesale cut and paste that he did in the RFC books, but on the other side, doesn't offer much more information than the reader can get online." Read below for the rest of Ben's review.