Open Source

Tesla Releases Some of Its Software To Comply With Open-Source Licenses (sfconservancy.org)

Jeremy Allison - Sam shares a blog post from Software Freedom Conservancy, congratulating Tesla on their first public step toward GPL compliance: Conservancy rarely talks publicly about specifics in its ongoing GNU General Public License (GPL) enforcement and compliance activity, in accordance with our Principles of Community Oriented GPL Enforcement. We usually keep our compliance matters confidential -- not for our own sake -- but for the sake of violators who request discretion to fix their mistakes without fear of public reprisal. We're thus glad that, this week, Tesla has acted publicly regarding its current GPL violations and has announced that they've taken their first steps toward compliance. While Tesla acknowledges that they still have more work to do, their recent actions show progress toward compliance and a commitment to getting all the way there.
Operating Systems

Fedora-Based Linux Distro Korora Halts Development (betanews.com)

Korora, a Fedora-based Linux distro, halted its development this month, BetaNews' Brian Fagioli spotted Wednesday. The announcement would irk many, as Korora consistently received positive feedback from critics and users alike. News outlet ZDNet once described Korora as "Fedora++", while Slashdot readers, too, spoke highly of the distro.

At the same time, the announcement should come as little surprise to anyone who has been tracking Korora's work. In a blog post, the Korora team wrote: Korora for the foreseeable future is not going to be able to march in cadence with the Fedora releases. In addition to that, for the immediate future there will be no updates to the Korora distribution. Our team is infinitesimal (currently 1 developer and 2 community managers) compared to many other distributions; we don't have the luxury of being able to dedicate the amount of time we would like to spend on the project and still satisfy our real life obligations. So we are taking a little sabbatical to avoid complete burn out and rejuvenate ourselves and our passion for Korora/Fedora and wider open source efforts. The team had expressed similar concerns earlier this year: For the past few years Korora has released a new version in line with each Fedora version. That means that approximately twice a year we prepare, test and create 5 different ISO versions. This is as well as, among other things, developing new projects, supporting existing releases and planning the future versions. As each team member has different skills, some tasks, such as development, can only be done by one person. All this is done in our spare time alongside our job, family and personal responsibilities. For a very small team, currently 3 people plus the occasional input from others, this is a lot of work. It means that often Korora has to take a back seat when real life intrudes. This isn't the first time Korora has had to abruptly pause its development. In 2007, Christopher Smart, who kickstarted Korora (at the time based on Gentoo Linux), discontinued the project -- only to revive it three years later.
Facebook

Justice Department, FBI Are Investigating Cambridge Analytica (cbsnews.com)

An anonymous reader quotes a report from CBS News: The Justice Department and FBI are investigating Cambridge Analytica, the now-shuttered political data firm that was once used by the Trump campaign and came under scrutiny for harvesting data of millions of users, The New York Times reported on Tuesday. The Times, citing a U.S. official and people familiar with the inquiry, reported federal investigators have looked to question former employees and banks connected to the firm.

The Times reports prosecutors have informed potential witnesses there is an open investigation into the firm, whose profiles of voters were intended to help with elections. One source tells CBS News correspondent Paula Reid prosecutors are investigating the firm for possible financial crimes. A company that has that much regulatory scrutiny is almost guaranteed to have federal prosecutors interested, Reid was told. Christopher Wylie, a former Cambridge Analytica employee who spoke out about the data sharing practices, told the Times federal investigators had contacted him. The American official told the Times investigators have also contacted Facebook as a part of the probe.

Encryption

Encrypted Email Has a Major, Divisive Flaw (wired.com)

An anonymous reader quotes a report from Wired: The ubiquitous email encryption schemes PGP and S/MIME are vulnerable to attack, according to a group of German and Belgian researchers who posted their findings on Monday. The weakness could allow a hacker to expose plaintext versions of encrypted messages -- a nightmare scenario for users who rely on encrypted email to protect their privacy, security, and safety. The weakness, dubbed eFail, emerges when an attacker who has already managed to intercept your encrypted emails manipulates how the message will process its HTML elements, like images and multimedia styling. When the recipient gets the altered message and their email client -- like Outlook or Apple Mail -- decrypts it, the email program will also load the external multimedia components through the maliciously altered channel, allowing the attacker to grab the plaintext of the message.

The eFail attack requires hackers to have a high level of access in the first place that, in itself, is difficult to achieve. They need to already be able to intercept encrypted messages, before they begin waylaying messages to alter them. PGP is a classic end-to-end encryption scheme that has been a go-to for secure consumer email since the late 1990s because of the free, open-source standard known as OpenPGP. But the whole point of doing the extra work to keep data encrypted from the time it leaves the sender to the time it displays for the receiver is to reduce the risk of access attacks -- even if someone can tap into your encrypted messages, the data will still be unreadable. eFail is an example of these secondary protections failing.

GNU is Not Unix

Richard Stallman Demands Return Of Abortion Joke To libc Documentation (theregister.co.uk)

An anonymous reader quotes The Register: Late last month, open-source contributor Raymond Nicholson proposed a change to the manual for glibc, the GNU implementation of the C programming language's standard library, to remove "the abortion joke," which accompanied the explanation of libc's abort() function... The joke, which has been around since the 1990s and is referred to as a censorship joke by those supporting its inclusion, reads as follows:

25.7.4 Aborting a Program... Future Change Warning: Proposed Federal censorship regulations may prohibit us from giving you information about the possibility of calling this function. We would be required to say that this is not an acceptable way of terminating a program.

On April 30, the proposed change was made, removing the passage from the documentation. That didn't sit well with a number of people involved in the glibc project, including the joke's author, none other than Free Software Foundation president and firebrand Richard Stallman, who argued that the removal of the joke qualified as censorship... Carlos O'Donnell, a senior software engineer at Red Hat, recommended avoiding jokes altogether, a position supported by many of those weighing in on the issue. Among those voicing opinions, a majority appears to favor removal.

But in a post to the project mailing list, Stallman wrote "Please do not remove it. GNU is not a purely technical project, so the fact that this is not strictly and grimly technical is not a reason to remove this." He added later that "I exercise my authority over glibc very rarely -- and when I have done so, I have talked with the official maintainers. So rarely that some of you thought that you are entirely autonomous. But that is not the case. On this particular question, I made a decision long ago and stated it where all of you could see it."

The Register reports that "On Monday, the joke was restored by project contributor Alexandre Oliva, having taken Stallman's demand as approval to do so."
Security

After Equifax Breach, Major Firms Still Rely on Same Flawed Software (zdnet.com)

Last year's massive data breach at Equifax should have been a wake-up call for the entire industry. But a year after the patches were released, some of the world's wealthiest companies are still using, or have since introduced, the same flawed software. From a report: Thousands of companies have downloaded vulnerable versions of Apache Struts, popular web server software used across the Fortune 100 to provide web applications in Java. It's often used to power both front- and back-end applications -- including Equifax's public website. The bug used in the Equifax hack was fixed in March 2017, but Equifax never installed the patches. Since those patches were made available, data seen by ZDNet shows that at least 10,800 companies downloaded vulnerable versions of the software. The data, provided by Sonatype, an open-source automation firm, shows that over half of the Fortune Global 100 are using vulnerable versions of the software. Although the firm wouldn't name the affected companies, a quarter of them are based in North America. The data showed that seven are tech giants, and 15 are financial services or insurance firms.
Bitcoin

Aventus Blockchain-Based Ticketing System Aims To Wipe Out Ticket Touts (theguardian.com)

umafuckit writes: The Guardian reports on Aventus, an open-source protocol designed to eliminate fraud and touting for large events. The Aventus Protocol "would allow event organizers to give each ticket a unique identity that is tied to its owner. Since each ticket is a linked list of records, where each new one contains an encrypted version of the previous one, they cannot be faked. The software also allows event promoters to keep an easy record of who owns the ticket, which means they can control the prices." The protocol was launched at Imperial College London last week and will be trialed at this year's World Cup, where it will handle 10,000 ticket sales.
Cloud

Google Releases Open Source Framework For Building 'Enclaved' Apps For Cloud (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Today, Google is releasing an open source framework for the development of "confidential computing" cloud applications -- a software development kit that will allow developers to build secure applications that run across multiple cloud architectures even in shared (and not necessarily trusted) environments. The framework, called Asylo, is currently experimental but could eventually make it possible for developers to address some of the most basic concerns about running applications in any multi-tenant environment. Container systems like Docker and Kubernetes are designed largely to allow untrusted applications to run without exposing the underlying operating system to badness. Asylo (Greek for "safe place") aims to solve the opposite problem -- allowing absolutely trusted applications to run in "Trusted Execution Environments" (TEEs), which are specialized execution environments that act as enclaves and protect applications from attacks on the underlying platform they run on.
Open Source

Facebook's Open-Source Go Bot Can Now Beat Professional Players (techcrunch.com)

Google's DeepMind isn't the only team working to defeat professional Go players with artificial intelligence. At Facebook's F8 developer conference today, the company announced a Go bot of its own that has now achieved professional status after winning all 14 games it played against a group of top 30 human Go players. TechCrunch reports: "We salute our friends at DeepMind for doing awesome work," Facebook CTO Mike Schroepfer said in today's keynote. "But we wondered: Are there some unanswered questions? What else can you apply these tools to." As Facebook notes in a blog post today, the DeepMind model itself also remains under wraps. In contrast, Facebook has open-sourced its bot. "To make this work both reproducible and available to AI researchers around the world, we created an open source Go bot, called ELF OpenGo, that performs well enough to answer some of the key questions unanswered by AlphaGo," the team writes today. Facebook's AI Research group is also developing a StarCraft bot that it too plans to open source.
Censorship

Amazon Tells Signal's Creators To Stop Using Anti-Censorship Tool (theverge.com)

An anonymous reader quotes a report from The Verge: The team behind secure messaging app Signal says Amazon has threatened to kick the app off its CloudFront web service unless Signal drops the anti-censorship practice known as domain-fronting. Google recently banned the practice, which lets developers disguise web traffic to look like it's coming from a different source, allowing apps like Signal to evade country-level bans. As a result, Signal moved from Google to the Amazon-owned Souq content delivery network. But Amazon implemented its own ban on Friday. In an email that Moxie Marlinspike -- founder of Signal developer Open Whisper Systems -- posted today, Amazon orders the organization to immediately stop using domain-fronting or find another web services provider. Signal used the system to provide service in Egypt, Oman, and the United Arab Emirates (UAE), where it's officially banned. It got around filters by making traffic appear to come from a huge platform, since countries weren't willing to ban the entirety of a site like Google to shut down Signal. "The idea behind domain fronting was that to block a single site, you'd have to block the rest of the internet as well. In the end, the rest of the internet didn't like that plan," Marlinspike writes. "We are considering ideas for a more robust system, but these ecosystem changes have happened very suddenly. [...] In the meantime, the censors in these countries will have (at least temporarily) achieved their goals. Sadly, they didn't have to do anything but wait."
Books

New Book Describes 'Bluffing' Programmers in Silicon Valley (theguardian.com)

Long-time Slashdot reader Martin S. pointed us to an excerpt from the new book Live Work Work Work Die: A Journey into the Savage Heart of Silicon Valley by Portland-based investigative reporter Corey Pein.

The author shares what he realized at a job recruitment fair seeking Java Legends, Python Badasses, Hadoop Heroes, "and other gratingly childish classifications describing various programming specialities." I wasn't the only one bluffing my way through the tech scene. Everyone was doing it, even the much-sought-after engineering talent. I was struck by how many developers were, like myself, not really programmers, but rather this, that and the other. A great number of tech ninjas were not exactly black belts when it came to the actual onerous work of computer programming. So many of the complex, discrete tasks involved in the creation of a website or an app had been automated that it was no longer necessary to possess knowledge of software mechanics. The coder's work was rarely a craft. The apps ran on an assembly line, built with "open-source", off-the-shelf components. The most important computer commands for the ninja to master were copy and paste...

[M]any programmers who had "made it" in Silicon Valley were scrambling to promote themselves from coder to "founder". There wasn't necessarily more money to be had running a startup, and the increase in status was marginal unless one's startup attracted major investment and the right kind of press coverage. It's because the programmers knew that their own ladder to prosperity was on fire and disintegrating fast. They knew that well-paid programming jobs would also soon turn to smoke and ash, as the proliferation of learn-to-code courses around the world lowered the market value of their skills, and as advances in artificial intelligence allowed for computers to take over more of the mundane work of producing software. The programmers also knew that the fastest way to win that promotion to founder was to find some new domain that hadn't yet been automated. Every tech industry campaign designed to spur investment in the Next Big Thing -- at that time, it was the "sharing economy" -- concealed a larger programme for the transformation of society, always in a direction that favoured the investor and executive classes.

"I wasn't just changing careers and jumping on the 'learn to code' bandwagon," he writes at one point. "I was being steadily indoctrinated in a specious ideology."
The Internet

100 US Mayors Sign Pledge To Defend Net Neutrality Against Crooked ISPs (gizmodo.com)

An anonymous reader quotes a report from Gizmodo: More than 100 U.S. mayors have signed a pledge to hold internet service providers accountable for net neutrality violations, despite the FCC's vote to repeal the regulations late last year. The pledge, initiated by Mayors Bill de Blasio of New York City, Steve Adler of Austin, and Ted Wheeler of Portland, promises that cities will refuse to do business with ISPs that violate net neutrality standards. The mayors, brought together by a coalition of open internet advocates, including Free Press, Demand Progress, and Daily Kos, have accused FCC Chairman Ajit Pai of caving to corporate interests by giving companies such as AT&T and Verizon the power to "block, throttle and slow access to sites and services at will." A complete list of the cities taking the pledge is available on the campaign's website. At time of writing, nearly 80,000 letters have been sent urging mayors across the country to participate.
Operating Systems

Ubuntu 18.04 Focuses On Security and AI Improvements (sdtimes.com)

Canonical has announced the release of its open-source Linux operating system, Ubuntu 18.04, which features security, multi-cloud, containers, and AI improvements. From a report: "Multi-cloud operations are the new normal," said Mark Shuttleworth, CEO of Canonical and founder of Ubuntu, in a statement. "Boot-time and performance-optimized images of Ubuntu 18.04 LTS on every major public cloud make it the fastest and most efficient OS for cloud computing, especially for storage and compute intensive tasks like machine learning." On-premises and on-cloud AI development within Ubuntu will be improved by the integration of Kubeflow and a range of CI/CD tools into Canonical Kubernetes. Kubeflow is a machine learning library built on Kubernetes.
Programming

Drupal Warns of New Remote-Code Bug, the Second in Four Weeks (arstechnica.com)

For the second time in a month, websites that use the Drupal content management system are confronted with a stark choice: install a critical update or risk having your servers infected with ransomware or other nasties. From a report: Maintainers of the open-source CMS built on the PHP programming language released an update patching a critical remote-code vulnerability on Wednesday. The bug, formally indexed as CVE-2018-7602, exists within multiple subsystems of Drupal 7.x and 8.x. Drupal maintainers didn't provide details on how the vulnerability can be exploited other than to say attacks work remotely. The maintainers rated the vulnerability "critical" and urged websites to patch it as soon as possible.
Open Source

Apple Open Sources FoundationDB (macrumors.com)

Apple's FoundationDB company announced on Thursday that the FoundationDB core has been open sourced with the goal of building an open community with all major development done in the open. The database company was purchased by Apple back in 2015. As described in the announcement, FoundationDB is a distributed datastore that's been designed from the ground up to be deployed on clusters of commodity hardware. Mac Rumors reports: By open sourcing the project to drive development, FoundationDB is aiming to become "the foundation of the next generation of distributed databases": "The vision of FoundationDB is to start with a simple, powerful core and extend it through the addition of 'layers'. The key-value store, which is open sourced today, is the core, focused on incorporating only features that aren't possible to write in layers. Layers extend that core by adding features to model specific types of data and handle their access patterns. The fundamental architecture of FoundationDB, including its use of layers, promotes the best practices of scalable and manageable systems. By running multiple layers on a single cluster (for example a document store layer and a graph layer), you can match your specific applications to the best data model. Running less infrastructure reduces your organization's operational and technical overhead." The source for FoundationDB is available on GitHub, and those who wish to join the project are encouraged to visit the FoundationDB community forums, submit bugs, and make contributions to the core software and documentation.