Open source view

News

KDE Frameworks 5.49 Released With Many Changes

Phoronix - Sat, 08/11/2018 - 17:57
The latest monthly update to the KDE Frameworks is now available that complement the offerings of the Qt5 tool-kit...

Canonical Releases New Linux Kernel Live Patch for Ubuntu 18.04 LTS & 16.04 LTS

tuxmachines.org - Sat, 08/11/2018 - 17:54

Available for Ubuntu 18.04 LTS (Bionic Beaver), Ubuntu 16.04 LTS (Xenial Xerus), and Ubuntu 14.04 LTS (Trusty Tahr), the new kernel live patch fixes a total of five security vulnerabilities, including the recently disclosed critical TCP flaw (CVE-2018-5390) discovered by Juha-Matti Tilli, which could allow a remote attacker to cause a denial of service.

The rebootless kernel security patch also addresses a vulnerability (CVE-2018-13405) in the inode_init_owner function in fs/inode.c in the Linux kernel through 4.17.4 that could allow a local user to escalate his/her privileges by creating a file with an unintended group ownership and then making the file executable and SGID (Set Group ID).


Dropbox To End Sync Support For All Filesystems Except Ext4 on Linux

tuxmachines.org - Sat, 08/11/2018 - 15:28

Dropbox is thinking of limiting the synchronization support to only a handful of file system types: NTFS for Windows, HFS+/APFS for macOS and Ext4 for Linux.


Qualcomm Adreno 600 Series Support Proposed For Linux 4.19 Kernel

Phoronix - Sat, 08/11/2018 - 14:34
While a bit late, Freedreno lead developer Rob Clark is hoping to see the Qualcomm Adreno 600 series bring-up happen for the Linux 4.19 kernel cycle...

Facebook will publish the location of the administrators of large Pages

Slo-Tech - Sat, 08/11/2018 - 14:23

Source: The Verge - Administrators of Facebook Pages, for now only those with a mass audience, will have to disclose somewhat more about their identity. In the coming days a notice will appear on their Page telling them that they must go through a special authorization process, in which they will have to enable two-factor authentication and confirm the country in which they permanently reside. Otherwise they will lose their editing rights. For now, location will be verified only via the device's location, but it will be published publicly alongside the list of people who manage the Page. More at Slo-Tech.

Flatpak Gets New FreeDesktop SDK 18.08 Runtime

Phoronix - Sat, 08/11/2018 - 13:26
Flatpak now has access to an updated FreeDesktop SDK runtime that is built on their new BuildStream build system rather than Yocto and has other improvements...

Wayland 1.16 & Weston 5.0 Release Candidates For Testing

Phoronix - Sat, 08/11/2018 - 13:13
Derek Foreman of Samsung's Open-Source Group put out the release candidates on Friday for the upcoming Wayland 1.16 release as well as the Weston 5.0 reference compositor...

Mesa 18.1.6 On The Way With Over Three Dozen Fixes

Phoronix - Sat, 08/11/2018 - 13:07
While Mesa 18.2 is baking for release later this month, Mesa 18.1 remains the currently supported stable series. Final release preparations are underway for Mesa 18.1.6 as the latest bi-weekly point release...

Mir Now Supports XDG Shell Stable

Phoronix - Sat, 08/11/2018 - 12:32
Canonical developers continue working on advancing the Mir display server's support for Wayland...

Live: Launch of the Parker probe toward the Sun postponed to tomorrow morning

Slo-Tech - Sat, 08/11/2018 - 10:06

NASA - On NASA's online channel we could today follow the live broadcast of the launch of the Parker probe (Parker Solar Probe), which was supposed to fly into space at 9:57 Slovenian time. During the final readiness check the team ran into some problems, so the countdown stopped at T-00:04:00 and the launch was temporarily postponed. Today's launch window lasted about an hour, and since the fault could not be fixed in that time, they will try again tomorrow at 9:30 Slovenian time. The launch can be watched live on the NASA channel. More at Slo-Tech.

Linux Foundation and DRM

tuxmachines.org - Sat, 08/11/2018 - 09:18
  • Academy and Linux Launch Software Foundation [iophk: "FUD + DRM"]

    The ASWF is the result of a two-year investigation by the Academy’s Science and Technology Council into the use of Open Source Software (OSS) across the motion picture industry. The survey found that more than 80% of the industry uses open source software, particularly for animation and visual effects. However, this widespread use of OSS has also created challenges including siloed development, managing multiple versions of OSS libraries (“versionitis”) and varying governance and licensing models that need to be addressed in order to ensure a healthy open source ecosystem.

  • Hollywood taps the Linux Foundation to create a home for its open-source projects

    Some 13 companies are listed as founding members alongside the Academy, including The Walt Disney Co., video game giant Epic Games Inc. and DreamWorks Animation LLC. A sizable portion of the foundation’s remaining backers hail from the tech industry. Among them are Intel Corp., Cisco Systems Inc. and Google LLC’s cloud division.


Security Leftovers

tuxmachines.org - Sat, 08/11/2018 - 09:17
  • Practical Web Cache Poisoning

    In this paper I'll show you how to compromise websites by using esoteric web features to turn their caches into exploit delivery systems, targeting everyone that makes the mistake of visiting their homepage.

    I'll illustrate and develop this technique with vulnerabilities that handed me control over numerous popular websites and frameworks, progressing from simple single-request attacks to intricate exploit chains that hijack JavaScript, pivot across cache layers, subvert social media and misdirect cloud services. I'll wrap up by discussing defense against cache poisoning, and releasing the open source Burp Suite Community extension that fueled this research.

  • IBM's proof-of-concept 'DeepLocker' malware uses AI to infect PCs
  • Hack causes pacemakers to deliver life-threatening shocks

    At the Black Hat security conference in Las Vegas, researchers Billy Rios and Jonathan Butts said they first alerted medical device maker Medtronic to the hacking vulnerabilities in January 2017. So far, they said, the proof-of-concept attacks they developed still work. The duo on Thursday demonstrated one hack that compromised a CareLink 2090 programmer, a device doctors use to control pacemakers after they’re implanted in patients.

  • Bad infrastructure means pacemakers can be compromised before they leave the factory

    # Windoze kills

    The new research is some of the most chilling to date. Rios and Butts have found vulnerabilities in Medtronic's infrastructure for programming and updating the pacemakers and their programming terminals (which run Windows XP!) (Windows XP!!). By attacking Medtronic's cloud infrastructure, the pair can poison all the devices as they leave the factory, or corrupt them once they're in the field.

  • Hackable implanted medical devices could cause deaths, researchers say

    To take control of the pacemaker, Rios and Butts went up the chain, hacking the system that a doctor would use to program a patient’s pacemaker. Their hack rewrote the system to replace the background with an ominous skull, but a real hack [sic] could modify the system invisibly, while ensuring that any pacemaker connected to it would be programmed with harmful instructions. “You can obviously issue a shock,” Butts said, “but you can also deny a shock.” Because the devices are implanted for a reason, he added, withholding treatment can be as damaging as active attempts to harm.

  • AWS does a guff in a bucket and exposes GoDaddy's dirty laundry

    Details included usage stats from GoDaddy, pricing and negotiated discounted rates from Amazon. More worryingly, there's also server config information, CPU specs, hostnames, operating systems and server loads.

    [...]

    GoDaddy was given a chance to plug the leaks, but after five weeks, UpGuard decided to act, as GoDaddy still hadn't locked things down.

  • Amazon AWS error exposes info on 31,000 GoDaddy servers

    Data leaks are par for the course these days, and the latest company to be involved in one is GoDaddy. The company, which says it's the world's top domain name registrar with over 18 million customers, is the subject of a new report from cybersecurity firm UpGuard that was shared exclusively with Engadget. In June, cyber risk analyst Chris Vickery discovered files containing detailed server information stored in an unsecured S3 bucket -- a cloud storage service from Amazon Web Services. A look into the files revealed multiple versions of data for over 31,000 GoDaddy systems.

  • Hackers [sic] Could Cause Havoc By Pwning Internet-Connected Irrigation Systems

    The researchers studied three different Internet of Things devices that help control irrigation and found flaws that would allow malicious hackers [sic] to turn them on remotely in an attempt to drain water. The attacks don’t rely on fancy hacking techniques or hard to find vulnerabilities, but to make a real, negative impact on a city’s water reserves, the hackers [sic] would need to take control of a lot of sprinklers. According to the researcher’s math, to empty an average water tower, hackers [sic] would need a botnet of 1,355 sprinklers; to empty a flood water reservoir, hackers [sic] would need a botnet of 23,866 sprinklers.

    The researchers say their attacks are innovative not because of the techniques, but because they don’t rely on targeting a city’s critical infrastructure itself, which is (or should be) hardened against hackers [sic]. Instead, it attacks weak Internet of Things devices connected to that infrastructure.

  • Windows BitPaymer ransomware scores a hole in one: US PGA takes a hit

    Malicious attackers have launched a Windows ransomware attack on the servers of the PGA of America golf tournament which began at the Bellerive County Club in St Louis on Thursday.

    Allan Liska, a ransomware expert from security firm Recorded Future, told iTWire that the ransomware in question appeared to be BitPaymer.

  • Hacking [sic] a Brand New Mac Remotely, Right Out of the Box

    That attack, which researchers will demonstrate Thursday at the Black Hat security conference in Las Vegas, targets enterprise Macs that use Apple's Device Enrollment Program and its Mobile Device Management platform. These enterprise tools allow employees of a company to walk through the customized IT setup of a Mac themselves, even if they work in a satellite office or from home. The idea is that a company can ship Macs to its workers directly from Apple's warehouses, and the devices will automatically configure to join their corporate ecosystem after booting up for the first time and connecting to Wi-Fi.

  • In-the-wild router exploit sends unwitting users to fake banking site

    The vulnerability works against DLink DSL-2740R, DSL-2640B, DSL-2780B, DSL-2730B, and DSL-526B models that haven’t been patched in the past two years. As described in disclosures here, here, here, here, and here, the flaw allows attackers to remotely change the DNS server that connected computers use to translate domain names into IP addresses.

  • In-vehicle wireless devices are endangering emergency first responders

    In late 2016, security researcher Justin Shattuck was on assignment for an organization that was under a crippling denial-of-service attack by a large number of devices, some of which appeared to be hosted inside the network of a large European airport. As he scanned the airport’s network from the Internet—and later, with the airport operators’ permission, from inside the network—he was eventually able to confirm that the devices were indeed part of several previously unseen botnets that were delivering record-setting denial-of-service attacks on websites.

  • Breaking Down the Door to Emergency Services through Cellular IoT Gateway

    Nearly two years have passed since we first started observing cellular gateways distributing packets across the internet. Today, we are only scratching the surface of what will inevitably turn into years of future research and discoveries before the world has tackled the problem of IoT devices being deployed without security considerations. For now, this article includes the following, and will be followed up with future research and discoveries.

    • The existence of cellular IoT devices that are not properly configured is allowing attackers to easily leverage remote administration for nefarious purposes.
      • The improperly configured devices we discovered and tested had either default administration credentials (such as admin:12345), or they required no authentication at all.
    • The absence of logging capabilities on these devices ensures that nefarious activities cannot be tracked.
    • Because most of the use cases for cellular IoT are for moving fleets, devices that need tracking, or remote critical infrastructure, virtually all of them have GPS coordinates. Excessive information disclosure, such as providing GPS coordinates publicly without requiring authentication (as some devices we discovered do) is giving attackers the ability to track fleet vehicles without ever breaking the law with unauthorized access. Yes, police cars can be tracked without breaking the law.
    • There is no bias on which industries or cellular device manufacturer will fall victim to threats emerging from cellular devices. Virtually every industry that requires some form of long-range, constant connectivity is impacted (and likely, most manufacturers) as development standards apply unilaterally.
    • As of July 28, 2018, we have identified more than 100,000 devices that are impacted online. 86% of the devices identified exist within the United States.
    • Attackers have been exploiting many of these systems since August 2016, if not earlier.
    • We have a defined list of impacted Sierra Wireless makes and models, however, we believe the problem to be widespread across all manufacturers of cellular IoT devices.


today's leftovers

tuxmachines.org - Sat, 08/11/2018 - 05:40
  • PGP Clean Room 1.0 Release

    After several months of work, I am proud to announce that my GSoC 2018 project, the PGP/PKI Clean Room, has arrived at a stable (1.0) release!

  • Review: The Binary Times Podcast

    I recently authored a detailed review of the Linux podcast scene, grilling 25 podcasts targeted at Linux and open source enthusiasts. Like any roundup of this type, it’s almost inevitable that a few podcasts missed my radar. One of these is The Binary Times Podcast. Apologies to the hosts of the show.

    To rectify matters, here’s my take on The Binary Times Podcast.

    This review is incorporated into my detailed review, so you can see where they rank among their peers.

  • Ubuntu Podcast from the UK LoCo: S11E22 – Catch-22 - Ubuntu Podcast

    It’s Season 11 Episode 22 of the Ubuntu Podcast! Alan Pope and Mark Johnson are connected and speaking to your brain.

  • Conference Report: Fullstack 2018 London

    I recently attended Fullstack 2018, “The Conference on JavaScript, Node & Internet of Things” with my colleagues from the Canonical Web Team in London. Fullstack attempts to cover the full spectrum of the JS ecosystem – frontend, backend, IoT, machine learning and a number of other topics. While I attended a broad range of talks, I’ll just mention those that I think are most pertinent to the work we are doing currently in the web team.

  • Dropbox Client Will Only Support Ext4 Filesystems On Linux Beginning November 7

    Beginning November 7, 2018, the Dropbox client will only support the Ext4 filesystem on Linux. The news, coming from the Dropbox forums, mentions that the only supported filesystems will be Ext4 for Linux, NTFS for Windows, and HFS+ or APFS for Mac.

  • Opera Wants to Be World's First PC Web Browser with a Built-In Crypto Wallet

    Opera Software announced that it plans to bring its famous crypto wallet used on the Opera for Android mobile web browser to the desktop on Linux, Mac, and Windows platforms, in an upcoming Opera for PC stable release.

    Opera was already the world's first web browser to introduce a built-in crypto wallet when Opera Software announced it for its Opera for Android mobile web browser, allowing users to do seamless transactions on the Internet while promoting the adoption of cryptocurrencies by the mainstream.

  • Opera opens its PC browsers to crypto

    - Opera to soon ship crypto wallet access with its PC browser

    - Opera PC browser will give users access to the built-in crypto wallet in Opera for Android

    - After strong interest in the private beta, Opera is opening the crypto wallet to a larger audience for testing.


6 Reasons Why Linux Users Switch to BSD

tuxmachines.org - Sat, 08/11/2018 - 05:39

Wonder why people use BSD? Read some of the main reasons that compel people to use BSD over Linux.


Open Source FUD and Openwashing

tuxmachines.org - Sat, 08/11/2018 - 05:34
  • 5G futures: Why Huawei when open source may be the new black?

    So, the Australian government has a big decision to make about whether it will allow Huawei to be a provider of Australia’s 5G communications network that will power the internet of things for us. The national security concerns with having the large Chinese firm take on such an important role have been outlined well by ASPI’s cyber policy team and others in a series of recent Strategist posts.

    The big question people have asked, though, is, if not Huawei, then what? Ex-head of the UK’s GCHQ signals intelligence organisation Robert Hanigan, for example, has said, ‘The dilemma for western governments is that Chinese technology is no longer derivative or cheap, it’s often world-leading. Do we cut ourselves off from this technology by banning it, or find ways of managing the risk?’ It sounds like there’s an inevitability to embracing the solutions of China’s big tech firms, either now or sometime in the future.

    But that may well be just plain wrong. Rather than asking who’s the alternative supplier to Huawei, the better question might be, why would Australia go with an outdated approach to hardware and software provision at a time when new approaches might play to industry

  • The Top 3 Open Source Tools for AWS Incident Response

    Welcome to our third blog on incident response in the cloud. The first two posts primarily focused on the built-in capabilities from cloud service providers that can help your incident response efforts. We also discussed how to configure your Amazon Web Services (AWS) environment to take advantage of those features.

    Today, we are going to look at some tools that are extremely helpful for responding to cloud incidents. I’m only going to look at open source tools for AWS in this post, so you can go download and play with them in your training or test environment now.

  • WhiteSource Launches Free Open Source Vulnerability Checking [Ed: InfoQ is promoting/pushing proprietary software from Microsoft buddy (they co-author anti-FOSS papers)]
  • SD Times news digest: WhiteSource’s free vulnerability checker, Julia 1.0, and the Blockchain Learning Center

    WhiteSource is making its Vulnerability Checker available for free for developers to detect if their solutions contain any of the 50 most critical open-source bugs out there today. The checker will enable users to import and scan any library as well as check if their projects are susceptible to the most recent and common bugs.


Programming/Development: Julia 0.7 and Rust

tuxmachines.org - Sat, 08/11/2018 - 05:29
  • Julia 0.7 arrives but let's call it 1.0: Data science code language hits milestone on birthday

    Julia, the open-source programming language with a taste for science, turned 1.0 on Thursday, six years after its public debut in 2012. The occasion was presented on YouTube, live from JuliaCon 2018 in London.

    Created by Jeff Bezanson, Stefan Karpinski, Viral Shah, and Alan Edelman, the language was designed to excel at data science, machine learning, and scientific computing.

    That's a niche – a rather substantial one these days – also served by Python and R, among other languages. However, Julia aspires to be better, undaunted by being ranked 50 on Tiobe's programming language popularity index for August 2018. For what it's worth, Python presently sits at number 4 while R comes in at 18.

  • Julia 1.0 Programming Language Released

    Julia, the LLVM-based, speed-focused, dynamic and optional typing, full-featured programming language focused on numerical computing has reached the version 1.0 milestone.

    The Julia language has been in the works for nearly a decade while now the 1.0 milestone has been reached. Julia remains committed to its key focus areas for the language. With Julia 1.0 the developers are committing to language API stability.

  • Rust's Low-Level Graphics Abstraction Layer Is Showing A Lot Of Potential

    The Rust programming language's "GFX-RS" initiative that is backed by Mozilla continues working on exposing a universal "Vulkan-like" graphics API within Rust that in turn would have back-ends for Vulkan, OpenGL, Metal, and Direct3D 11/12 in order to reach all major platforms. Early benchmark results are quite promising for GFX-RS.


Budgie Desktop, KDE and GNOME

tuxmachines.org - Sat, 08/11/2018 - 05:17
  • Summertime Solus | The Roundup #7

    For those that missed our announcements of last week’s Hackfest, you can watch it via the video embedded below. Most of this roundup will cover the work that has been done since the last roundup (in the specific sections in this blog) as well as the Hackfest, so if you don’t want to sit through the 10 hours of content, feel free to just keep reading.

  • Solus Linux & Its Budgie Desktop Seeing Summer 2018 Improvements

    The Solus Project has shared some of the work they've been engaged in this summer with their Linux distribution as well as their GTK3-based Budgie Desktop Environment.

  • Community Data Analytics Are Going to Akademy

    If you are interested in community data analytics, you will have several opportunities to discuss them during Akademy.

    Firstly, there will be my talk titled Bringing Community Data Analysis Back to KDE (why the hell did I use "Analysis" there... I only used "Analytics" everywhere so far, odd). It will happen on Saturday at 15:30 in room IE7. The slot is a bit small for the topic, but I'll try my best to create interest. Indeed you can catch me around talks to chat about it, and...

    Secondly, there will be a BoF "Discussing Community Data Analytics" on Monday at 10:30 in room 127. We hope to see people coming up with interesting questions to explore or willing to lend a hand in those explorations. See you there!

  • The birth of a new runtime

    Runtimes are a core part of the flatpak design. They are a way to make bundling feasible, while still fully isolating from the host system. Application authors can bundle the libraries specific to the application, but don’t have to care about the lowlevel dependencies that are uninteresting (yet important) for the application.

    Many people think of runtimes primarily as a way to avoid duplication (and thus bloat). However, they play two other important roles. First of all they allow an independent stream of updates for core libraries, so even dead apps get fixes. And secondly, they allow the work of the bundling to be shared between all application authors.

    [...]

    This runtime has the same name, and its content is very similar, but it is really a complete re-implementation. It is based on a new build system called BuildStream, which is much nicer and a great fit for flatpak. So, no more Yocto, no more buildbake, no multi-layer builds!

    Additionally, it has an entire group of people working on it, including support from Codethink. It's already using gitlab, with automatic builds, CI, etc. There is also a new release model (year.month) with a well-defined support time. Also, all the packages are much newer!

    Gnome is also looking at using this as the basis for its releases, its CI system and eventually the Gnome runtime.


Red Hat and Fedora: OpenShift, Finance, and Improving Fedora's App Backend

tuxmachines.org - Sat, 08/11/2018 - 05:14


Intel IWD Wireless Daemon v0.6 Released

tuxmachines.org - Sat, 08/11/2018 - 05:01

Out today is a new version of IWD, the Intel-developed wireless daemon for Linux systems. IWD v0.6 is the latest version which is actually a quick follow-up release to address bugs from IWD v0.5 issued this morning.

IWD 0.5 added support for using agents with EAP-GTC methods, improved support for "known networks" management, support for Simultaneous Authentication of Equals, now exposes supported modes of operation, and can support D-Bus auto-activation via systemd.

