LWN

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.

Anticipating KDE's 20th anniversary

Tuesday 6th of September 2016 06:38:55 AM
The announcement of a project to develop the "Kool Desktop Environment" went out on October 14, 1996. As the 20th anniversary of that announcement approaches, the KDE project is celebrating with a project timeline and a 20 Years of KDE book. "This book presents 37 stories about the technical, social and cultural aspects that shaped the way the KDE community operates today. It has been written as part of the 20th anniversary of KDE. From community founders and veterans to newcomers, with insights from different perspectives and points of view, the book provides you with a thrilling trip through the history of such an amazing geek family."

Kernel prepatch 4.8-rc5

Monday 5th of September 2016 06:56:07 AM
The 4.8-rc5 kernel prepatch is available for testing. "So rc5 is noticeably bigger than rc4 was, and my hope last week that we were starting to calm down and shrink the releases seems to have been premature. [...] Not that any of this looks worrisome per se, but if things don't start calming down from now, this may be one of those releases that will need an rc8. We'll see."

Z-Wave protocol specification now public

Friday 2nd of September 2016 10:58:35 PM

The Z-Wave wireless home-automation protocol has been released to the public. In years past, the specification was only available to purchasers of the Z-Wave Alliance's development kit, forcing open-source implementations to reverse-engineer the protocol. The official press release notes that there are several such projects, including OpenZWave; Z-Wave support is also vital to higher-level Internet-of-Things abstraction systems like AllJoyn.

Friday's security updates

Friday 2nd of September 2016 03:43:20 PM

Arch Linux has updated chromium (multiple vulnerabilities) and webkit2gtk (multiple vulnerabilities).

Debian has updated libidn (multiple vulnerabilities).

Debian-LTS has updated mailman (password disclosure).

Fedora has updated canl-c (F24; F23: proxy manipulation), krb5 (F23: denial of service), libksba (F24: denial of service), openvpn (F23: information disclosure), tomcat (F24; F23: denial of service), and webkitgtk4 (F23: multiple vulnerabilities).

openSUSE has updated karchive (SLE12: command execution).

Oracle has updated ipa (O7; O6: denial of service).

Suspect in kernel.org breakin arrested

Friday 2nd of September 2016 02:08:15 PM
The US Department of Justice has announced that it has arrested a suspect in the 2011 kernel.org breakin. "[Donald Ryan] Austin is charged with causing damage to four servers located in the Bay Area by installing malicious software. Specifically, he is alleged to have gained unauthorized access to the four servers by using the credentials of an individual associated with the Linux Kernel Organization. According to the indictment, Austin used that access to install rootkit and trojan software, as well as to make other changes to the servers."

Contemplating the possible retirement of Apache OpenOffice

Friday 2nd of September 2016 07:02:15 AM
Outgoing Apache OpenOffice project management committee (PMC) chair Dennis Hamilton has begun the discussion of a possible (note possible at this point) shutdown of the project. "In the case of Apache OpenOffice, needing to disclose security vulnerabilities for which there is no mitigation in an update has become a serious issue. In response to concerns raised in June, the PMC is currently tasked by the ASF Board to account for this inability and to provide a remedy. An indicator of the seriousness of the Board's concern is the PMC being requested to report to the Board every month, starting in August, rather than quarterly, the normal case. One option for remedy that must be considered is retirement of the project. The request is for the PMC's consideration among other possible options." (Thanks to James Hogarth.)

Also of interest is this note on how the handling of CVE-2016-1513 went.

OpenBSD 6.0

Thursday 1st of September 2016 08:54:59 PM
OpenBSD 6.0 has been released. An EFI bootloader has been added to the armv7 platform along with other improvements for that platform. Also in this release are new and improved hardware support, IEEE 802.11 wireless stack improvements, generic network stack improvements, installer improvements, routing daemons and other userland network improvements, security improvements, and more. The announcement also contains information about OpenSMTPD 6.0.0, OpenSSH 7.3, OpenNTPD 6.0, and LibreSSL 2.4.2.

Thursday's security updates

Thursday 1st of September 2016 03:08:51 PM

Debian-LTS has updated cacti (authentication bypass).

Mageia has updated eog (M5: out-of-bounds write), python3/python (M5: HTTPoxy attack), redis (M5: information leak), and webkit2 (M5: multiple vulnerabilities).

openSUSE has updated cracklib (Leap 42.1: code execution), gd (13.2: out-of-bounds read), and libgcrypt (13.2: flawed random number generation).

Red Hat has updated ipa (RHEL 6,7: denial of service).

Slackware has updated mozilla thunderbird (14.1, 14.2: unspecified vulnerabilities).

Building a new Tor that can resist next-generation state surveillance (ars technica)

Thursday 1st of September 2016 09:07:23 AM
Here's a lengthy ars technica article on efforts to replace Tor with something more secure. "As a result, these known weaknesses have prompted academic research into how Tor could be strengthened or even replaced by some new anonymity system. The priority for most researchers has been to find better ways to prevent traffic analysis. While a new anonymity system might be equally vulnerable to adversaries running poisoned nodes, better defences against traffic analysis would make those compromised relays much less useful and significantly raise the cost of de-anonymising users."

[$] LWN.net Weekly Edition for September 1, 2016

Thursday 1st of September 2016 01:39:30 AM
The LWN.net Weekly Edition for September 1, 2016 is available.

More in Tux Machines

Networking and Security

  • FAQ: What's so special about 802.11ad Wi-Fi?
    Here are the broad strokes about 802.11ad, the wireless technology that’s just starting to hit the market.
  • 2.5 and 5 Gigabit Ethernet Now Official Standards
    In 2014, multiple groups started efforts to create new mid-tier Ethernet speeds with the NBASE-T Alliance starting in October 2014 and MGBASE-T Alliance getting started a few months later in December 2014. While those groups started out on different paths, the final 802.3bz standard represents a unified protocol that is interoperable across multiple vendors. The promise of 2.5 and 5 Gbps Ethernet is that they can work over existing Cat5 cabling, which to date has only been able to support 1 Gbps. Now with the 802.3bz standard, organizations do not need to rip and replace cabling to get Ethernet that is up to five times faster. "Now, the 1000BASE-T uplink from the wireless to wired network is no longer sufficient, and users are searching for ways to tap into higher data rates without having to overhaul the 70 billion meters of Cat5e / Cat6 wiring already sold," David Chalupsky, board of directors of the Ethernet Alliance and Intel principal engineer, said in a statement. "IEEE 802.3bz is an elegant solution that not only addresses the demand for faster access to rapidly rising data volumes, but also capitalizes on previous infrastructure investments, thereby extending their life and maximizing value."
  • A quick fix for stupid password reset questions
    It didn’t take 500 million hacked Yahoo accounts to make me hate, hate, hate password reset questions (otherwise known as knowledge-based authentication or KBA). It didn't help when I heard that password reset questions and answers -- which are often identical, required, and reused on other websites -- were compromised in that massive hack, too. Is there any security person or respected security guidance that likes them? They are so last century. What is your mother’s maiden name? What is your favorite color? What was your first pet’s name?
  • French hosting provider hit by DDoS close to 1TBps
    A hosting provider in France has been hit by a distributed denial of service attack that went close to one terabyte per second. Concurrent attacks against OVH clocked in at 990GBps. The attack vector is said to be the same Internet-of-Things botnet of 152,464 devices that brought down the website of security expert Brian Krebs. OVH chief technology officer Octave Klaba tweeted that the network was capable of attacks up to 1.5TBps.
  • Latest IoT DDoS Attack Dwarfs Krebs Takedown At Nearly 1Tbps Driven By 150K Devices
    If you thought that the massive DDoS attack earlier this month on Brian Krebs’ security blog was record-breaking, take a look at what just happened to France-based hosting provider OVH. OVH was the victim of a wide-scale DDoS attack that was carried out via a network of over 152,000 IoT devices. According to OVH founder and CTO Octave Klaba, the DDoS attack reached nearly 1 Tbps at its peak. Of those IoT devices participating in the DDoS attack, they were primarily comprised of CCTV cameras and DVRs. Many of these types of devices' network settings are improperly configured, which leaves them ripe for the picking for hackers that would love to use them to carry out destructive attacks.

Android Leftovers

  • Goodbye QWERTY: BlackBerry stops making hardware
    BlackBerry CEO John Chen has been hinting at this move for almost a year now: today BlackBerry announced it will no longer design hardware. Say goodbye to all the crazy hardware QWERTY devices, ultra-wide phones, and unique slider designs. Speaking to investors, BlackBerry CEO John Chen described the move as a "pivot to software," saying, "The company plans to end all internal hardware development and will outsource that function to partners. This allows us to reduce capital requirements and enhance return on invested capital." The "Outsourcing to partners" plan is something we've already seen with the "BlackBerry" DTEK50, which was just a rebranded Alcatel Idol 4. Chen is now betting the future of the company on software, saying, "In Q2, we more than doubled our software revenue year over year and delivered the highest gross margin in the company's history. We also completed initial shipments of BlackBerry Radar, an end-to-end asset tracking system, and signed a strategic licensing agreement to drive global growth in our BBM consumer business." BlackBerry never effectively responded to the 2007 launch of the iPhone and the resulting transition to modern touchscreen smartphones. BlackBerry took swings with devices like the BlackBerry Storm in 2008, its first touchscreen phone; and the BlackBerry Z10 in 2013, the first BlackBerry phone with an OS designed for touch, but neither caught on. BlackBerry's first viable competitor to the iPhone didn't arrive until it finally switched to Android in 2015 with the BlackBerry Priv. It was the first decent BlackBerry phone in some time, but the high price and subpar hardware led to poor sales.
  • Oracle's 'Gamechanger' Evidence Really Just Evidence Of Oracle Lawyers Failing To Read
    Then on to the main show: Oracle's claim that Google hid the plans to make Android apps work on Chrome OS. Google had revealed to Oracle its "App Runtime for Chrome" (ARC) setup, and it was discussed by Oracle's experts, but at Google I/O, Google revealed new plans for apps to run in Chrome OS that were not using ARC, but rather a brand new setup, which Google internally referred to as ARC++. Oracle argued that Google only revealed to them ARC, but not ARC++ and that was super relevant to the fair use argument, because it showed that Android was replacing more than just the mobile device market for Java. But, here's Oracle's big problem: Google had actually revealed to Oracle the plans for ARC++. It appears that Oracle's lawyers just missed that fact. Ouch.
  • Understanding Android's balance between openness and security
    At the 2016 Structure Security conference, Google's Adrian Ludwig talked about the balance between keeping Android as open as possible, while also keeping it secure.
  • Google's Nougat Android update hits the sweet spot: Software 'isn't flashy, but still pretty handy'
    Nougat, Google's latest update of its Android smartphone software, isn't particularly flashy; you might not even notice what's different about it at first. But it offers a number of practical time-saving features, plus a few that could save money — and perhaps even your life. Nougat is starting to appear on phones, including new ones expected from Google next week.
  • How to change the home screen launcher on Android
  • Andromeda: Chrome OS and Android will merge
  • Sale of Kodi 'fully-loaded' streaming boxes faces legal test
  • Android boxes: Middlesbrough man to be first to be prosecuted for selling streaming kits

Endless OS 3.0 is out!

So our latest and greatest Endless OS is out with the new 3.0 version series! The shiny new things include the use of Flatpak to manage the applications; a new app center (GNOME Software); a new icon set; a new Windows installer that gives you the possibility of installing Endless OS in dual-boot; and many bug fixes.

Expandable, outdoor IoT gateway runs Android on i.MX6

VIA’s “Artigo A830” IoT gateway runs Android on an i.MX6 DualLite SoC and offers HDMI, GbE, microSD, numerous serial and USB ports, plus -20 to 60° operation. As the name suggests, the VIA Technologies Artigo A830 Streetwise IoT Platform is designed for outdoor Internet of Things gateway applications. These are said to include smart lockers, vending machines, information kiosks, and signage devices that run “intensive multimedia shopping, entertainment, and navigation applications.” The outdoors focus is supported with an extended -20 to 60°C operating range, as well as surge and ESD protection for surviving challenges such as a nearby lightning strike.