Language Selection

English French German Italian Portuguese Spanish

OSS Leftovers

Filed under
OSS
  • Google open sources ClusterFuzz

    The fuzzing software is designed to automatically feed unexpected inputs to an application in order to unearth bugs.

    Google originally wrote ClusterFuzz to test for bugs in its Chrome web browser, throwing 25,000 cores at the task. In 2012, Google said that ClusterFuzz was running around 50 million test cases a day on Chrome. So far it’s helped find some 16,000 bugs in the web browser.

    [...]

    ClusterFuzz has been released under version 2.0 of the Apache License.

  • Google open-sources ClusterFuzz, a tool that has uncovered 16,000 bugs in Chrome

    Ever heard of “fuzzing”? It’s not what you think — in software engineering, the term refers to a bug-detecting technique that involves feeding “unexpected” or out-of-bounds inputs to target programs. It’s especially good at uncovering memory corruption bugs and code assertions, which normally take keen eyes and a lot of manpower — not to mention endless rounds of code review.

    Google’s solution? Pass the fuzzing work off to software. Enter ClusterFuzz, a cheekily named infrastructure running on over 25,000 cores that continuously (and autonomously) probes Chrome’s codebase for bugs. Two years ago, the Mountain View company began offering ClusterFuzz as a free service to open source projects through OSS-Fuzz, and today, it’s open-sourcing it on GitHub.

  • Last week of early birds!

    We do have some parts of the schedule fixed: the trainings and some initial speakers.

    The trainings are open enrollment courses at a bargain price, where parts of the dividends goes to financing the conference. This year we have two great trainers: Michael Kerrisk of manpage and The Linux Programming Interface fame, and Chris Simmonds, the man behind the Mastering Embedded Linux Programming book and a trainer since more than 15 years. The trainings held are: Building and Using Shared Libraries on Linux and Fast Track to Embedded Linux. These are both one day courses held in a workshop format.

  • Closing AGPL cloud services loop-hole: a MongoDB approach

    The problem comes with software-as-a-service. Large cloud or hosted services providers have found ways to commercialise popular open source projects without giving anything back, thus limiting software freedom intended by the licensors. The business model primarily focuses on offering managed services, e.g. customisation, integration, service levels and others, to a freely available open source component and charging a fee for this. Open source projects do not usually have the scale to effectively withstand such competition by providing similar offerings. To say the least, this pattern incentivises the writing of the software in closed source code.

    AGPL is not enough to capture such a services scenario. Commercial entities rarely modify open source components and, if they do, releasing corresponding source code to such modifications does not affect their proprietary interests or revenue flow.

More in Tux Machines

Security: Sphinx, Ransomware, Webmin, YubiKey

  • Exposed Sphinx Servers Are No Challenge for Hackers [Ed: That’s the same agency and the same troll site that initially promoted the lies and the FUD about VLC]

    A popular open-source text search server, Sphinx offers impressive performance for indexing and searching data in databases or just in files. It is cross-platform, available for Linux, Windows, macOS, Solaris, FreeBSD, and a few other operating systems. [...] CERT-Bund posted the warning on Twitter today alerting network operators and providers about the risk of running Sphinx servers with a default configuration that are open on the web. The organization highlights that Sphinx lacks any authentication mechanisms. Exposing it on the web gives an attacker the possibility "to read, modify or delete any data stored in the Sphinx database."

  • Ransomware Hits Texas Local Governments [iophk: Windows TCO]

    The attack was observed on the morning of August 16 and appears to have been launched by a single threat actor, the DIR announcement reads.

    The State Operations Center (SOC) was activated soon after the attack reports started to come in, and DIR says that all of the entities that were actually or potentially affected appear to have been identified and notified.

    A total of twenty-three entities have been confirmed as impacted so far, and the responders are working on bringing the affected systems back online.

  • Webmin Backdoored for Over a Year

    The security hole impacts Webmin 1.882 through 1.921, but most versions are not vulnerable in their default configuration as the affected feature is not enabled by default. Version 1.890 is affected in the default configuration. The issue has been addressed with the release of Webmin 1.930 and Usermin version 1.780.

  • The YubiKey 5Ci is the 'first' iOS-compatible security key

    Like other YubiKey options in the 5 series, the YubiKey 5Ci supports multiple authentication protocols, including IDO2/WebAuthn, FIDO U2F, OTP (one-time-password), PIV (Smart Card), and OpenPGP.

Android Leftovers

Analysis of the state of play of Open Source policies in EU Member States

The study on OSS policies will answer the following research questions, each of which will be elaborated upon in dedicated chapters: [...] Read more

Android Leftovers