Domain: github.com
Stories and comments across the archive that link to github.com.
Stories · 729
-
MediaGoblin 0.7.0 "Time Traveler's Delight" Released
paroneayea (642895) writes "The GNU MediaGoblin folks have put out another release of their free software media hosting platform, dubbed 0.7.0: Time Traveler's Delight. The new release moves closer to federation by including a new upload API based on the Pump API, a new theme labeled "Sandy 70s Speedboat", metadata features, bulk upload, a more responsive design, and many other fixes and improvements. This is the first release since the recent crowdfunding campaign run with the FSF which was used to bring on a full time developer to focus on federation, among other things." -
Tor Browser Security Under Scrutiny
msm1267 writes: The keepers of Tor commissioned a study testing the defenses and viability of their Firefox-based browser as a privacy tool. The results (PDF) were a bit eye-opening since the report's recommendations don't favor Firefox as a baseline for Tor, rather Google Chrome. But Tor's handlers concede that budget constraints and Chrome's limitations on proxy support make a switch or a fork impossible. -
Project Aims To Build a Fully Open SoC and Dev Board
DeviceGuru (1136715) writes "A non-profit company is developing an open source 64-bit system-on-chip that will enable fully open hardware, 'from the CPU core to the development board.' The 'lowRISC' SoC is the brainchild of a team of hardware and software hackers from the University of Cambridge, with the stated goal of implementing a 'fully open computing eco-system, including the instruction set architecture (ISA), processor silicon, and development boards.' The lowRISC's design is based on a new 64-bit RISC-V ISA, developed at UC Berkeley. The RISC-V core design has now advanced enough for the lowRISC project to begin designing an SoC around it. Prototype silicon of a 'RISC-V Rocket' core itself has already been benchmarked at UC Berkeley, with results (on GitHub) suggesting that in comparison to a 32-bit ARM Cortex-A5 core, the RISC-V core is faster, smaller, and uses less power. And on top of that it's open source. Oh, and there's a nifty JavaScript-based RISC-V simulator that runs in your browser." -
Ryan Lackey, Marc Rogers Reveal Inexpensive Tor Router Project At Def Con
An anonymous reader writes Ryan Lackey of CloudFlare and Marc Rogers of Lookout revealed a new OPSEC device at Def Con called PORTAL (Personal Onion Router to Assure Liberty). It "provides always-on Tor routing, as well as 'pluggable' transport for Tor that can hide the service's traffic signature from some deep packet inspection systems." In essence, PORTAL is a travel router that the user simply plugs into their existing device for more than basic Tor protection (counterpoint to PogoPlug Safeplug and Onion Pi). On the down side, you have to download PORTAL from GitHub and flash it "onto a TP-Link compatible packet router." The guys behind the device acknowledge that not many people may want to (or even know how to) do that, so they're asking everyone to stand by because a solution is pending. The project's GitHub page has a README file that lists compatible models, with some caveats: "It is highly recommended to use a modified router. The modified MR11U and WR703N provide a better experience than the stock routers due to the additional RAM. The severe space constraints of the stock router make them very challenging to work with. Due to the lack of usable space, it is necessary to use an external disk to store the Tor packages. The stock router has only a single USB port, and the best option is to use a microSD in a 3G modem." (Note: Lackey is no stranger to helping people secure internet privacy.) -
Algorithm Predicts US Supreme Court Decisions 70% of Time
stephendavion writes A legal scholar says he and colleagues have developed an algorithm that can predict, with 70 percent accuracy, whether the US Supreme Court will uphold or reverse the lower-court decision before it. "Using only data available prior to the date of decision, our model correctly identifies 69.7 percent of the Court's overall affirm and reverse decisions and correctly forecasts 70.9% of the votes of individual justices across 7,700 cases and more than 68,000 justice votes," Josh Blackman, a South Texas College of Law scholar, wrote on his blog Tuesday. -
PHP Finally Getting a Formal Specification
itwbennett (1594911) writes "Despite becoming one of the most widely used programming languages on the Web, PHP didn't have a formal specification — until now. Facebook engineer and PHP core contributor Sara Golemon announced the initiative at OSCON earlier this month, and an initial draft of the specification was posted Wednesday on GitHub." -
A Look At the Firepick Delta Circuit Board Assembler (Video)
From the Firepick website: 'We are developing a really cool robotic machine that is capable of assembling electronic circuit boards (it also 3D prints, and does some other stuff!). It uses a vacuum nozzle to pick really tiny resistors and computer chips up, and place them down very carefully on a printed circuit board.' There are lots of companies here and in China that will happily place and solder components on your printed circuit board, but hardly any that will do a one-off prototype or a small quantity. And the components have gotten small enough that this is really a job for a robot (or at least a Waldo), not human fingers. || There are obviously other devices on the market that do this, but Firepick Delta creator Neil Jansen says they are far too expensive for small companies, let alone individual makers.
The Firepick Delta Hackaday page talks about a $300 price for this machine. That may be too optimistic, but even if it ends up costing two or three times that amount, that's still a huge step forward for small-time inventors and custom manufacturers who need to populate just a few circuit boards, not thousands. They have a Haxlr8r pitch video, and have been noticed by TechCrunch, 3DPrintBoard.com, and Adafruit, just to name a few. Kickstarter? Not yet. Maybe next year. Open source? Totally, complete with GitHub repository. And they were at OSCON 2014, which is where Timothy found them. (Alternate Video Link) -
seL4 Verified Microkernel Now Open Source
Back in 2009, OKLabs/NICTA announced the first formally verified microkernel, seL4 (a member of the L4 family). Alas, it was proprietary software. Today, that's no longer the case: seL4 has been released under the GPLv2 (only, no "or later versions clause" unfortunately). An anonymous reader writes OSnews is reporting that the formally verified seL4 microkernel is now open source: "General Dynamics C4 Systems and NICTA are pleased to announce the open sourcing of seL4, the world's first operating-system kernel with an end-to-end proof of implementation correctness and security enforcement. It is still the world's most highly assured OS." Source is over at GitHub. It supports ARM and x86 (including the popular Beaglebone ARM board). If you have an x86 with the VT-x and Extended Page Table extensions you can even run Linux atop seL4 (and the seL4 website is served by Linux on seL4). -
A Warm-Feeling Wooden Keyboard (Video)
Plastic, plastic everywhere! Except on most surfaces of the Keyboardio ergonomic keyboard, which started as a 'scratch his itch' project by Jesse Vincent. According to his blurb on the Keyboardio site, Jesse 'has spent the last 20 years writing software like Request Tracker, K-9 Mail, and Perl. He types... a lot. He tried all the keyboards before finally making his own.'
His objective was to make a keyboard he really liked. And he apparently has. This video was shot in June, and Jesse already has a new model prototype under way that Tim Lord says is a notable improvement on the June version he already liked. || Note that the Keyboardio is hackable and open source, so if you think you can improve it, go right ahead. (Alternate Video Link) -
Mozilla Doubles Down on JPEG Encoding with mozjpeg 2.0
An anonymous reader writes: Mozilla today announced the release of mozjpeg version 2.0. The JPEG encoder is now capable of reducing the size of both baseline and progressive JPEGs by 5 percent on average (compared to those produced by the standard JPEG library libjpeg-turbo upon which mozjpeg is based). Mozilla today also revealed that Facebook is testing mozjpeg 2.0 to see whether it can be used to improve the compression of images on Facebook.com. The company has even donated $60,000 to contribute to the ongoing development of the technology. -
Take a Picture Just By Thinking About It, Using Google Glass With MindRDR App
rtoz (2530056) writes A London based company, This Place, is launching a new app "MindRDR" for providing one more way for controlling Google Glass. It will allow the users to control the Google Glass with their thoughts. This MindRDR application bridges the Neurosky EEG biosensor and Google Glass. It allows users to take photos and share them on Twitter and Facebook by simply using brainwaves alone. This Place has put the code of this app on GitHub for others to use it and expand on it. -
All Web Developers Should Have Access to a Device Lab (Video)
This interview with Googler Pete LePage took place at Google I/O 2014, where Pete and coworker Matt Gaunt set up a Device Lab with 46 different devices on their display wall. The point wasn't to show off Google's coolness as much as it was to let developers see how their websites displayed on as wide a range of mobile devices as possible. This is reminiscent of the last century's Any Browser campaign, which was set up to encourage developers to make sites that worked right in any browser instead of having a WWW full of sites "best viewed in Exploroscape" that displayed poorly in other browsers.
Today, the trick is to make a site that is fully functional across a wide range of devices with different size screens that a user might decide to view in landscape mode one day and portrait mode the next. Google is happy to share their MiniMobileDeviceLab with you to help set up multi-unit displays. Pete also suggests checking out PageSpeed Insights and Web Fundamentals even if you're a skilled and experienced Web designer, because those two Google sites are chock full of information on how to make sure your site works right on most devices and in most popular browsers. (Alternate Video Link) -
Qualcomm Takes Down 100+ GitHub Repositories With DMCA Notice
An anonymous reader writes Qualcomm has forced GitHub to remove over 100 repositories due to "unauthorized publication, disclosure, and copying of highly sensitive, confidential, trade secret, and copyright-protected documents." Among the repositories taken down were for CyanogenMod and Sony Xperia. The issue though is that these "highly sensitive" and "confidential" files are Linux kernel code and reference/sample code files that can be easily found elsewhere, including the Android kernel, but GitHub has complied with Qualcomm's DMCA request. -
WebODF: JavaScript Open Document Format Editor Deemed Stable
oever (233119) writes with news that WebODF (an Open Document Format editor written entirely using JavaScript and natively rendering the XML document using CSS) 0.5.0 has been released, and the developers are declaring this release stable enough for everyday use. TheMukt chides Google for not supporting the OpenDocument Format well and claims that the newly released WebODF 0.5.0 in combination with ownCloud is the answer to this deficiency. A WebODF developer blog highlights all the goodies in the first WebODF release where the text editor is considered stable and made available as an easy to use component. These include extensive benchmarking, unit testing, and advanced HTML5 techniques to give the editor a native feel. There's also touch screen support, and better support for real-time collaborative editing. A demo shows off a few of the features. -
Programming On a Piano Keyboard
An anonymous reader writes: Here's a fun project: engineer Yuriy Guts built a Visual Studio extension that lets people program using MIDI instruments. You can write code letter by letter on a piano keyboard. Granted, it's not terribly efficient, but it's at least artistic — you can compose music that is also a valid computer program. Somewhat more usefully, it also allows you to turn a simple MIDI input device, like a trigger pad into a set of buttons that will run tests, push/pull code, or other tasks suitable for automation. The extension is open source and open to contributions. -
3D Windowing System Developed Using Wayland, Oculus Rift
An anonymous reader writes Developed as part of a university master thesis is this "truly 3D" windowing system environment. The 3D desktop was developed as a Qt Wayland compositor and output to an Oculus Rift display and then controlled using a high-precision Razer mouse. Overall, it's interesting research for bringing 2D windows into a 3D workspace using Wayland and the Oculus Rift. The code is hosted as the Motorcar Compositor. A video demonstration is on YouTube. -
Auditors Release Verified Repositories of TrueCrypt
Trailrunner7 writes: As the uncertainty surrounding the end of TrueCrypt continues, members of the security community are working to preserve a known-good archive of the last version of the open source encryption software released before the developers inserted a warning about potential unfixed bugs in the software and ended development.
The message that the TrueCrypt posted about the security of the software also was included in the release of version 7.2a. The OCAP team decided to focus on version 7.1a and created the verified repository by comparing the SHA2 hashes with files found in other TrueCrypt repositories. So the files are the same as the ones that were distributed as 7.1a. "These files were obtained last November in preparation for our audit, and match the hash reported by iSec in their official report from phase I of the audit," said Kenn White, part of the team involved in the TrueCrypt audit. -
Microsoft Fixing Windows 8 Flaws, But Leaving Them In Windows 7
mask.of.sanity sends this news from El Reg: "Microsoft has left Windows 7 exposed by only applying security upgrades to its newest operating systems. Researchers found the gaps after they scanned 900 Windows libraries using a custom diffing tool and uncovered a variety of security functions that were updated in Windows 8 but not in 7. They said the shortcoming could lead to the discovery of zero day vulnerabilities. The missing safe functions were part of Microsoft's dedicated libraries intsafe.h and strsafe.h that help developers combat various attacks. [Video, slides.]" -
id Software's Original 'Softdisk' Games Open Sourced
An anonymous reader writes "The original games developed by John Carmack, John Romero, and Adrian Carmack at Softdisk, where the legendary programmers originally met and went on to start id Software, have been open-sourced under the GPLv2. The games are now owned by Flat Rock Software and the open-source titles available are Catacomb, The Catacomb, Catacomb 3D, Catacomb Abyss, and Hovertank3D. The oldest of these games are written in Borland Turbo Pascal while the others are in Borland C++. The source-code can be downloaded from GitHub." -
Servo Stock 3D Printer Brings Closed-Loop Control To Reprap
A limitation of current (affordable) 3D printers is their use of open loop controllers and stepper motors which limits reliability (drove the motor too quickly and skipped a step? Your model is ruined) and precision (~300 steps per revolution). A new project, Servo Stock, instead uses cheap RC Servomotors combined with Hall Effect sensors, using a closed-loop controller to precisely position the extruder. The Servo Stock is derived from the delta robot Reprap Rostock (which is pretty cool even with stepper motors). The sensors give a resolution of 4096 ticks per rotation, and the controller can currently position the motors to within +/-2 ticks. They've also simplified the printer electronics by driving as much as possible from the controlling computer using Bowler, a new communication protocol for machine control. The Servo Stock also includes sensors for the hot end, presumably to be used to control the filament feed rate and temperature. The hardware models are fully parametric, allowing reasonably straightforward scaling of the design. Source for the hardware, firmware, and software is available. A note on the video: the extruder platform is tilted in the video, but a project update indicates it was fixed by making the support arms more rigid.
-
Estonia Urged To Drop Internet Voting Over Security Fears
wiredmikey (1824622) writes "A team of global IT experts have urged Estonia to drop electronic voting from this month's European elections, saying they had identified major security risks. They also said the system's operational security is lax, transparency measures are insufficient, and the software design is vulnerable to cyber attacks. 'Estonia's Internet voting system blindly trusts the election servers and the voters' computers,' said U.S. computer scientist J. Alex Halderman, a co-author of the report released Tuesday. 'Either of these would be an attractive target for state-level attackers, such as Russia.'" The source for the voting system is available for anyone to inspect. The Estonian National Electoral Committee released a statement dismissing the researchers' claims: "At this point, we can give only preliminary answers to allegations published in the Guardian, as the researchers have not shared the full results of their work with us. The researchers met with officials from the electoral committee in October 2013, and could have contacted us at any point in the last 6 months to share the initial findings of their research. ... The researchers have not discovered any new attack vectors that had not already been accounted for in the design of our system as a whole. ... It is not feasible to effectively conduct the described attacks to alter the results of the voting. ... The electoral committee has numerous safeguards and failsafe mechanisms to detect attacks against the elections or manipulated results." -
OpenRISC Gains Atomic Operations and Multicore Support
An anonymous reader writes "You might recall the Debian port that is coming to OpenRISC (which is by the way making good progress with 5000 packages building) — Olof, a developer on the OpenRISC project, recently posted a lengthy status update about what's going on with OpenRISC. A few highlights are upstreamed binutils support, multicore becoming a thing, atomic operations, and a new build system for System-on-Chips." -
Shunting the FCC To the Slow Lane
An anonymous reader writes "Following the FCC's proposal a couple weeks ago to allow an internet fast lane, a group of activists has come up with a fun counterproposal: force the FCC itself into the slow lane and see how they like it. They write, 'Since the FCC seems to have no problem with this idea, I've (through correspondence) gotten access to the FCC's internal IP block, and throttled all connections from the FCC to 28.8kbps modem speeds on the Neocities.org front site, and I'm not removing it until the FCC pays us for the bandwidth they've been wasting instead of doing their jobs protecting us from the "keep America's internet slow and expensive forever" lobby.' The group has published the code snippet that throttles FCC IP addresses, and they encourage other web admins to implement it." -
Crytek Open-Sources Their 'Renderdoc' 3D Debugger
An anonymous reader writes "Game studios now seem to be forming a habit out of opening up their debugger / development utilities. After Valve's notable VOGL debugger, Crytek has now decided to open source their Renderdoc debugger. Renderdoc had been available for free use since earlier in the year but now they have posted an MIT-licensed version of the code to GitHub. Renderdoc builds on both Windows and Linux but for now just targets the Direct3D 11 graphics API while OpenGL support is being expected later." -
TLS 1.3 Draft Prepares to Drop Static RSA Key Exchange
msm1267 (2804139) writes with a bit of news from last week that seems to have slipped under the radar. The IETF TLS working group has reached consensus on dropping static RSA cipher suites from TLS 1.3, instead requiring the use of Diffie-Hellman Exchange (or the faster elliptic curve variant). Static DH and not just ephemeral DH key exchange will be supported, so not all connections will have forward secrecy. The consensus is subject to change before the final TLS 1.3 specification is released, and there are still details to be worked out. The changes to the draft are pending as a git pull request. -
GitHub Open Sources Atom, Their Text Editor Based On Chromium
First time accepted submitter aojensen (1503269) writes "GitHub has made good on promises to open source Atom, a programmer's text editor based on Chromium. Atom is released under the MIT license (source repository). GitHub announced the following on their blog: 'Because we spend most of our day in a text editor, the single most important feature we wanted in an editor was extensibility. Atom is built with the same open source technologies used by modern web browsers. ... But more importantly, extending Atom is as simple as writing JavaScript and CSS, two languages used by millions of developers each day.'
Apart from being extensible via HTML, JavaScript, and CSS, Atom also offers out-of-the-box Node.js integration, a modular design with a built-in package manager (apm), and extensive features such as file system browser, themes, project-wide search and replace, panes, snippets, code folding, and more. Launched only 10 weeks ago, Atom seems to have a well-established ecosystem of packages and extensions already." The editor is based on atom-shell, a more general framework for building desktop apps using JavaScript/HTML. Beware: according to the FAQ, by default it sends "usage data" to Google Analytics (which can be disabled at least). -
Anonymous' Airchat Aim: Communication Without Need For Phone Or Internet
concertina226 (2447056) writes "Online hacktivist collective Anonymous has announced that it is working on a new tool called Airchat which could allow people to communicate without the need for a phone or an internet connection — using radio waves instead. Anonymous, the amorphous group best known for attacking high profile targets like Sony and the CIA in recent years, said on the project's Github page: 'Airchat is a free communication tool [that] doesn't need internet infrastructure [or] a cell phone network. Instead it relies on any available radio link or device capable of transmitting audio.' Despite the Airchat system being highly involved and too complex for most people in its current form, Anonymous says it has so far used it to play interactive chess games with people at 180 miles away; share pictures and even established encrypted low bandwidth digital voice chats. In order to get Airchat to work, you will need to have a handheld radio transceiver, a laptop running either Windows, Mac OS X or Linux, and be able to install and run several pieces of complex software." And to cleanse yourself of the ads with autoplaying sound, you can visit the GitHub page itself. -
Groove Basin: Quest For the Ultimate Music Player
An anonymous reader writes "Andrew Kelley was a big fan of the Amarok open source music player. But a few years ago, its shortcomings were becoming more annoying and the software's development path no longer matched with the new features he wanted. So he did what any enterprising hacker would do: he started work on a replacement. Three and a half years later, his project, Groove Basin, has evolved into a solid music player, and it's still under active development. Kelley has now posted a write-up of his development process, talking about what problems he encountered, how he solved them, and how he ended up contributing code to libav." -
GitHub Founder Resigns Following Harassment Investigation
An anonymous reader writes "Late yesterday, GitHub concluded its investigation regarding sexual harassment within its work force, and although it found no evidence of 'legal wrongdoing,' Tom Preston-Werner, one of its founding members implicated in the investigation, resigned. In its statement, GitHub vows to implement 'a number of new HR and employee-led initiatives as well as training opportunities to make sure employee concerns and conflicts are taken seriously and dealt with appropriately.' Julie Ann Horvath, the former GitHub employee whose public resignation last month inspired the sexual harassment investigation, found the company's findings to be gratuitous and just plain wrong." -
Princeton Students Develop Open Source Voice Control Platform For Any Device
rjmarvin (3001897) writes "Two Princeton computer science students have created an open source platform for developing voice-controlled applications that are always on. Created by Shubhro Saha and Charlie Marsh, Jasper runs on the Raspberry Pi under Raspbian, using a collection of open source libraries to make up a development platform for building voice-controlled applications. Marsh and Saha demonstrate Jasper's capability to perform Internet searches, update social media, and control music players such as Spotify. You need a few easily obtainable bits of hardware (a USB microphone, wifi dongle or ethernet, and speakers). The whole thing is powered by CMU Sphinx (which /. covered the open sourcing of back in 2000). Jasper provides Python modules (under the MIT license) for recognizing phrases and taking action, or speaking when events occur. There doesn't seem to be anything tying it to the Raspberry Pi either, so you could likely run it on an HTPC for always-on voice control of your media center. -
NYU Group Says Its Scheme Makes Cracking Individual Passwords Impossible
An anonymous reader writes "Researchers at New York University have devised a new scheme called PolyPassHash for storing password hash data so that passwords cannot be individually cracked by an attacker. Instead of a password hash being stored directly in the database, the information is used to encode a share in a Shamir Secret Store (technical details PDF). This means that a password cannot be validated without recovering a threshold of shares, thus an attacker must crack groups of passwords together. The solution is fast, easy to implement (with C and Python implementations available), requires no changes to clients, and makes a huge difference in practice. To put the security difference into perspective, three random 6 character passwords that are stored using standard salted secure hashes can be cracked by a laptop in an hour. With a PolyPassHash store, it would take every computer on the planet longer to crack these passwords than the universe is estimated to exist. With this new technique, HoneyWords, and hardware solutions all available, does an organization have any excuse if their password database is disclosed and user passwords are cracked?" -
Bitcoin's Software Gets Security Fixes, New Features
itwbennett (1594911) writes "The software driving Bitcoin's network was upgraded Wednesday, with security fixes addressing a problem that defunct bitcoin exchange Mt. Gox blamed for losing nearly half a billion dollars worth of bitcoins. The latest version of bitcoin's software, 0.9.0, contains more than a half dozen fixes for transaction malleability, according to the release notes for the software. Bitcoin Core also contains a new feature for payment requests. Previously, merchants couldn't attach a note describing an invoice, and people also could not supply a refund address to a merchant. The latest version automatically supplies a refund address." This wouldn't have prevented the Mt. Gox implosion since they weren't using the reference implementation. The foundation also renamed the software to "Bitcoin Core" to avoid confusion between Bitcoin-the-network and Bitcoin-the-reference-implementation, -
GNU C Library Alternative Musl Libc Hits 1.0 Milestone
New submitter dalias (1978986) writes "The musl libc project has released version 1.0, the result of three years of development and testing. Musl is a lightweight, fast, simple, MIT-licensed, correctness-oriented alternative to the GNU C library (glibc), uClibc, or Android's Bionic. At this point musl provides all mandatory C99 and POSIX interfaces (plus a lot of widely-used extensions), and well over 5000 packages are known to build successfully against musl.
Several options are available for trying musl. Compiler toolchains are available from the musl-cross project, and several new musl-based Linux distributions are already available (Sabotage and Snowflake, among others). Some well-established distributions including OpenWRT and Gentoo are in the process of adding musl-based variants, and others (Aboriginal, Alpine, Bedrock, Dragora) are adopting musl as their default libc." The What's New file contains release notes (you have to scroll to the bottom). There's also a handy chart comparing musl to other libc implementations: it looks like musl is a better bet than dietlibc and uclibc for embedded use. -
Security Industry Incapable of Finding Firmware Attackers
New submitter BIOS4breakfast writes "Research presented at CanSecWest has shown that despite the fact that we know that firmware attackers, in the form of the NSA, definitely exist, there is still a wide gap between the attackers' ability to infect firmware, and the industry's ability to detect their presence. The researchers from MITRE and Intel showed attacks on UEFI SecureBoot, the BIOS itself, and BIOS forensics software. Although they also released detection systems for supporting more research and for trustworthy BIOS capture, the real question is: when is this going to stop being the domain of research and when are security companies going to get serious about protecting against attacks at this level?" -
Code Combat: Free, Open Source, Multiplayer Programming Lessons
An anonymous reader writes "Looking for something to do this weekend? Code Combat recently released the first of their multi-player levels for the general public. Their goal is to enable users to learn JavaScript in a fun, game-structured way. There are a bunch of levels to teach programming basics and JavaScript syntax, showing users how to code the AI and send humans against Orcs. It ranges from simple, single-player movement problems all the way to complex, multiplayer, Warcraft-styled battles featuring multiple troop types and heroes. Best of all, the entire project is up on Github (MIT license) and it welcomes new submissions." -
Controversial Torrent Streaming App 'Popcorn Time' Shuts Down, Then Gets Reborn
An anonymous reader writes "A piece of software called 'Popcorn Time' drew a lot of attention last week for encapsulating movie torrents within a slick, stream-based UI that made watching pirated films as easy as firing up Netflix. The app ran into trouble a few days ago when it was pulled from its hosting provider, Mega, and now Popcorn Time's creators say they're shutting it down altogether. They say it was mainly an experiment: 'Piracy is not a people problem. It's a service problem. A problem created by an industry that portrays innovation as a threat to their antique recipe to collect value. It seems to everyone that they just don't care. But people do. We've shown that people will risk fines, lawsuits and whatever consequences that may come just to be able to watch a recent movie in slippers. Just to get the kind of experience they deserve.' However, the software itself isn't a complete loss — the project is being picked up by the founder of a torrent site, and he says development will continue." -
Bringing Speed Reading To the Web
vencs writes "With the latest cycle of speed reading fad catching on all over, there bloomed a rather neat technique called Spritzing (an online implementation of Rapid Serial Visual Presentation). Even before the company released its SDK, many clones popped up, offering bookmarklets that do the same task. It's a cool (though situational) tool for going through text articles quickly (400-600 wpm)." -
Valve Open Sources Their DirectX To OpenGL Layer
jones_supa writes "A bit surprisingly, Valve Software has uploaded their Direct3D to OpenGL translation layer onto GitHub as open source. It is provided as-is and with no support, under the MIT license allowing you to do pretty much anything with it. Taken directly from the DOTA2 source tree, the translation layer supports a limited subset of D3D 9.0c, bytecode-level HLSL to GLSL translator, and some SM3 support. It will require some tinkering to get it to compile, and there is some hardcoded Source-specific stuff included. The project might bring some value to developers who are planning to port their product from Windows to Linux." -
Portal 2 Incompatible With SELinux
jones_supa writes "Valve has recently released Portal 2 on Steam for Linux and opened a GitHub entry to gather all the bugs from the community. When one of the Valve developers closed a bug related to Portal 2 recommending that the users disable a security feature, the Linux community reacted. A crash is caused by the game's interaction with SELinux, the Linux kernel subsystem that deals with access control security policies. Portal 2 uses the third-party Miles Sound System MP3 decoder which, in turn, uses execheap, a feature that is normally disabled by SELinux. Like its name suggests, execheap allows a program to map a part of the memory so that it is both writable and executable. This could be a problem if someone chose to use that particular memory section for buffer overflow attacks; that would eventually permit the hacker to gain access to the system by running code. In the end, Valve developer David W. took responsibility of the problem: 'I apologize for the mis-communication: Some underlying infrastructure our games rely on is incompatible with SELinux. We are hoping to correct this. Of course closing this bug isn't appropriate and I am re-opening it.' This is more of an upstream problem for Valve. It's not something that they can fix directly, and most likely they will have to talk with the Miles developers and try to repair the problem from that direction." -
Glamor, X11's OpenGL-Based 2D Acceleration Driver, Is Becoming Useful
The Glamor driver for X11 has sought for years to replace all of the GPU-specific 2D rendering acceleration code in X.org with portable, high performance OpenGL. Unfortunately, that goal was hampered by the project starting in the awkward time when folks thought fixed-function hardware was still worth supporting. But, according to Keith Packard, the last few months have seen the code modernized and finally maturing as a credible replacement for many of the hardware-specific 2D acceleration backends. From his weblog: "Fast forward to the last six months. Eric has spent a bunch of time cleaning up Glamor internals, and in fact he’s had it merged into the core X server for version 1.16 which will be coming up this July. Within the Glamor code base, he's been cleaning some internal structures up and making life more tolerable for Glamor developers. ... A big part of the cleanup was a transition all of the extension function calls to use his other new project, libepoxy, which provides a sane, consistent and performant API to OpenGL extensions for Linux, Mac OS and Windows." Keith Packard dove in and replaced the Glamor acceleration for core text and points (points in X11 are particularly difficult to accelerate quickly) in just a few days. Text performance is now significantly faster than the software version (not that anyone is using core text any more, but "they’re often one of the hardest things to do efficiently with a heavy weight GPU interface, and OpenGL can be amazingly heavy weight if you let it."). For points, he moved vertex transformation to the GPU getting it up to the same speed as the software implementation. Looking forward, he wrote "Having managed to accelerate 17 of the 392 operations in x11perf, it’s pretty clear that I could spend a bunch of time just stepping through each of the remaining ones and working on them. Before doing that, we want to try and work out some general principles about how to handle core X fill styles. 
Moving all of the stipple and tile computation to the GPU will help reduce the amount of code necessary to fill rectangles and spans, along with improving performance, assuming the above exercise generalizes to other primitives." Code is available in anholt's and keithp's xserver branches. -
OpenShift Now Supports Windows; GoDaddy Joins OpenStack
sfcrazy writes "It's not The Onion: Red Hat has partnered with Uhuru Software to bring Microsoft .NET Apps and SQL server capabilities to Red Hat's Platform-as-a-Service solution OpenShift." This brings OpenShift to Windows, and not .NET applications to GNU/Linux OpenShift installations. RedHat customers have apparently been asking for this for a while. The source is available: "The consistent model for managing both Linux and Windows systems that OpenShift provides allow organizations to achieve greater efficiency and agility. Windows is now a full-fledged member of the Open Source world of OpenShift. In keeping with the spirit of Open Source, Uhuru has made all of its OpenShift integration software for Windows available to the community and is working to have it officially integrated into OpenShift Origin."
In related news (OpenShift is usually used on top of OpenStack), darthcamaro writes "The OpenStack cloud platform keeps on gaining new converts. The latest is GoDaddy which today announced it is now officially supporting the OpenStack Foundation. How GoDaddy came to officially join the OpenStack Foundation is interesting, apparently the OpenStack Foundation found out that GoDaddy was using OpenStack through job postings." -
Canonical Ports Chromium To The Mir Display Server
An anonymous reader writes "Months after Intel ported the Chromium open-source web browser to Wayland, Chromium is now running on Ubuntu's Mir. The Mir display server port ended up being based on Wayland's Chromium code for interfacing with Google's Ozone abstraction framework. The Ubuntu developer responsible for this work makes claims that they will be trying to better collaborate with Wayland developers over this code." Grab the code hot off the press.