Domain: mail-archive.com
Stories and comments across the archive that link to mail-archive.com.
Stories · 25
OpenBSD Disables Intel CPU Hyper-Threading Due To Security Concerns (bleepingcomputer.com)
The OpenBSD project announced today plans to disable support for Intel CPU hyper-threading due to security concerns regarding the theoretical threat of more "Spectre-class bugs." Bleeping Computer reports: Hyper-threading (HT) is Intel's proprietary implementation of Simultaneous Multithreading (SMT), a technology that allows processors to run parallel operations on different cores of the same multi-core CPU. The feature has been added to all Intel CPUs released since 2002 and has come enabled by default, with Intel citing its performance boost as the main reason for its inclusion.
But today, Mark Kettenis of the OpenBSD project said the OpenBSD team was removing support for Intel HT because, by design, this technology just opens the door for more timing attacks. Timing attacks are a class of cryptographic attacks through which a third-party observer can deduce the content of encrypted data by recording and analyzing the time taken to execute cryptographic algorithms. The OpenBSD team is now stepping in to provide a new setting to disable HT support because "many modern machines no longer provide the ability to disable hyper-threading in the BIOS setup."
The End of Gmane? (ingebrigtsen.no)
If any of you use the mailing list archive Gmane, you will want to start looking at its alternatives. Gmane developer Lars Ingebrigtsen announced Thursday that he is thinking about ending the decade-old email-to-news gateway. But first, for those unaware of Gmane, here's what it does: It allows users to access electronic mailing lists as if they were Usenet newsgroups, and also through a variety of web interfaces. Gmane is an archive; it never expires messages (unless explicitly requested by users). Gmane also supports importing list postings made prior to a list's inclusion on the service. Ingebrigtsen said Gmane machines are under numerous DDoS attacks -- coupled with some other issues -- that have made him wonder whether it is worth the time and effort to keep Gmane ticking. He writes: I'm thinking about ending Gmane, at least as a web site. Perhaps continue running the SMTP-to-NNTP bridge? Perhaps not? I don't want to make 20-30K mailing lists start having bouncing addresses, but I could just funnel all incoming mail to /dev/null, I guess... The nice thing about a mailing list archive (with NNTP and HTTP interfaces) is that it enables software maintainers to say (whenever somebody suggests using Spiffy Collaboration Tool of the Month instead of yucky mailing lists) is "well, just read the stuff on Gmane, then". I feel like I'm letting down a generation here. As Gmane's future remains uncertain, Ingebrigtsen recommends that people have a look at Mail Archive.
Satellite Failure Behind GPS Timing Anomaly (itnews.com.au)
Bismillah writes: The recent 13-microsecond timing anomaly was caused by a satellite failure triggering a "software issue", the USAF 50th Space Wing has confirmed. Such an error is large enough to cause navigation errors of up to 4 km. Luckily, no issues with GPS-guided munitions were reported. Reader donaggie03 adds a link to the official explanation from Rick Hamilton, Executive Secretariat of the Civil Global Positioning System Service Interface Committee. From Hamilton's email: Further investigation revealed an issue in the Global Positioning System ground software which only affected the time on legacy L-band signals. This change occurred when the oldest vehicle, SVN 23, was removed from the constellation. While the core navigation systems were working normally, the coordinated universal time timing signal was off by 13 microseconds which exceeded the design specifications. The issue was resolved at 6:10 a.m. MST, however global users may have experienced GPS timing issues for several hours.
Full-Disclosure Security List Suspended Indefinitely
An anonymous reader writes with news that John Cartwright has been forced to shut down the full disclosure list. The list was created in 2002 in response to the perception that Bugtraq was too heavily moderated, allowing security issues to remain unpublished and unpatched for too long. Quoting: "When Len and I created the Full-Disclosure list way back in July 2002, we knew that we'd have our fair share of legal troubles along the way. We were right. To date we've had all sorts of requests to delete things, requests not to delete things, and a variety of legal threats both valid or otherwise. However, I always assumed that the turning point would be a sweeping request for large-scale deletion of information that some vendor or other had taken exception to.
I never imagined that request might come from a researcher within the 'community' itself (and I use that word loosely in modern times). But today, having spent a fair amount of time dealing with complaints from a particular individual (who shall remain nameless) I realised that I'm done. The list has had its fair share of trolling, flooding, furry porn, fake exploits and DoS attacks over the years, but none of those things really affected the integrity of the list itself. However, taking a virtual hatchet to the list archives on the whim of an individual just doesn't feel right. That 'one of our own' would undermine the efforts of the last 12 years is really the straw that broke the camel's back.
I'm not willing to fight this fight any longer. It's getting harder to operate an open forum in today's legal climate, let alone a security-related one. There is no honour amongst hackers any more. There is no real community. There is precious little skill. The entire security game is becoming more and more regulated. This is all a sign of things to come, and a reflection on the sad state of an industry that should never have become an industry.
I'm suspending service indefinitely. Thanks for playing." The archives are still up on seclists.org, gmane, and Mail Archive. For now at least.
John Gilmore Analyzes NSA Obstruction of Crypto In IPSEC
New submitter anwyn writes "In a recent article posted on the cryptography mailing list, long-time civil libertarian and free software entrepreneur John Gilmore has analyzed possible NSA obstruction of cryptography in IPSEC. He suggests that packet processing in the Linux kernel had been obstructed by one kernel developer. Gilmore suggests that the NSA has been plotting against strong cryptography on mobile phones."
Linux 3.3: Making a Dent In Bufferbloat?
mtaht writes "Has anyone, besides those that worked on byte queue limits and sfqred, had a chance to benchmark networking using these tools on the Linux 3.3 kernel in the real world? A dent, at least theoretically, seems to have been made in bufferbloat, and now that the new kernel and new iproute2 are out, it should be easy to apply in general (e.g. server/desktop) situations." Dear readers: Have any of you had problems with bufferbloat that were alleviated by the new kernel version?
OS X Notifier App Growl Goes Closed Source
First-time accepted submitter para_droid writes "Version 1.3 of Growl, the popular open source notification system for Mac OS X, has surprised its users by going closed-source and becoming available only for purchase on the Mac App Store. Any users who provide links to bugfixes and source for the previous version 1.2 are being banned from the discussion group, and their messages deleted. Could it be time for the community to create an OpenGrowl fork?" The linked post above about bugfixes and source ends "Hopefully the Growl 1.3 branch from the official Growl maintainers will eventually become open source again and get straightened out so that it works for most users, but if it doesn't, a fork of the project will be able to provide a working Growl to Mac users."
33 Developers Leave OpenOffice.org
dkd903 writes "We all knew it would come to this, and it has finally happened — 33 developers have left OpenOffice.org to join The Document Foundation, with more expected to leave in the next few days. After Oracle acquired Sun Microsystems, OpenOffice.org fell into the hands of Oracle, as did a lot of other products. So, last month a few very prominent members of the OpenOffice.org community decided to form The Document Foundation and fork OpenOffice.org as LibreOffice, possibly fearing that it could go the OpenSolaris way."
Hope For FOSS In Electronic Health Records
Fred Trotter writes "CCHIT is the dominant Electronic Health Record certification body in the US. It is also decidedly anti-FOSS and has been for years. Certification of one kind or another will be required for EHR systems to qualify for funding under the Stimulus Act. If CCHIT is chosen as the certification body, and the current certification strategies continue, it will not be possible to have a funded EHR that is both certified and truly FOSS. Now, however, CCHIT has agreed to meet the FOSS Health IT community at HIMSS 09 to address this issue." We discussed the shortcomings in the stimulus bill as it relates to FOSS a few days back.
FSF-Sponsored gNewSense 2.1 Released
An anonymous reader writes "gNewSense, the fully-free GNU/Linux distribution sponsored by the FSF, has released a 2.1 live CD (torrent). Since the last release, more non-free binary blobs have been removed, new artwork has been added and lots of other improvements have been made. It's also two years since the first edition of gNewSense, and in that time an impressive ten live CDs have been released! gNewSense 2.1 DeltaH is based on Ubuntu Hardy, and removes non-free software that other distributions don't." I wonder if gNewSense can be easily installed on an OLPC XO the way several other distros can.
Liberation Fonts Increase Interoperability For Linux Users
hweimer writes "Most problems when opening Word documents under GNU/Linux are due to missing fonts. Therefore, Red Hat published a set of fonts metric-compatible with the Windows core fonts last year. However, there were some concerns regarding the licensing that prevented many other distros from shipping them. We finally managed to settle these problems, leading to better document interoperability for all GNU/Linux users."
KDE and KOffice Rebuke OOXML, GNOME Dithers
Peter writes "Free Software Foundation president Richard Stallman and ITWire have praised KDE and KOffice developers for taking a principled stand against OOXML, while raising serious concerns about the GNOME Foundation's decision to give credibility to Microsoft's broken format. This comes on the heels of GNOME co-founder Miguel de Icaza's depiction of OOXML as a 'superb standard', and GNOME Foundation director Quim Gil's stonewalling of the patent-free Ogg Vorbis / Theora format on behalf of Nokia. Will the GNOME Foundation's indifferent response to Richard Stallman's appeal drive him to throw his weight behind KDE?"
Murdoch's New Internet Strategy for the WSJ
Reservoir Hill writes "Once Rupert Murdoch's acquisition of Dow Jones & Company is completed later this year, Murdoch plans to provide free access to The Wall Street Journal's Web site, trading subscription fees for anticipated ad revenue. The WSJ web site, one of the few news sites to successfully introduce a subscription model, currently has around one million subscribers and generates about $50 million annually in user fees. Murdoch's decision to move to an advertising-based model comes amid reports that newspapers' online profit margins are skyrocketing worldwide. Murdoch's previous internet initiative, his acquisition of MySpace, has worked out very well. He actually first discussed this two years ago when he spoke before the American Society of Newspaper Editors on the role of newspapers in this digital world."
SHA-0 Broken, MD5 Rumored Broken
An anonymous reader writes "Exciting advances in breaking hash functions this week at the CRYPTO conference. SHA-0 has definitely been broken (collision found in the full function). Rumors are that at the informal rump session, a researcher will announce a collision in full MD5 and RIPEMD-128. And Ed Felten is speculating about collisions in SHA-1! Many systems, especially those that use cryptography for digital signatures, are most at risk here."
Why Do Email Admins Make Viruses Worse?
gripdamage asks: "Why are email administrators still sending virus bounce messages, when everyone knows viruses forge the sender? This effectively doubles the amount of email traffic due to the virus (triples in the case that the recipient is also notified). As one of the links says 'any AV software or admins that have it mis-configured [so] that it is continuing to send out notices...to forged senders, deserve to be ridiculed.' I have received 4 times as many erroneous bounce notifications because of MyDoom than the actual virus, so the bounce messages are much more of a problem! This is a problem deserving publicity, so that email admins will be shamed into doing the right thing." The problem is that most bounces are automated responses; the simple thing would be to turn them off. Of course, the rationale of the automated response is to hopefully notify the infected user of the problem -- what a catch-22! What kind of policy would you recommend when it comes to spam, e-mail and automated responders?
XFree86 Core Team Disbands
mumumu was among the many to write with this news: "XFree86's release engineer David Dawes has announced that 'a majority of the XFree86 core team has voted in favour of my proposal to disband the core team'. XFree86's News Headline has a short message about it. Why, all of a sudden? What is the successor of XFree86? Xouvert? freedesktop.org?"
Cygwin/XFree86 Leaving XFree86.org
An anonymous reader writes "The Cygwin/XFree86 project is leaving XFree86.org. For those that don't know, Cygwin/XFree86 is a port of the X Window System to Cygwin (which provides a *nix-like API on Windows). Here is the announcement and the start of the trouble. The XFree86 project has pushed away more developers than most projects ever have - is this the beginning of the end for XFree86?"
Linux Crypto Packages Demolished
SiliconEntity writes "Cryptographer and security expert Peter Gutmann has demolished several Linux security software packages in a recent posting to the cryptography mailing list. He says, 'It's possible to create insecure 'security' products just as readily with open-source as with closed-source software. CIPE and vtun must be the OSS community's answer to Microsoft's PPTP implementation. What's even worse is that some of the flaws were pointed out nearly two years ago, but despite the hype about open-source products being quicker with security fixes, some of the protocols still haven't been fixed.'"
Websites Complaining About Screen-Scraping
wilko11 writes "There have been two cases recently where websites have requested the removal of modules from CPAN. These modules could be used to access the websites (EuroTV and Streetmap) from a Perl program. The question being asked on the mailing lists (threads about EuroTV and about Streetmap) is 'can companies dictate what software you can use to access web content from their server?'"
US Opens Portal for Online Comments on Regulations
Judg3 writes "My most recent newsletter from the Center for Democracy and Technology included a link to the newly unveiled Regulations.Gov site that allows individuals to more easily find and comment on proposed rules being considered by federal agencies. Comment on proposed rules ranging from the Secretary of Defense, Coast Guard, Veterans Affairs Administration, to even the Post Office." Here's a newsletter about the site.
Submitting Code to ITAR for Export?
wowbagger asks: "I have the (mis)fortune to be working on a commercial product that will contain encryption/decryption capability. Since the product is targeted for export as well as use within the US, I get to file with the various TLAs showing my product isn't going to destroy the world. Joy. Does anybody else have experience in this? Yes, the ITAR regs aren't merely a case of 'locking the barn door after the horse has fled', but rather 'locking the barn door after the horse has fled, raised a family, evolved into sentience, developed technology, come back with flamethrowers, burned the barn to the ground, sown the lot with salt, and left for another star system'. But unfortunately I have to comply. So, does anybody else have any experience with this process?" A better place to ask this would be the cypherpunks or wasabisystems.com crypto mailing lists...
AOL and .mac IM Not Entirely Integrated
gsfprez writes "While chatting with some Apple employee friends (with .mac accounts and iChat), we were stumped why we couldn't see each other on AIM. It seems that AOL has decided to take the opportunity -- while integrating the .mac users 'into the fold' -- to modify their AIM protocols so that Open Source clients (like Fire and Trillian) can't see those with '@mac.com' IM accounts, and vice versa. Bottom line: you can't be seen by .mac IM users, and they can't see you, unless you get the crufty, single-service AOL IM client. The only positive affirmation of this is from the Fire mailing list. 'Into the fold ... sorta' is more like it." Well, it's still early; this may merely be about bugs that need fixing, rather than intent to block .mac users. We'll see.
MacPerl 5.6.1 Released
pudge (apple.slashdot.org editor and MacPerl Maintainer) writes "MacPerl 5.6.1r1 is the first release of MacPerl in four years. It is now based on perl 5.6.1 -- actually on the latest unreleased 5.6 sources, so MacPerl is the most advanced release of perl ever -- and support for MacPerl is now in the perl core, for both 5.6 and 5.8. MacPerl can also be built entirely with freely available software. And, like its predecessor, it runs on Mac OS X under the Classic environment. Read the announcement, and see macperldelta for details on what's changed."
Factoring Breakthrough?
An anonymous reader sent in: "In this post to the Cryptography Mailing List, someone who knows more about math than I do claimed 'effectively all PGP RSA keys shorter than 2k bits are insecure, and the 2kbit keys are not nearly as secure as we thought they were.' Apparently Dan Bernstein of qmail fame figured out how to factor integers faster on the same cost hardware. Should we be revoking our keys and creating larger ones? Is this 'the biggest news in crypto in the last decade,' as the original poster claims, or only ginger-scale big?"
Unix Support For HPNA 2.0?
spell_caster asks: "I have an HPNA 2.0 network at home (10M LAN over ordinary phone lines). I am experimenting with Linux, but I can't find any drivers for HPNA 2.0. Is anyone working on this? Has anyone else tried the HPNA cards?" For those of you searching for this type of support, there might be some good news for you. Here's a helpful post from the Linux-Hardware Digest #870:
From: Mark Darby mdarby@lucent.com
Crossposted-To: comp.os.linux.networking
Subject: Re: Phone line networking
Date: Tue, 16 May 2000 12:06:52 -0400
The pcnet32 module that comes with the 2.2.13 kernel appears to support any 1Mbps phoneline (HPNA) card that is made with the AMD PCNet-Home controller. Most of the 1Mbps cards on the market appear to be made with the AMD chip, although Intel has their version of 1Mbps HPNA with the AnyPoint product line. Their controller is the 21145. So far, I haven't seen any "freely" available Linux drivers that support the Intel variant. FYI, RedHat created a driver module (called pcnethme) which supports AMD-based HPNA cards for RedHat 6.0. It's on their Web site.
For 10Mbps HPNA, all cards are made with the Broadcom iLine10 controller chip so far. Broadcom doesn't freely distribute any drivers for cards based on their controller, but they claim they provide drivers for vendors who build cards with their chip. Again, I haven't seen any 10Mbps HPNA card vendor provide a Linux driver yet.
I play with LRP (Linux Router Project - www.linuxrouter.org), and I've successfully used some AMD-based cards to create a gateway for my home. I have a Web page (www.iop.com/~intutor/lrprg/index.html) which documents my tinkering thus far, if you're interested...
Mark Darby mdarby@lucent.com (work) intutor@iop.com (home)
So it looks like there may be some small support out there. Have others experimented with HPNA under Unix?