Domain: unknownlamer.org
Stories and comments across the archive that link to unknownlamer.org.
Stories · 46
-
Researcher Finds Hidden Data-Dumping Services In iOS
Trailrunner7 writes There are a number of undocumented and hidden features and services in Apple iOS that can be used to bypass the backup encryption on iOS devices and remove large amounts of users' personal data. Several of these features began as benign services but have evolved in recent years to become powerful tools for acquiring user data.
Jonathan Zdziarski, a forensic scientist and researcher who has worked extensively with law enforcement and intelligence agencies, has spent quite a bit of time looking at the capabilities and services available in iOS for data acquisition and found that some of the services have no real reason to be on these devices and that several have the ability to bypass the iOS backup encryption. One of the services in iOS, called mobile file_relay, can be accessed remotely or through a USB connection and can be used to bypass the backup encryption. If the device has not been rebooted since the last time the user entered the PIN, all of the data encrypted via data protection can be accessed, whether by an attacker or law enforcement, Zdziarski said. Update: 07/21 22:15 GMT by U L : Slides. -
SRI/Cambridge Opens CHERI Secure Processor Design
An anonymous reader writes with some exciting news from the world of processor design: Robert Watson at Cambridge (author of Capsicum) has written a blog post on SRI/Cambridge's recent open sourcing of the hardware and software for the DARPA-sponsored CHERI processor — including laser cutting directions for an FPGA-based tablet! Described in their paper The CHERI Capability Model: Reducing Risk in an age of RISC, CHERI is a 64-bit RISC processor able to boot and run FreeBSD and open-source applications, but has a Clang/LLVM-managed fine-grained, capability-based memory protection model within each UNIX process. Drawing on ideas from Capsicum, they also support fine-grained in-process sandboxing using capabilities. The conference talk was presented on a CHERI tablet running CheriBSD, with a video of the talk by student Jonathan Woodruff (slides).
Although based on the 64-bit MIPS ISA, the authors suggest that it would also be usable with other RISC ISAs such as RISC-V and ARMv8. The paper compares the approach with several other research approaches and Intel's forthcoming Memory Protection eXtensions (MPX) with favorable performance and stronger protection properties. The processor "source code" (written in Bluespec Verilog) is available under a variant of the Apache license (modified for application to hardware). Update: 07/16 20:53 GMT by U L : If you have any questions about the project, regular Slashdot contributor TheRaven64 is one of the authors of the paper, and is answering questions. -
Theo De Raadt's Small Rant On OpenSSL
New submitter raides (881987) writes "Theo De Raadt has been on a better roll as of late. Since his rant about FreeBSD playing catch up, he has something to say about OpenSSL. It is worth the 5 second read because it is how a few thousand of us feel about the whole thing and the stupidity that caused this panic." Update: 04/10 15:20 GMT by U L : Reader badger.foo pointed out Ted Unangst (the Ted in the mailing list post) wrote two posts on the issue: "heartbleed vs malloc.conf" and "analysis of openssl freelist reuse" for those seeking more detail. -
Website Simulates Amiga OS
cyclomedia writes "The Decibel Kid — the "AudioVisual Artist" responsible for last summer's Ipswich Zelda Map — has unveiled his new website. Modeled on Amiga OS it supports changing the wallpaper, window dragging, resizing, minimizing, and that z-index shuffle button. The mobile site is a completely different beast, modeling itself as a low-res LCD." There's even a drum machine. If you're pining for the "real" thing, there's always UAE (if you can find a ROM). Update: 03/05 15:45 GMT by U L : polyp2000 pointed out a better simulation, and a simulation of Workbench 1.5. -
AMC Theaters Allegedly Calls FBI to Interrogate a Google Glass Wearer
An anonymous reader writes "A Google Glass user was interrogated without legal counsel for a couple of hours under suspicion that he may have been recording a film in the AMC movie theater. Although the matter could have been cleared in minutes, federal agents insisted on interrogating the user for hours. So long for our constitutional freedoms." Hours of being detained that could have been avoided if they had just searched his devices (which he repeatedly suggested they do): "Eventually, after a long time somebody came with a laptop and a USB cable at which point he told me it was my last chance to come clean. I repeated for the hundredth time there is nothing to come clean about and this is a big misunderstanding so the FBI guy finally connected my Glass to the computer, downloaded all my personal photos and started going through them one by one (although they are dated and it was obvious there was nothing on my Glass that was from the time period they accused me of recording). Then they went through my phone, and 5 minutes later they concluded I had done nothing wrong." Update: 01/21 21:41 GMT by U L : The Columbus Dispatch confirmed the story with the Department of Homeland Security. The ICE and not the FBI detained the Glass wearer, and there happened to be an MPAA task force at the theater that night, who then escalated the incident. -
Emacs Needs To Move To GitHub, Says ESR
hypnosec writes "Eric S. Raymond, co-founder of the Open Source Initiative, has recommended that Emacs should move to another version control system like GitHub, as bzr is dying. In an email, Raymond highlighted the key reasons why he believes that Emacs should move. Raymond said that bzr is moribund; its dev list has flatlined; and most of Canonical's in-house projects have already abandoned bzr and moved to GitHub. ESR believes that bzr's codebase is sufficiently mature to be used as a production tool, but he does mention that continuing to use the revision control system will have 'social and signaling effects damaging to Emacs's prospects.'" Update: 01/06 20:50 GMT by U L : ESR did not suggest GitHub, the proprietary hosting platform for git, but rather git, the version control system, which is already available on Savannah (the bazaar repository is automatically synced with the git repository). -
POV-Ray Is Now FLOSS
An anonymous reader writes "Starting with version 3.7, POV-Ray is released under the AGPLv3 (or later) license and thus is Free Software according to the FSF definition. 'Free software' means software that respects users' freedom and community. Roughly, the users have the freedom to run, copy, distribute, study, change and improve the software. With these freedoms, the users (both individually and collectively) control the program and what it does for them. Full source code is available, allowing users to build their own versions and for developers to incorporate portions or all of the POV-Ray source into their own software provided it is distributed under a compatible license (for example, the AGPL3 or — at their option — any later version). The POV-Ray developers also provide officially-supported binaries for selected platforms (currently only Microsoft Windows, but expected to include OS X shortly)." Update: 11/14 21:57 GMT by U L : The previous distribution terms and source modification license. -
WxWidgets 3.0: First Major Release in Several Years
First time accepted submitter VZ writes "The first new stable wxWidgets release in years and the first new major release since 1998 has just been announced. wxWidgets 3.0 now includes official support for Cocoa-based 32 and 64 bit applications under OS X, GTK+ 3 under Unix and has thousands of other improvements." Update: 11/12 01:00 GMT by U L : Clarification: it's been several years since the 2.8 release series, and fifteen years since wxWidgets 2.0. -
Java Update Implements Whitelists To Combat 0-Day Hacks
kylus writes "The Register is reporting that Oracle's new Java 7 update 40 release comes complete with a new 'Deployment Rule Set' capability which allows administrators to define which particular applets and Java Web Start applications ('Rich Internet Applications') are permitted to run on a given machine. Not a complete solution for the recent trend of Java hacks that have cropped up, but good news for enterprises that have to run this in their environment." Update: 09/19 20:08 GMT by U L : There's an introduction to deploying rule sets on the Java platform group weblog too. -
FreeBSD Removes GCC From Default Base System
An anonymous reader writes "With the LLVM/Clang migration, FreeBSD developers have now disabled building GCC and the GNU C++ standard library (libstdc++) as part of the FreeBSD base system. GCC and libstdc++ have been superseded by LLVM's Clang and libc++, respectively, on primary architectures for FreeBSD 10.0." You can still flip a few switches to get GCC, but the system compiler will still be clang. Update: 09/11 14:50 GMT by U L : Reader Noryungi noted that the What's Cooking for FreeBSD 10 page is also worth a look, adding "I have to say, this is shaping up to be a very interesting release. Bhyve [the BSD hypervisor], in particular, sounds very promising." -
Google Chromecast Reviewed; Google Nixes Netflix Discount
adeelarshad82 writes "While it's more limited than the Roku 3 and by no means Google's answer to Airplay, Chromecast sets itself apart from other similar products simply based on its price and potential of bringing Internet HDTV streaming to many more people than before. Priced at only $35, it's a direct stick that plugs into your HDTV's HDMI port and lets you stream media from Netflix, YouTube, and Google Play through your smartphone, tablet, or notebook. Unlike the Roku Stick, it uses a separate micro-USB port instead of MHL to power it. This on one hand means you need to run a cable from the stick to a USB port, making it much less neat than it would seem. On the other hand, it means the stick works with any HDTV, whether it has an MHL-capable HDMI port or not. Once connected, the setup itself is fairly simple and entirely app-controlled. Past the setup, your streaming content choices are currently limited, though Google released an API for the Chromecast, so more apps could support it in the future. For now Android users can stream media from Google Play Movies and Music, as well as Netflix and YouTube whereas iOS users can watch Netflix and YouTube via the Chromecast. From a computer, users can stream media from Netflix, YouTube, Google Play, and Chrome. Unlike Apple TV and AirPlay, Chromecast doesn't let you stream your locally stored media. In fact Google Play Music gives an error message when you try to play music you loaded on your device yourself and not through the Google Play store. All in all, at $35 it's the most affordable way to access online media services on your HDTV." El Reg also got their hands on one. Alas, one perk of grabbing the Chromecast is gone: Google ended the free three month Netflix bundle that was worth almost as much as the cost of the Chromecast itself after sales were much higher than expected (so high it looks like they ran out of them after only a day). 
Update: 07/26 21:20 GMT by U L : iFixIt posted a teardown of the Chromecast. -
Google Announces Android 4.3, Netflix, New Nexus 7, and Q Successor Chromecast
At a press conference dubbed "Breakfast With Sundar," Google announced two new pieces of hardware and a minor revision to Android. Complete stories and commentary are still coming in, but in the mean time you can skim a liveblog or two. First is the new Nexus 7. The hardware is slightly improved (full HD screen, better graphics, etc.). The specs managed to "leak" hours before the event through Best Buy opening preordering too early. On the software side, they've announced a minor revision to Android, 4.3. It features improved Bluetooth support (including Bluetooth 4.0), OpenGL ES 3.0, enhanced internationalization, enhanced DRM, and multi-user support. The multi-user support looks most exciting: now you can share a tablet with more than one person. One of the features Google focused on was restricted profiles: a device owner can create accounts that e.g. cannot make in-app purchases (Junior won't rack up a $3000 bill again). Bad news: Google is implementing stricter DRM for books and video, locking down the entire video stack. The consolation prize is that Netflix will work on more devices and at 1080p. Also demoed were a new version of Chrome that brings the tablet experience closer to the desktop, improved hangouts, and improved maps. Google also appears to be making a push into gaming, emphasizing tablet-only games that integrate into Google+. In addition to gaming, they have secured deals with five major textbook publishers to sell students presumably DRMed electronic textbooks that can be purchased or rented, enhanced with better search and highlighting (because PDF readers don't support those features already). As usual lately, all of the really nice additions to Android are proprietary and tied to Google services, further eroding the open nature of Android. Finally, they announced a tiny $35 dongle named Chromecast that appears to be the successor of the Nexus Q.
Running Chrome OS, it connects to any HDMI port, finds your Wi-Fi network, and Just Works (tm) for online video. The online and mobile YouTube and Netflix interfaces will allow you to hit a single button and forward the video to your television as well. Google Music streaming to the television is also supported. The Chromecast looks like a handy little device; hopefully it turns out it can be reflashed. Of course, when using your browser as a remote, all of the commands go through The Cloud. An SDK and more details on the software side of things are slated for release later today, although conspicuously absent from their supported platforms list is GNU/Linux, which lists only Chrome OS and Android. Update: 07/24 18:01 GMT by U L : The Chromecast SDK is out, but with an awfully restrictive license that requires written permission from Google to distribute any cast enabled applications, which appears to make it completely incompatible with Free/Open Source software. -
OpenGL 4.4 and OpenCL 2.0 Specs Released
Via Ars comes news that the OpenGL 4.4 and OpenCL 2.0 specs were released yesterday. OpenGL 4.4 features a few new extensions, perhaps most importantly a few to ease porting applications from Direct3D. New bindless shaders have access to the entire virtual address space of the card, and new sparse textures allow streaming tiles of textures too large for the graphics card memory. Finally, the ARB has announced the first set of conformance tests since OpenGL 2.0, so going forward anything calling itself OpenGL must pass certification. The OpenCL 2.0 spec is still provisional, but now features a memory model that is a subset of C11, allowing sharing of complex data between the host and GPU and avoiding the overhead of copying data to and from the GPU (which can often make using OpenCL a losing proposition). There is also a new spec for an intermediate language: "'SPIR' stands for Standard Portable Intermediate Representation and is a portable non-source representation for OpenCL 1.2 device programs. It enables application developers to avoid shipping kernel source and to manage the proliferation of devices and drivers from multiple vendors. OpenCL SPIR will enable consumption of code from third party compiler front-ends for alternative languages, such as C++, and is based on LLVM 3.2. Khronos has contributed open source patches for Clang 3.2 to enable SPIR code generation." For full details see Khronos's OpenGL 4.4 announcement, and their OpenCL 2.0 announcement. Update: 07/23 20:17 GMT by U L : edxwelch notes that AnandTech published notes and slides from the SIGGRAPH announcement. -
EOMA-68 Based KDE Vivaldi Tablet Engineering Boards Ship
sfcrazy writes "Aaron Seigo, a lead KDE developer, says that the ambitious KDE tablet Vivaldi is shipping to the team for quality testing. Seigo writes on his Google+ page, 'A great start to the week with a warm, sunny, quiet Monday. Well, almost quiet. The first Vivaldi tablets, new dual-core engineering boards and the custom EOMA68 developer workbenches we commissioned have all been shipped out. Don't get too excited: the tablets are pre-certification (EC/FCC) and are on their way to us so we can verify the Q/A targets we set out. Still ...'" It looks like long-time reader lkcl's EOMA-68 initiative is working out; in related news the first batch of Allwinner A10 EOMA-68 cards is shipping to the "...20 Free Software developers brave enough to take one of these at this very early phase." Update: 07/23 17:16 GMT by U L : Correction from lkcl: the first batch of EOMA-68 cards are actually using the Allwinner A20, a bit of an upgrade from the original design. -
Judge Rules Apple Colluded With Publishers to Fix Ebook Prices
Despite many publishers themselves settling with the DOJ over allegations of price fixing ebooks, Apple held firm and recently went to trial. And now the verdict is in: Apple conspired with major publishers to control ebook prices in violation of anti-trust laws. A trial for damages has been ordered. Quoting Reuters: "The decision by U.S. District Judge Denise Cote in Manhattan is a victory for the U.S. government and various states, which the judge said are entitled to injunctive relief. ... Cote said the conspiracy resulted in prices for some e-books rising to $12.99 or $14.99, when Amazon had sold for $9.99. 'The plaintiffs have shown that the publisher defendants conspired with each other to eliminate retail price competition in order to raise e-book prices, and that Apple played a central role in facilitating and executing that conspiracy,' Cote said. 'Without Apple's orchestration of this conspiracy, it would not have succeeded as it did in the spring of 2010,' she added." Update: 07/10 16:36 GMT by U L : The ruling is now available (160 page PDF). -
Lead Developer of Yum Killed In Hit-and-run
An anonymous reader writes "Seth Vidal, a lead developer of Yum, was killed in a hit-and-run accident while riding his bicycle in Durham, NC last night." The Fedora Project posted a statement. Quoting: "Seth was a lead developer of yum and the update repository system, and a contributor to the CentOS project as well as the original Fedora Extras system. He worked tirelessly on the infrastructure for the Fedora Project to make all systems work well and consistently for our contributors around the world. He was a gifted speaker, a brilliant thinker, a clever wit, a humble and genuinely funny person, and a good friend. The Fedora community owes an enormous debt of gratitude to Seth's dedication to Fedora and other free software projects, his commitment to community values, and his passion for excellence in his work. To say he will be missed is an understatement." Update: 07/10 00:24 GMT by U L : Local news reports that the driver turned himself in. -
Debian Says Remove Unofficial Debian-Multimedia.org Repository From Your Sources
Debian warns on its blog: "The unofficial third party repository Debian Multimedia stopped using the domain debian-multimedia.org some months ago. The domain expired and it is now registered again by someone unknown to Debian. (If we're wrong on this point, please send us an email so we can take over the domain!) This means that the repository is no longer safe to use, and you should remove the related entries from your sources.list file." Update: 06/14 02:58 GMT by U L : If you're wondering where it went, it moved to deb-multimedia.org, after the DPL (at the time) asked the maintainer to stop using the Debian name. -
Intel's Haswell Moves Voltage Regulator On-Die
MojoKid writes "For the past decade, AMD and Intel have been racing each other to incorporate more components into the CPU die. Memory controllers, integrated GPUs, northbridges, and southbridges have all moved closer to a single package, known as SoCs (system-on-a-chip). Now, with Haswell, Intel is set to integrate another important piece of circuitry. When it launches next month, Haswell will be the first x86 CPU to include an on-die voltage regulator module, or VRM. Haswell incorporates a refined VRM on-die that allows for multiple voltage rails and controls voltage for the CPU, on-die GPU, system I/O, integrated memory controller, as well as several other functions. Intel refers to this as a FIVR (Fully Integrated Voltage Regulator), and it apparently eliminates voltage ripple and is significantly more efficient than your traditional motherboard VRM. Added bonus? It's 1/50th the size." Update: 05/14 01:22 GMT by U L : Reader AdamHaun comments: "They already have a test chip that they used to power a ~90W Xeon E7330 for four hours while it ran Linpack. ... Voltage ripple is less than 2mV. Peak efficiency per cell looks like ~76% at 8A. They claim hitting 82% would be easy..." and links to a presentation on the integrated VRM (PDF). -
Ricin Tainted Letter Sent to Senator and Possibly the President
An anonymous reader writes "A letter addressed to Senator Roger Wicker (R-Mississippi) was tested and found to contain ricin, a highly toxic, inexpensive, and easily produced substance derived from castor beans. The letter was intercepted at the U.S. Capitol's off-site mail facility and nobody has been injured. The letter was postmarked Memphis, Tennessee, but listed no return address. Sen. Claire McCaskill told reporters that a suspect has been identified." And, this morning, a letter addressed to the President was discovered containing a suspicious substance. Update: 04/17 16:25 GMT by U L : And the substance is ricin. Apparently, air filters at another facility have also tested positive for ricin. -
Google Removing Ad-Blockers From Play
SirJorgelOfBorgel writes "It appears Google has begun removing ad-blocker apps for Android from the Play store, citing breaches of the Play Store Developer Distribution Agreement. The apps would be welcome back as soon as they no longer violated the agreement, though that doesn't seem possible while keeping the apps' core functionality intact." Update: 03/18 20:06 GMT by U L : You can still easily install ad blockers using F-Droid, the Free Software only replacement for Play. -
Linus Torvalds Explodes at Red Hat Developer
sfcrazy writes "Quite a lot of people raised their eyebrows at the way ex-Red Hat developer Matthew Garrett made Microsoft the 'universal' control of any desktop PCs running with UEFI secure boot. Though the intentions of Garrett were clear — to enable GNU/Linux to be able to run Linux on Windows 8 certified PCs with secure boot; it was clearly putting Microsoft in a very powerful position. Linus, while a supporter of secure boot, exploded at Garrett and Howells when they proposed its inclusion in the kernel. Linus responded: 'Guys, this is not a d*#@-sucking contest. If you want to parse PE binaries, go right ahead. If Red Hat wants to deep-throat Microsoft, that's *your* issue. That has nothing what-so-ever to do with the kernel I maintain. It's trivial for you guys to have a signing machine that parses the PE binary, verifies the signatures, and signs the resulting keys with your own key. You already wrote the code, for chissake, it's in that f*cking pull request.'" Update: 02/25 17:24 GMT by U L : The headline/article are misleading, since mjg seems to agree that the patch is a bit complicated: "(I mean, *I'm* fine with the idea that they're *@#$ing idiots and deserve to be miserable, but apparently there's people who think this is a vital part of a business model)". The issue at hand is a set of patches to load and store keys inside of a UEFI PE binary which is then passed to the kernel, which then extracts the keys from the binary. It's absurd, it's messy, and it's only needed because Microsoft will only sign PE binaries, so not supporting it makes restricted boot even more difficult to support. -
Swedish Pirate Party Threatened for Hosting the Pirate Bay
New submitter BetterThanCaesar writes "The Swedish Pirate Party and their ISP Serious Tubes have received a letter from 'The Rights Alliance' (formerly Antipiratbyrån, The Swedish Anti-Piracy Bureau), demanding they cease supplying Internet access to The Pirate Bay. Referring to the final sentence on the four Pirate Bay profiles, they threaten with legal action if access is not removed by February 26. On her blog, party leader Anna Troberg calls the letter 'extortion,' pointing out that (translated from Swedish) '[i]t is not illegal to provide The Pirate Bay with Internet access. There is no list of illegal sites that ISPs cannot provide access to.' (google translation to English)." The letter sent (in Swedish). Update: 02/20 14:58 GMT by U L : richie2000 notes that hosting isn't quite right; they're just routing traffic to TPB: "We're not hosting TPB, we're just routing traffic to them. Just like an ISP. Serious Tubes routes traffic to the Pirate Party, so they're even more removed. But, last night, Portlane, one of the ISPs that routes traffic to Serious Tubes, was pressured into cutting their transit to ST, even if they were just a provider to a provider to a provider to TPB." -
Qt 5.0 Released
sfcrazy writes "The Qt project and Digia, the company behind Qt framework, have released the most awaited C++ framework for developers, Qt 5.0. The company claims it's one of the best releases to date and has invested a significant amount of time behind this release. It's an overhaul of the Qt 4.x series and makes Qt fit for the future." Update: 12/19 17:46 GMT by U L : Major new features include an overhauled graphics layer, full integration of Qt Quick for creating flexible interfaces using Javascript, and increased modularization including the first steps toward de-emphasizing QtWidgets by separating them into their own module. -
Slashdot Asks: SATA DVD Drives That Don't Suck for CD Ripping?
I recently retired my ancient AthlonMP rig for something a bit more modern, and in the upgrade got a new DVD±RW drive. Since I have the new rig and a lot more disk space, the time has come to re-rip my ~450 disc CD collection into FLAC (I trust active storage more than optical discs that may or may not last another twenty years). The optical drive I had in my old rig was one recommended by Hydrogen Audio or somewhere similar for ripping CDs, and can grab an hour long album in about five minutes. My new drive, unfortunately, takes about fifteen to do the same. With the number of discs I have to churn through and the near-instantaneous encoding, it's somewhat annoying. After searching the Internet high and low for advice I came up empty handed, and so I ask Slashdot: are there any SATA DVD burners that don't suck at ripping CDs? Read on for more details if you wish. To work around the problem, I've temporarily yanked an old Promise IDE card I had in an ancient K6-2 rig (timothy found parts of it in a dumpster even) and am using the old drive, but it's approaching a decade and was pretty heavily used. What with having lots of moving parts and a laser or three, I don't see it lasting another decade, and I'd like to have a drive usable with a bus that hasn't been deprecated for almost as long. I'd also like to avoid anything that can read/write Bluray, because the hardware implemented DRM is pretty heinous.
For those interested in the gory details of the hardware I ran cdparanoia -A on both drives: ide drive, sata drive. As you can see, the old drive is way faster, and it looks like the primary difference is that it also has a cache that works with non-linear access, but that behaves "correctly." If you own a drive you want to recommend and can analyze it with cdparanoia, I'm interested in seeing the output.
A note on software suggestions: it has to be FSF-definition Free Software, and GNU/Linux is the only operating system in my house. That basically leaves... cdparanoia. I'm a bit uptight when it comes to tagging (mostly because: once I've done this, will I ever have the stamina to re-tag? Nope), but I'm not trying to start a pirate CD factory and don't really care about getting 100% frame-accurate rips, just error-free ones.
-
The Linux Foundation's UEFI Secure Boot Pre-Bootloader Delayed
hypnosec writes "The Linux Foundation's plans for releasing a signed pre-bootloader that will enable users to install Linux alongside Windows 8 systems with UEFI have been reportedly delayed. The Foundation proposed a signed pre-bootloader that will chain-load a bootloader which, in turn, will boot the desired operating system, thus keeping Linux installations for novice users as simple as it was before. Further, this particular component is meant for small-time Linux distros which otherwise wouldn't have the required expertise or resources to develop their own system to tackle the secure boot issue. This was going as per plans up until Linux kernel maintainer James Bottomley disclosed that he has been having rather bizarre experiences with Microsoft sysdev centre. Bottomley said, 'The first time I sent the loader through, it got stuck (it still is, actually). So I sent another one through after a week or so. That actually produced a download, which I've verified is signed (by the MS UEFI key) and works, but now the Microsoft sysdev people claim it was "improperly" signed and we have to wait for them to sort it out. I've pulled the binary apart, and I think the problem is that it's not signed with a LF [Linux Foundation] specific key, it's signed by a generic one rooted in the UEFI key. I'm not sure how long it will take MS to get their act together but I'm hoping it's only a few days.'" Update: 11/21 14:22 GMT by U L : See the original weblog post, and one interesting tidbit: Microsoft banned bootloaders licensed under the GPLv3 and "similar open source licenses." -
Gentoo Developers Fork udev
In October, Linus Torvalds expressed concerns that udev was making "...changes that were known to be problematic, and are pure and utter stupidity." Several Gentoo developers were also concerned about the removal of features and uncooperative nature of udev maintained by the systemd developers, so they've announced a fork: "After speaking with several other Gentoo developers that share Linus' concerns, I have decided to form a team to fork udev. Our plan is to eliminate the separate /usr requirement from our fork, among other things. We will announce the project later this week." The project name (for now) is udev-ng, and you can grab the code from Github. Update: 11/16 21:29 GMT by U L : One of the developers commented that this isn't yet an official Gentoo project (but hopefully it will be!). There's also an informative flamewar about the fork on debian-devel. -
Third Party Debates Moderated by Larry King: Discuss
Since the two big guys got their three debates covered, and the last third party debate kind of fizzled due to technical difficulties, we invite you to discuss the third party debate happening at 9 p.m. EDT tonight. Candidates from the Green, Libertarian, Constitution, and Justice parties will be debating in the same room with Larry King moderating. It would appear that C-SPAN is rebroadcasting it, so you can catch it using rtmpdump if you happen not to use Flash. Since third party politicians are still politicians, remember to print out some Logical Fallacy Bingo. Topics for the debate include climate change, the drug war, and civil liberties. Update: 10/24 02:32 GMT by U L : It turns out there will be a final third party debate next Tuesday on foreign policy between two of the candidates. To determine who will be in the debate Free and Equal is holding an IRV vote until 10:30 p.m. EDT October 24. -
US Election's Only VP Debate Tonight: Weigh In With Your Reactions
Tonight's debate between the two largest American political parties' candidates for vice president of the United States takes place at Danville, Kentucky's Centre College, starting at 9 p.m. Joe Biden and Paul Ryan will face each other on stage, and are expected to talk about issues "including the economy, foreign policy and the role of the Vice President," according to C-SPAN, which will feature a live streaming view of the event. Criteria from the Commission on Presidential Debates mean you won't hear tonight from other presidential candidates' running mates (like Cheri Honkala, Jim Clymer, and James Gray, of the Green, Constitution, and Libertarian party tickets, respectively). If you'll be watching the debate tonight, please add your commentary below. It would be helpful if you start your comment's title with a time-stamp (to the minute), too, for context. (Like this: "9:08: $Candidate just intentionally mis-repeated the Q on taxes.") And yes, we're posting this here in a vain attempt to keep the political discussion out of other story threads tonight. Update: 10/12 01:18 GMT by U L : If you don't have flash, you can use rtmpdump and mplayer to watch (incantation duplicated below, in case the site is slashdotted). Via Don Armstrong, an incantation to watch the debate without flash:
# Pull the live C-SPAN1 RTMP feed with rtmpdump and pipe it straight into
# mplayer; the URLs are quoted so the shell does not treat '?' as a glob.
rtmpdump -v -r 'rtmpt://cp82346.live.edgefcs.net:1935/live?ovpfv=2.1.4' \
--tcUrl 'rtmp://cp82346.live.edgefcs.net:1935/live?ovpfv=2.1.4' \
--app 'live?ovpfv=2.1.4' --flashVer 'LNX.11,2,202,238' \
--playpath 'CSPAN1@14845' \
--swfVfy 'http://www.c-span.org/cspanVideoHD.swf' \
--pageUrl 'http://www.c-span.org/' | \
mplayer -xy 3 -
-
TypeScript: Microsoft's Replacement For JavaScript
mikejuk writes "Everyone seems to have a replacement for JavaScript — Google even has two. Now Microsoft has revealed that Anders Hejlsberg, the father of C# among other languages, has been working on a replacement and it has released a preview of TypeScript. The good news is that it is compatible with JavaScript — you can simply load JavaScript code and run it. JavaScript programs are TypeScript programs. To improve on JavaScript, TypeScript lets you include annotations that allow the compiler to understand what objects and functions support. The annotations are removed by the compiler, making it a zero overhead facility. It also adds a full class construct to make it more like traditional object oriented languages. Not every JavaScript programmer will be pleased about the shift in emphasis, but the way it compiles to a JavaScript constructor is fairly transparent. At this early stage it is difficult to see the development as good. It isn't particularly good for JavaScript developers who already have alternatives, and it isn't good for C# developers who now have confirmation that Anders Hejlsberg is looking elsewhere for his future." Update: 10/01 20:34 GMT by U L : It's also freely available under the Apache 2.0 license, and there's a language specification available. It looks pretty interesting: it even has ML-style type inference (including e.g. deducing the types of higher order functions). -
W3C Releases First Working Draft of Web Crypto API
From David Dahl's weblog: "Good news! With a lot of hard work – I want to tip my hat to Ryan Sleevi at Google – the W3C Web Crypto API First Public Working Draft has been published. If you have an interest in cryptography or DOM APIs and especially an interest in crypto-in-the-DOM, please read the draft and forward any commentary to the comments mailing list: public-webcrypto-comments@w3.org" This should be helpful in implementing the Cryptocat vision. Features include a secure random number generator, key generation and management primitives, and cipher primitives. The use cases section suggests multi-factor auth, protected document exchange, and secure (from the) cloud storage: "When storing data with remote service providers, users may wish to protect the confidentiality of their documents and data prior to uploading them. The Web Cryptography API allows an application to have a user select a private or secret key, to either derive encryption keys from the selected key or to directly encrypt documents using this key, and then to upload the transformed/encrypted data to the service provider using existing APIs." Update: 09/19 00:01 GMT by U L : daviddahl commented: "I have built a working extension that provides 'window.mozCrypto', which does SHA2 hash, RSA keygen, public key crypto and RSA signature/verification, see: https://addons.mozilla.org/en-US/firefox/addon/domcrypt/ and source: https://github.com/daviddahl/domcrypt I plan on updating the extension once the Draft is more settled (after a first round of commentary & iteration)" -
EVE Online CSM and Diplomat Killed in Libyan Consulate Attacks
New submitter overmoderated writes first with news of an attack on the U.S. Consulate in Libya. From the article: "The U.S. ambassador to Libya and three other embassy staff were killed in a rocket attack on their car, a Libyan official said, as they were rushed from a consular building stormed by militants denouncing a U.S.-made film insulting the Prophet Mohammad." An anonymous reader adds: "Sean Smith, a.k.a. Vile Rat, an EVE Online CSM member, and diplomat for the GoonFleet corporation, was one of the four killed in the attack on the U.S. Consulate in Libya last night. He was 34. A fundraiser is being organized for his children by the Something Awful forums." Update: 09/12 21:28 GMT by U L : Ozma from Something Awful mailed in a link to the memorial thread on the SA forums (including details on the memorial fund). -
Torvalds Takes Issue With De Icaza's Linux Desktop Claims
An anonymous reader writes "Linux creator Linus Torvalds has poured scorn on claims made by the co-founder of the GNOME Desktop project, Miguel de Icaza, that he (Torvalds) was in any way to blame for the lack of development in Linux desktop initiatives. De Icaza wrote in his personal blog: 'Linus, despite being a low-level kernel guy, set the tone for our community years ago when he dismissed binary compatibility for device drivers. The kernel people might have some valid reasons for it, and might have forced the industry to play by their rules, but the Desktop people did not have the power that the kernel people did. But we did keep the attitude.'" Update: 09/02 18:39 GMT by U L : The original source of the comments (and an exciting flamewar between Free Software heavyweights). -
NASA Releases HiRISE Images of Curiosity's Descent
gcnaddict writes "NASA released content from the MRO HiRISE imager taken during the descent of the Curiosity Rover. Among the most notable artifacts are the images themselves as well as a diagram showing the exact location of the rover relative to NASA's target." Update: 08/07 00:15 GMT by U L : And now for a picture from the rover itself. -
MARCH Presents: Apple I Reproduction In Action At HOPE 9
The name — MidAtlantic Retro Computing Hobbyists — might make you think this is a bunch of nerds who get together to enthuse over long-obsolete computer hardware and ASCII computer games. And that's exactly what it is. There are farmers who gush over antique tractors, drivers who love antique cars, and music lovers who dote on old phonographs. So why not old computers? Many people in the computer industry seem to have asked that question, so there are lots of computer museums around. MARCH was just the group Slashdot ran into at HOPE. Their website has lots of links that will help you connect with fellow antique computer buffs (assuming you are one), wherever you may be. See here a member showing off the MacGyveresque process that is booting BASIC and playing a game on a reproduction Apple I. Update: 08/01 15:20 GMT by U L : Evan Koblentz (the guy in the video) commented with a bit more information on MARCH (including info on the discussion list and computer museum). -
Report From HOPE: The State of Community Fabrication
Four years ago, there were around ten hackerspaces across America; today, Hackerspaces (Techshops, Makerspaces) are within driving distance of a good chunk of the population. The RepRap can be assembled for a moderate price, and those with a bit more cash to burn can get one preassembled from multiple sources. Makerfaires are held in most major cities, sites like Instructables and Hackaday are thriving, and all things "Maker" are cool. Far McKon was at HOPE 9 giving an update on how far community fabrication has come since his 2008 presentation at The Last HOPE (mp3 of the talk), what threats lie on the horizon, and where we might find ourselves in another four years.
Update: 09/20 21:02 GMT by U L : There's an audio recording of the talk available.
Much has improved in the last four years. 3D printers for one have gone from being rare and expensive items to something you can build with a reasonable effort, or purchase for a mere arm & leg instead of your first born. The copyleft nature of the 3D printer community and active competition between folks selling them is certainly reminiscent of the early days of commercial Free Software (making things quite exciting).
Hackerspaces have spread like wildfire, encouraging cooperation and granting access to DIY manufacturing tools to the masses without forcing everyone to shell out lots of money.
McKon admits that electronics kits are only a bit more accessible than they were in 2008 — Arduino, Beagleboard, Raspberry Pi, et al are certainly welcome — but we're nowhere near the "building hardware being as easy as software" dream McKon predicted in 2008. He predicts that four years from now will see about as much incremental change; hardware is hard.
On the other hand, laser cutters haven't really budged in cost (they were around $8000 then, and ... surprise, $8000 now). But, hey, what's your local Hackerspace for? McKon speculated that laser cutters are produced by entrenched proprietary vendors with no profit motive to decrease prices. Entering that market is far more challenging than jumping into one with open hardware participants, something echoed later in the talk when McKon noted that Open Source ideals more easily infiltrate upcoming industries than entrenched ones (where's my Open Source fridge?).
Software for 3D printing still sucks. OpenSCAD is workable but difficult, Blender isn't really suited for the task, and in any case the bar to generating a model that can actually be printed is way too high. During the Q&A someone mentioned that Autodesk was adding features aimed at 3D printing; McKon noted that Open Source design tools were encroaching on Autodesk et al's turf. Proprietary software packages are going to have to improve (great for their users), but Open Source development has distinct advantages that, at least in this area, are leading to ever-accelerating development. Still, he emphasized that the only way Open Source tools would win is if people contributed. So go and contribute, or else.
The Hackerspace community has spread the ideals of Free Culture into device manufacturing. McKon sees two business models: Seed and Feed. In the Feed model, you are a consumer and the device is closed. You can see this in proprietary additive printers where the extrusion material often comes in closed cartridges à la inkjet printers and the manufacturer doesn't release information on controlling the device. The Feed model prevails in the world today.
The Seed model is a mixture of DIY and peer to peer sharing of knowledge. Makerbot Industries might sell you an additive printer, but what you do with it is produce, and everything is out in the open so you can make your own repairs, source your own supplies, etc.
The Internet had the promise of expanding P2P and Seed culture, but has become more about consumption (a theme that proved prevalent at HOPE 9). Home manufacturing may likewise push us back toward a producer culture; the change this brings is not all so rosy.
Four years ago "You wouldn't pirate a car would you?" was an absurd parody of itself; now replicating an army of RPG miniatures isn't really stretching the imagination. This poses a possible threat to the revenue models of some rather profitable businesses; and thus the threat that we may see lobbying from those entities similar to what the RIAA/MPAA have done for the last decade.
The pace of innovation in open hardware might be threatened by patents in the way software has been: the twenty-year term already seems infinite in the software world, and the pace of development in hardware has now caught up with it. McKon especially feared a patent arms race like the one among smartphone companies, leading to crippling lawsuits for everyone. Luckily, McKon reports that this certainly has not begun, but notes that a few "hey, we've got these patents and you might be violating them, thought you might want to know" letters have been received by some.
Right now Makerspaces and Maker culture are the hot thing; McKon believes that Maker culture is well on its way to the peak of inflated expectations, and that a crash is inevitable. Some funded hackerspaces may lose funding, some will disappear, device manufacturers will consolidate, etc. But, eventually things will level out to a sustainable Hackerspace population. What that level is remains to be seen, but what is known is that something is brewing.
-
Report from HOPE: Cryptocat And Encryption in the Cloud
In a world increasingly dominated by the cloud, privacy is often sacrificed for convenience. Imagine a world where you could use cloud services without allowing the provider to read your data. Author of Cryptocat (a browser-based secure chat system) Nadim Kobeissi shared the problems he faced developing Cryptocat, his solutions, and future of client-side cryptography. Read on for more.
Update: 07/18 03:48 GMT by U L : Slides (PDF) from and video of the talk are now online.
Despite giving workshops on Off-the-Record messaging to Middle Eastern activists, Kobeissi found that adoption was low because of the complexity of installing new chat software, plugins, generating keys, verifying your friends, etc., especially when the person on the other end had not been taught how to use OTR. At the end of the talk he gave some reasons why North American users may find it easier: we develop this software and export it, so we have a community of developers available for support, whereas in the Middle East this is foreign software lacking context.
Since he was interested in client-side cryptography and there was a clear problem getting people to securely communicate, he set out to experiment with the former while solving the latter. He identified several problems thwarting success:
- Code delivery is insecure (will it be intercepted and modified? Can you trust the original server?). Compounding this, code in browsers is ephemeral, making it nigh impossible to trust.
- The JavaScript random number generator (Math.random), while fine for most uses, is not good enough for encryption: it is not a CSPRNG, and Kobeissi noted its only seed is the current time, making its output predictable to an attacker.
- There are no standardized primitives for working with cryptography algorithms in JavaScript, and libraries available at the time were not very good.
- Browser sandboxing was often incomplete and exploitable (a situation which has improved, but new bugs are still occasionally found). If the sandbox breaks, all bets are off.
To each problem there is a solution. For code delivery, Chrome apps proved ideal: there are interesting client-side security features, bundles can be signed, sandboxing is effective (aside from the occasional convoluted exploit), and you only have to verify the source once. For random numbers, he developed his own implementation of the Fortuna CSPRNG and several cryptographic primitives in JavaScript, using keypress timing, mouse movement, window position, etc. for entropy (on mobile devices, the accelerometer has proven useful). Chrome later added its own implementation, crypto.getRandomValues, which has access to the system entropy source, with Firefox support coming soon.
But where to go from here?
We need an API for transparent encryption: it should be as enforceable and easy as https. We need a full crypto toolkit in the browser, protected key storage (the author suggested protected JavaScript variables), OpenSSL compatibility (certificate formats, not the horrendous C API). And we need secure communications usable by mere mortals.
The W3C formed a web cryptography working group six months ago, with a specification due in 18 months.
Working with the Guardian project, the Cryptocat developers hope to introduce AweSoMe (always secure messaging), which aims to build a suite of utilities for easy and secure messaging (guaranteed message delivery, verifiable end-to-end encryption, and control over logging).
Development of Cryptocat2 is in progress, using XMPP rather than their experimental protocol, and mpOTR which extends OTR with group chat features and newer ciphers. The specification is half complete, and contributions were encouraged.
Although secure chat for the masses is being worked on, there is still much work to be done on securely storing data in the cloud. Luckily, the lessons learned developing Cryptocat will apply to future projects.
-
Controlling Linux Using an Android Phone As Mouse, Keyboard, and Gamepad
beefsack writes "Miniand have demonstrated how to control Linux using a Samsung Galaxy S2. Using an MK802 with the ARM build of Droidmote server bundled into an MK802 Lubuntu image with uinput enabled, Miniand demonstrates (video) using an Android phone as a keyboard, mouse, and gamepad over Wi-Fi to the device." Update: 07/10 00:07 GMT by U L : reader ancienthart pointed toward Premotedroid, an (possibly, I could find no license in the code but the code is there) open source alternative. -
SFC Expands GPL Compliance Efforts To Samba, Linux, and Other Projects
An anonymous reader tipped us to news that the Software Freedom Conservancy is expanding its GPL compliance efforts. Quoting Bradley Kuhn: "This new program is an outgrowth of the debate that happened over the last few months regarding Conservancy's GPL compliance efforts. Specifically, I noticed that, buried in the FUD over the last four months regarding GPL compliance, there was one key criticism that was valid and couldn't be ignored: Linux copyright holders should be involved in compliance actions on embedded systems. Linux is a central component of such work, and the BusyBox developers agreed wholeheartedly that having some Linux developers involved with compliance would be very helpful. Conservancy has addressed this issue by building a broad coalition of copyright holders in many different projects who seek to work on compliance with Conservancy, including not just Linux and BusyBox, but other projects as well." The anonymous reader adds: "This news was also discussed in the latest episode of the Free as in Freedom Oggcast." Update: 05/30 14:20 GMT by U L: It may not be entirely clear, but several Linux developers have assigned copyright so that the Conservancy can pursue violations for them. -
Majority of Landmark Cancer Studies Cannot Be Replicated
New submitter Beeftopia writes with perhaps distressing news about cancer research. From the article: "During a decade as head of global cancer research at Amgen, C. Glenn Begley identified 53 'landmark' publications — papers in top journals, from reputable labs — for his team to reproduce. Begley sought to double-check the findings before trying to build on them for drug development. Result: 47 of the 53 could not be replicated. He described his findings in a commentary piece published on Wednesday in the journal Nature (paywalled). ... But they and others fear the phenomenon is the product of a skewed system of incentives that has academics cutting corners to further their careers." As is the fashion at Nature, you can only read the actual article if you are a subscriber or want to fork over $32. Anyone with access care to provide more insight? Update: 04/06 14:00 GMT by U L : Naffer pointed us toward informative commentary in Pipeline. Thanks! -
Rybka Solves the King's Gambit Chess Opening
New submitter smarq2 writes "Chessbase reports that chess programmer IM Vasik Rajlich has solved the King's Gambit chess opening with technical means. 3000 processor cores, running for over four months, exhaustively analyzed all lines that follow after 1.e4 e5 2.f4 exf4 and came to some extraordinary conclusions." Update: 04/02 22:11 GMT by U L : Skuto points out that this is the same person who was found guilty of plagiarizing GNU Chess and Crafty. -
US Approves Two New Nuclear Reactors
JoeRobe writes "For the first time in 30 years, the US Nuclear Regulatory Commission has approved licenses to build two new nuclear reactors in Georgia. These are the first licenses to be issued since the Three Mile Island incident in 1979. The pair of facilities will cost $14 billion and produce 2.2 GW of power (able to power ~1 million homes). They will be Westinghouse AP1000 designs, which are the newest reactors approved by the NRC. These models passively cool their fuel rods using condensation and gravity, rather than electricity, preventing the possibility of another Fukushima Daiichi-type meltdown due to loss of power to cooling water pumps." Adds Unknown Lamer: "Expected to begin operation in 2016 or 2017, the pair of new AP1000 reactors will produce around 2GW of power for the southeast. This is the first of the new combined construction and operating licenses ever issued by the NRC; hopefully this bodes well for the many other pending applications." -
Swedish Supreme Court Refuses Appeal In Pirate Bay Case
concertina226 writes with sad news for Swedish pirates. Quoting the article: "The Swedish Supreme Court will not hear an appeal from the founders of The Pirate Bay against prison sentences and fines imposed by the Swedish Court of Appeals, the court said on Wednesday. Over a year ago, the Court of Appeals sentenced Fredrik Neij, Peter Sunde, and Carl Lundström to 10 months, eight months, and four months of jail time, respectively. The court also said they must collectively pay a 46 million kronor (£4.3 million) fine." The Pirate Bay has issued a response: "With this said, we hear news from our old admins that they have received a verdict in Sweden. Our 3 friends and blood brothers have been sentenced to prison. This might sound worse than it is. Since none of them lives in Sweden any longer, they won't go to jail. They are as free today as they were yesterday."
Update: 02/01 15:15 GMT by U L : Reader think_nix helpfully copied the Pirate Bay response in a comment for those who cannot access the site. -
Charlie Miller Circumvents Code Signing For iOS Apps
Sparrowvsrevolution writes "At the SyScan conference in Taiwan next week, Charlie Miller plans to present a method that exploits a flaw in Apple's restrictions on code signing on iOS devices, the security measure that allows only Apple-approved commands to run in an iPhone's or iPad's memory. Using his method, an app can phone home to a remote computer that downloads new unapproved commands onto the device and executes them at will, including stealing the user's photos, reading contacts, making the phone vibrate or play sounds, or otherwise using iOS app functions for malicious ends. Miller created a proof-of-concept app called Instastock that appears to show stock tickers but actually runs commands from his server, and even got it approved by Apple's App Store." Update: 11/08 02:54 GMT by U L : Not unexpectedly, Apple revoked Miller's developer license. -
News From Apple's iPhone Event
Apple is currently announcing various things about a new iPhone; the CNN Live has coverage as it is happening. Watch for updates as more information comes in. For those of you who like to read instead of watch, PC Magazine is^W was^W is running a live commentary stream (it broke and then unbroke). The New York Times also has a working live stream which seems more reliable. Update: 10/04 19:04 GMT by U L : Unexpectedly, Apple did not announce an iPhone 5, but rather an incremental update. CNet has a decent article about the features of the iPhone 4S. Additionally, all major carriers except T-Mobile will be getting the phone October 14th. -
European Firms Assisted Gaddafi's Internet Monitoring Regime
riverat1 writes "The Next Web has a story on Muammar Gaddafi's monitoring of the internet and other telecommunications. As you might expect, the monitoring was intense. The story names companies that supplied the monitoring software, most notably Amesys, a unit of the French company Bull SA. There is a more detailed story behind the paywall at the Wall Street Journal." Boeing's Narus division may also have been involved (collecting very important Analytics and nothing suspicious of course). Update: 09/01 16:08 GMT by U L : Axure pointed out that VASTech (South Africa), ZTE (China), and the aforementioned Narus (US) also provided assistance, making the title of the article a bit inaccurate. It seems the Libyan Internet monitoring was an international affair (my apologies to Europe).