Slashdot

buchner.johannes writes "I was fed up with the general consensus that Linux is oh-so-secure and has no malware. After a week of work, I finished a package of malware for Unix/Linux. Its whole purpose is to help white-hat hackers point out that a Linux system can be turned into a botnet client by simply downloading BOINC and attaching it to a user account to help scientific projects. The malware does not exploit any security holes, only loose security configurations and mindless execution of unverified downloads. I tested it to be injected by a PHP script (even circumventing safe mode), so that the Web server runs it; I even got a proxy server that injects it into shell scripts and makefiles in tarballs on the fly, and adds onto Windows executables for execution in Wine. If executed by the user, the malware can persist itself in cron, bashrc and other files. The aim of the exercise was to provide a payload so security people can 'pwn' systems to show security holes, without doing harm (such as deleting files or disrupting normal operation). But now I am unsure of whether it is ethically OK to release this toolkit, which, by ripping out the BOINC payload and putting in something really evil, could be turned into proper Linux malware. On the one hand, the way it persists itself in autostart is really nasty, and that is not really a security hole that can be fixed. On the other hand, such a script can be written by anyone else too, and it would be useful to show people why you need SELinux on a server, and why verifying the source of downloads (checksums through trusted channels) is necessary. Technically, it is a nice piece, but should I release it? I don't want to turn the Linux desktop into Windows, hence I'm slightly leaning towards not releasing it. What does your ethics say about releasing such grayware?"

Charbax writes "While Archos' current 'Archos 5 Internet Tablet with Android' is a 4.8" WVGA tablet that runs Android 1.5 (and perhaps 2.0 soon with the full Google Marketplace Experience), users of last year's 4.8" and 7" Archos Linux tablets have been complaining that Archos' firmware updates to its proprietary, embedded Linux OS were too infrequent, and added too little of the requested functionality. Under pressure from hackers demonstrating jailbreak methods, Archos has just now officially released (PDF) the open-source Special Developer Edition firmware based on Angstrom Linux, generated from a customized, open embedded build for last year's Archos 5 and 7 Internet Media tablets. If many talented developers join the community of Archos hackers to make software for this new Archos SDE firmware, then Android, Angstrom Linux, Maemo Mer, Qt and Ubuntu Linux could be expected to run smoothly on it soon. That could make it the ultimate pocket Linux Internet tablet for Linux hackers. Installing Archos' new SDE firmware permanently disables DRM playback and voids the warranty."

cuttheredwire writes "Evidence on the Gizmo5 forum (login required) confirms that since Google's takeover of Gizmo5, only the Windows, Mac, and iPhone clients are available for download from the official Web page. The Linux download link no longer works. This is a potential problem for happy Linux users with paid-up credit in their Gizmo5 accounts if they need to reinstall the software. A back-door download is still available, although it is speculated on the forums that it will go away soon. Does this mean that (as with other Google projects such as Google Talk) Linux will be the poor relation for Google Voice also?"

shadowmage13 writes "After months of planning, I am happy to announce finally that the Ubuntu Massachusetts Local Community Team will be preparing a booth at the upcoming 2010 Anime Boston convention. We need support from the community to secure a booth and print materials, including copies of the Ubunchu! manga. I really believe the Anime fandom is a perfect match for Ubuntu, as they are by nature very much in line with open source and remix culture."

bleedingpegasus sends word that the US Air Force will be grabbing up 2,200 new PlayStation 3 consoles for research into supercomputing. They already have a cluster made from 336 of the old-style (non-Slim) consoles, which they've used for a variety of purposes, including "processing multiple radar images into higher resolution composite images (known as synthetic aperture radar image formation), high-def video processing, and 'neuromorphic computing.'" According to the Justification Review Document (DOC), "Once the hardware configuration is implemented, software code will be developed in-house for cluster implementation utilizing a Linux-based operating software."

An anonymous reader writes "I'm as much of a Linux fanboy as anyone else, but I've never thought of anything in computing as being worth a Nobel Peace Prize. Apparently, there are those who take global collaboration seriously, though..." The suggestion has been bouncing around the Portland Linux community, where Torvalds lives. Is it worthy of wider attention and discussion?

AdamWill writes "After the controversy over Fedora 12's controversial package installation authentication policy, including our discussion this week, the package maintainers have agreed that the controversial policy will be tightened to require root authentication for trusted package installation. Please see the official announcement and the development mailing list post for more details."

kai_hiwatari writes "It looks like the Ubuntu developers consider GIMP to be too powerful for a normal desktop user. They are removing it from the upcoming Ubuntu 10.04. Among the reasons cited are that the UI is too complex, it takes up room on the disc, and 'desktop users just want to edit photos and they can do that in F-Spot.''"

Entropy98 writes "It seems that the US Immigration and Customs Enforcement Cyber Crimes Center, known as C3, has replaced its '$8,000 Tableau/Dell server combination' with more efficient and much cheaper $300 PS3s. Each PS3 is capable of 4 million passwords per second, and C3 currently has 20 PS3s with plans to buy 40 more. Naturally this is only being used to break encryption on computers seized with a warrant and suspected of harboring child pornography."

eqisow writes "The new default policy for Fedora 12 allows local, unprivileged users to install signed packages without root access. This change apparently went mostly unnoticed until after the Fedora 12 GA release, at which point it sparked a mailing list thread that is, as of this writing, over 100 posts long."

AdamWill writes "The Fedora Project is pleased to announce the release of Fedora 12 today. With all the latest open source software and major improvements to graphics support, networking, virtualization and more, Fedora 12 is one of the most exciting releases so far. You can download it here. There's a one-page guide to the new release for those in a hurry. The full release announcement has details on the major features, and the release notes contain comprehensive information on changes in this new release. Known issues are documented on the common bugs page."

Glyn Moody writes "Last year, we discussed here a Russian plan to install free software in all its schools. Seems things aren't going so well. Funds for the project have been cut back, some of the free software discs already sent out were faulty, and — inevitably — Microsoft has agreed to a 'special price' for Windows XP used in Russian schools."

badger.foo writes "The Australian rickrolling of jailbroken iPhones only goes to prove that bad passwords are bad for you, Peter Hansteen points out, as he reports on the further exploits of the password-guessing Hail Mary Cloud (which we've discussed in the past). The article contains log data that could indicate that the cloud of distributed, password-guessing hosts is growing. 'With 1767 hosts in the current sample it is likely that we have a cloud of at least several thousand, and most likely no single guessing host in the cloud ever gets around to contacting every host in the target list. The busier your SSH deamon is with normal traffic, the harder it will be to detect the footprint of Hail Mary activity, and likely a lot of this goes undetected.'"

supersloshy writes "Contrary to popular opinion, GNOME 3 will not be released in March next year. It has been delayed until September 2010, six months later. According to the news message, this is because 'our community wants GNOME 3.0 to be fully working for users and why we believe September is more appropriate.' GNOME 3's main goal is to re-define the ways people interact with the desktop, mainly through a new UI design (currently called 'GNOME Shell'), while GNOME 2.30, set for release in March, will have a focus on being stable. An early visual tour of GNOME 3 has been posted at Digitizor."

spongman writes "Microsoft's Senior Vice President, Developer Division, S. Somasegar has announced that Microsoft has acquired Teamprise from Sourcegear, LLC, and will be shipping it as part of the upcoming Visual Studio 2010 release. Teamprise is an Eclipse plugin (and related tools) for connecting to Team Foundation Server, Microsoft's source-control/project-management system. What's most interesting about this is not only that Microsoft has realized that heterogeneous development platforms are important to their developer customers, but the fact that Microsoft themselves will now be developing and shipping products based on those heterogeneous platforms, including 5 versions of Unix."

An anonymous reader tips news that openSUSE 11.2 has reached its official release. You can get it from their download page, or just grab the torrents (32-bit, 64-bit). "openSUSE 11.2 will come with the latest version 2.6.31 of the Linux kernel, the beating heart of every openSUSE system. The default file system of openSUSE will be switched to the new Ext4 as well. Of course, openSUSE will continue to support Ext3 and other filesystems — but on install, new partitions will automatically be designated Ext4. ... Desktops and servers can use the same kernel, but it's better to tune the kernel for the job at hand. That's why openSUSE now includes a desktop kernel specially tuned for desktop users. ... In addition to the work of the openSUSE Project in the desktop, openSUSE 11.2 includes the latest versions of the two desktop environments, KDE 4.3 and GNOME 2.28. KDE users will enjoy the new Firefox KDE integration, OpenOffice.org KDE4 integration, consistent KDE artwork and all standard applications being ported to KDE4 including KNetworkManager, Amarok, Digikam, k3b, Konversation and more."

Foofoobar writes "Just when you thought all was safe on the crazy patent front, Microsoft has come out of the obvious patent closet to file patent number 7617530, which basically duplicates the functionality of 'sudo' which is found in all Linux systems. PJ over at groklaw has a wonderful writeup on the entire fiasco."

DangerFace writes "Scientists are set to unveil a lightweight system they say makes an operating system significantly more resistant to rootkits without degrading its performance. The hypervisor-based system is dubbed HookSafe, and it works by relocating kernel hooks in a guest OS to a dedicated page-aligned memory space that's tightly locked down. The team installed HookSafe on a machine running Ubuntu 8.04, and found the system successfully prevented nine real-world rootkits targeting that platform from installing or hiding themselves. The program was able to achieve that protection with only a 6 percent reduction in performance benchmarks."

eldavojohn writes "In July, the Software Freedom Law Center (SFLC) leveled the finger at Microsoft for a GPL violation but how often does this actually happen? Sunday, Brad M. Kuhn (tech director at the SFLC) stated in his blog that since August of 2009 he has been finding about one per day. So why is it that we have only covered a handful of these cases in the news? Brad offers sage wisdom; surprisingly, he recommends, 'Don't go public first. Back around late 1999, when I found my first GPL violation from scratch, I wanted to post it to every mailing list I could find and shame that company that failed to respect and cooperate with the software freedom community. I'm glad that I didn't do that, because I've since seen similar actions destroy the lines of communication with violators, and make resolution tougher.' Public shame is evidently not always the best answer. Ars has a few more details and notes that (in accordance with Brad's advice) lawsuits are usually a dead last resort."

uyguremre writes "After a little over a year and a half in the making, the developers of MythTV announced that MythTV 0.22 is now available. There have been a lot of large changes since 0.21, including a port from Qt v3 to Qt v4 and a major UI rewrite to convert to MythTV's new MythUI user interface libary. As always, this release adds support for some new hardware, in this case VDPAU video acceleration, DVB-S2, and the Hauppauge HD-PVR. The MythUI toolkit allows themes much greater control over the user interface and today we're announcing a competition to design new themes for MythTV. With the new release comes a theming competition too. For a more complete list of changes and new features, read the Release Notes on the wiki."