Links 11/1/2018: City of Barcelona Moves to GNU/Linux, Julian Assange Becomes Ecuadorian

Posted in News Roundup at 6:55 pm by Dr. Roy Schestowitz




  • City Of Barcelona Chooses Linux And Free Software After Ditching Microsoft

    As per the report, Barcelona city plans to replace all user applications on its computers with open source alternatives. After finding a proper replacement for all proprietary software, the final step would be to go ahead with replacing the operating system with Linux.

  • City of Barcelona Kicks Out Microsoft in Favor of Linux and Open Source

    Barcelona city administration has prepared the roadmap to migrate its existing system from Microsoft and proprietary software to Linux and Open Source software.

  • Look Munich, City of Barcelona Is Dumping Windows and Switches to Ubuntu Linux

    While the City of Munich is switching back to Windows after running Linux on its public PCs, a move that will cost it over €100 million, the City of Barcelona is making the smart choice of dumping Microsoft’s products and switching to Linux and Open Source.

    First spotted by It’s FOSS, this fantastic news was reported by Spanish newspaper El País, stating that the City of Barcelona is currently in talks of migrating all of their public computer systems to Open Source software products like LibreOffice and Open-Xchange, replacing Microsoft’s expensive products.

  • Desktop

  • Kernel Space

    • Meltdown and Spectre Linux Kernel Status

      By now, everyone knows that something “big” just got announced regarding computer security. Heck, when the Daily Mail does a report on it, you know something is bad…

      Anyway, I’m not going to go into the details about the problems being reported, other than to point you at the wonderfully written Project Zero paper on the issues involved here. They should just give out the 2018 Pwnie award right now, it’s that amazingly good.

    • Linux Kernels 4.14.13, 4.9.76, and 4.4.111 Bring More Security Fixes, Update Now

      As promised, Linux kernel maintainer Greg Kroah-Hartman released today new versions of the Linux 4.14, 4.9, and 4.4 kernel series to address some of the regressions from previous builds and fix more bugs.

      Linux kernels 4.14.13, 4.9.76 LTS, and 4.4.111 LTS are now available for download from kernel.org, and they include more fixes against the Spectre security vulnerability, as well as some regressions from the Linux 4.14.12, 4.9.75 LTS, and 4.4.110 LTS kernels released last week, as some reported minor issues.

    • Freedreno’s MSM DRM Driver Wires In DEVFREQ Re-Clocking Support

      Freedreno open-source Qualcomm Adreno driver creator Rob Clark has sent in the set of updates for the MSM DRM driver targeting the Linux 4.16 kernel.

      The MSM Direct Rendering Manager updates for DRM-Next to go into Linux 4.16 are a bit late for the DRM staging, but these changes are mostly small. Besides some bug fixes and other minor code changes, the main feature addition for MSM in Linux 4.16 is DEVFREQ support for controlling the GPU clock frequency.

    • Linux Foundation

      • The Linux Foundation Announces New Linux on Azure Training Course [Ed: The Linux Foundation works for Microsoft now. Corrupted by the money. Microsoft meanwhile attacks Linux with patents.]
      • Automotive Grade Linux gets support from Toyota and Amazon as it eyes autonomous driving

        Open-source software was once something that large businesses shied away from, but over the course of the last few years, it’s made inroads into virtually every enterprise company. With Automotive Grade Linux (AGL), the Linux Foundation hosts a project that aims to bring open source to the car industry. As the AGL group announced at CES in Las Vegas today, Toyota and Amazon have now signed up to support the project, as well.

        Toyota, which is using AGL in the 2018 Camry, is joining as a platinum member, while Amazon opted for the silver level. Indeed, you may have seen another Toyota and Amazon mashup today, which is probably no coincidence.

    • Graphics Stack

      • R600 Gallium3D Gets More Fixes, Experimental SB Tessellation Support

        If you are still running with a pre-GCN AMD graphics card, a number of R600 Gallium3D commits landed in Mesa Git over night as well as an interesting patch series on the Mesa mailing list.

        Hitting Mesa 17.4-dev Git a few hours ago were a number of R600 Gallium3D fixes. This time around the various fixes come courtesy of VMware’s Roland Scheidegger, a long time Mesa developer. They are a variety of minor fixes. It’s nice to see nevertheless as R600g doesn’t get too much action these days.

      • xf86-video-intel Gets Coffee Lake Support

        The xf86-video-intel DDX driver now has support for the first “Coffee Lake” processors.

      • The Current CPU Driver Usage Difference Between RADV/RadeonSI & NVIDIA

        Yesterday I posted some fresh GPU/driver benchmark results for discrete AMD Radeon and NVIDIA GeForce graphics cards. These were some of the most competitive numbers yet we’ve seen out of the open-source RadeonSI OpenGL and RADV drivers while using the latest Linux 4.15 kernel, especially for the GTX 1060 vs. RX 580 battle. In the comments were requests to see some CPU utilization numbers, including from one of the Radeon Linux developers, so here is a look at how the CPU usage compares.

        With having some spare cycles this morning on that Core i7 8700K “Coffee Lake” desktop, I ran a CPU usage comparison with various Linux games when using the Radeon RX 580 (on Linux 4.15 + Mesa 17.4-dev + LLVM 6.0 SVN) vs. the comparable GeForce GTX 1060 (on Linux 4.15 + NVIDIA 390.12) for showing the latest CPU utilization difference for both OpenGL and Vulkan games.

      • RADV Vulkan Driver Now Supports VK_EXT_discard_rectangles

        RADV co-founder Bas Nieuwenhuizen has landed support for the Vulkan VK_EXT_discard_rectangles extension within Mesa 17.4-dev.

      • RADV Gets Another Optimization For Micro-Benchmarks

        David Airlie and Bas Nieuwenhuizen’s work on the RADV open-source Vulkan driver is quite relentless. David has posted yet another patch working on further optimizing the performance of this unofficial Radeon Vulkan driver living within Mesa.

      • The NVIDIA 390 Driver Is Playing Nicely With Linux 4.15 Kernel

        For those NVIDIA Linux users reliant upon the proprietary driver and wanting to upgrade to the Linux 4.15 kernel that will be officially released within the next two weeks, the 390.12 driver is playing nicely.

        Earlier NVIDIA driver releases ran into compatibility issues with the Linux 4.15 interfaces following the merge window (not due to KPTI, as some other FUD previously passed around by others). But with last week’s NVIDIA 390.12 beta it has been working fine atop the Linux 4.15 Git kernel, including when Kernel Page Table Isolation is enabled for Meltdown prevention. (Retpoline support has yet to be mainlined, haven’t tested the NVIDIA driver there yet to formally confirm if any breakage may happen.)

      • AMDGPU Queues More Fixes For Linux 4.16

        AMD had already sent in a fair number of AMDGPU updates slated for Linux 4.16; now, with the cut-off for major feature updates in DRM-Next code looking to make it into 4.16, AMD has submitted some fixes.

    • Benchmarks

      • NVIDIA GeForce vs. AMD Radeon Linux Gaming Performance At The Start Of 2018

        Here is a fresh look at the NVIDIA GeForce and AMD Radeon Linux graphics card performance as we start 2018. Testing was done using the latest Linux 4.15 Git kernel — including the KPTI page table isolation support — as well as using the newest Mesa 17.4-dev driver code for RadeonSI/RADV and on the NVIDIA side is their brand new 390.12 beta driver.

      • What Linux storage benchmarking tools are best?

        The Linux hdparm tool enables administrators to establish a basic, low-level measure of disk performance. Using hdparm with the -T option takes advantage of the Linux disk cache, while the -t option also accesses the disk through the cache, but doesn’t pre-cache the results. Low-level Linux storage benchmarking tools such as hdparm are very sensitive to file systems and other higher level constructs, however, so results can vary dramatically.

        Admins often use the Linux dd — data duplicator — command for tasks such as backup and copy, but its interaction with storage can also give a sequential-throughput measure of storage performance.

        Flexible I/O Tester (FIO) is perhaps the most versatile and popular tool for benchmarking hard disk drive and solid-state drive devices. It enables administrators to run sequential read/write tests with varied I/O block sizes and queue depths.

      • KPTI + Retpoline Linux Benchmarking On Old Laptops

        Over the past week and a half of running many benchmarks looking at the performance impact of the Linux KPTI and Retpoline patches for Spectre and Meltdown mitigation, one of the most common test requests has been some thorough benchmarks on older systems. That’s important because older (pre-Westmere) CPUs lack the PCID (Process Context Identifier) support used by KPTI, which helps offset some of the performance loss. So the test results shared today cover two old ThinkPads from the Clarksfield and Penryn days compared to a newer Broadwell ThinkPad, looking at the performance difference.

  • Applications

  • Desktop Environments/WMs

    • K Desktop Environment/KDE SC/Qt

      • KStars 2.9.1 is off to a fantastic start in 2018!

        We’re kicking off 2018 with a new fantastic release of KStars for Windows & MacOS. Linux users should wait a few more days to get the release in the official PPA due to Canonical’s Launchpad downtime because of the Meltdown and Spectre CPU vulnerabilities discovered recently.

        KStars 2.9.1 aka “Lancaster” release is primarily a bugfix release, but it brings with it as well several new features and improvements to existing technologies.

      • Akademy 2018 Call for Participation

        Akademy is the KDE Community conference. The 2018 edition is from Saturday 11th to Friday 17th August in Vienna, Austria. If you are working on topics relevant to KDE or Qt, this is your chance to present your work and ideas at the Conference. The days for talks are Saturday and Sunday, 11th and 12th. The rest of the week will be BoFs, unconference sessions and workshops.

      • Qt 3D Studio Remote Deployment on Android Devices
      • New in Qt 5.10: QThread::create
      • Kdenlive cafés #25 and #26 – Everybody is invited
      • Krita 4.0 Beta 1

        We’ve officially gone into String Freeze mode now! That’s developer speak for “No New Features, Honest”. Everything that’s going into Krita 4.0 now is in, and the only thing left to do is fixing bugs and refining stuff.

        Given how much has changed between Krita 3 and Krita 4, that’s an important part of the job! Let us here repeat a very serious warning.

      • Krita Digital Painting Program Hits The 4.0 Beta Milestone

        The KDE/Qt-aligned Krita digital painting program has released its first beta release of the major 4.0 update that also marks its string freeze. Now marks the period of bug fixing before shipping Krita 4.0 within a few months.

      • Nextcloud Talk is here

        Today is a big day. The Nextcloud community is launching a new product and solution called Nextcloud Talk. It’s a full audio/video/chat communication solution which is self hosted, open source and super easy to use and run. This is the result of over 1.5 years of planning and development.

        For a long time it was clear to me that the next step for a file sync and share solution like Nextcloud is to have communication and collaboration features built into the same platform. You want to have a group chat with the people you have a group file share with. You want to have a video call with the people while you are collaboratively editing a document. You want to call a person directly from within Nextcloud to collaborate and discuss a shared file, a calendar invite, an email or anything else. And you want to do this using the same login, the same contacts and the same server infrastructure and web interface.

      • Introducing a Full Self-hosted Audio/video and Chat Communication Platform: Nextcloud Talk

        We’re very proud to announce today Nextcloud Talk, the first enterprise-ready, self-hosted communication technology giving users the highest degree of control over their data and communication. Nextcloud Talk is a fully open source video meeting software, on-premise hosted and end-to-end encrypted. It features a text chat and is available for web and mobile. In related news, Nextcloud has become the vendor with the greatest momentum in the self-hosted Enterprise File Sync and Share market and increased its customer base by 7 times in 2017. And over 500 individuals contributed more than 6.6 million lines of code to Nextcloud last year!

      • Nextcloud Talk is an Open Source Alternative to Google Hangouts

        Nextcloud has launched a self-hosted open source alternative to Google Hangouts, Skype, and similar chat services.

        Called ‘Nextcloud Talk’, the feature brings audio, video and messaging features based on WebRTC to the personal cloud server software, which was forked from OwnCloud back in 2016.

      • Nextcloud Rolls Out Audio/Video/Chat Support

        The Nextcloud cloud hosting software forked from ownCloud now has audio/video/chat abilities.

    • GNOME Desktop/GTK

      • Phoning home after updating firmware?

        Somebody made a proposal on the fwupd mailing list that the machine running fwupd should “phone home” to the LVFS with success or failure after the firmware update has been attempted.

        This would let the hardware vendor that uploaded firmware know there are problems straight away, rather than waiting for thousands of frustrated users to file bugs. The report needs to contain something that identifies the machine and a boolean, and in the event of an error, enough debug information to actually be useful. It would obviously involve sending the user’s IP address to the server too.

        This means vendors using the LVFS know first of all how many downloads they have, and also the number of success and failures. This allows us to offer the same kind of staged deployment that Microsoft Update does, where you can limit the number of updated machines to 10,000/day or automatically pause the specific firmware deployment if > 1% of the reports come back with failures.
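        The staged-deployment gate sketched above, as an added example that is not fwupd or LVFS code: it counts post-update reports per firmware, caps how many distinct machines are served per day, and pauses a firmware once more than 1% of its reports are failures. The report layout, the salted-hash pseudonymisation of the machine identifier (so the server need not keep the raw identifier next to the client’s IP address) and the minimum-report threshold before pausing are assumptions of this example.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Report:
    """One post-update report, shaped as the proposal sketches it: something that
    identifies the machine, a success flag and, on failure, debug text.
    This layout is an assumption, not the fwupd/LVFS wire format."""
    machine_id: str
    firmware: str
    success: bool
    day: date
    debug: str = ""


def pseudonymise(machine_id: str, salt: str) -> str:
    """Salted hash of the machine identifier: the server can still count distinct
    machines without storing the raw identifier alongside the client IP."""
    return hashlib.sha256(f"{salt}:{machine_id}".encode()).hexdigest()[:16]


@dataclass
class FirmwareStats:
    total: int = 0
    failures: int = 0
    per_day: dict = field(default_factory=lambda: defaultdict(set))  # day -> machine hashes
    failure_debug: list = field(default_factory=list)


class DeploymentGate:
    """Staged rollout: a daily cap on updated machines plus an automatic pause
    when the observed failure rate exceeds the threshold (1% in the proposal)."""

    def __init__(self, salt: str, daily_limit: int = 10000,
                 max_failure_rate: float = 0.01, min_reports: int = 50):
        self.salt = salt
        self.daily_limit = daily_limit
        self.max_failure_rate = max_failure_rate
        # Assumption: require a minimum sample before pausing, so a single
        # early failure does not halt the rollout for everyone.
        self.min_reports = min_reports
        self.stats = defaultdict(FirmwareStats)

    def record(self, report: Report) -> None:
        s = self.stats[report.firmware]
        s.total += 1
        s.per_day[report.day].add(pseudonymise(report.machine_id, self.salt))
        if not report.success:
            s.failures += 1
            s.failure_debug.append(report.debug)

    def failure_rate(self, firmware: str) -> float:
        s = self.stats[firmware]
        return s.failures / s.total if s.total else 0.0

    def decision(self, firmware: str, today: date) -> str:
        """'paused' beats 'daily-limit' beats 'serve': a bad firmware is stopped
        even if today's quota is not yet used up."""
        s = self.stats[firmware]
        if s.total >= self.min_reports and self.failure_rate(firmware) > self.max_failure_rate:
            return "paused"
        if len(s.per_day[today]) >= self.daily_limit:
            return "daily-limit"
        return "serve"


def demo() -> dict:
    """Constructed reports: 99 successes and one failure keep fw-1.0 serving
    (exactly 1%); two more failures push it past 1% and pause it."""
    gate = DeploymentGate(salt="constructed-salt", min_reports=10)
    day = date(2018, 1, 11)
    for i in range(99):
        gate.record(Report(f"machine-{i}", "fw-1.0", True, day))
    gate.record(Report("machine-99", "fw-1.0", False, day, "flash verify failed"))
    before = gate.decision("fw-1.0", day)
    for i in (100, 101):
        gate.record(Report(f"machine-{i}", "fw-1.0", False, day, "flash verify failed"))
    return {"before": before, "after": gate.decision("fw-1.0", day),
            "rate": round(gate.failure_rate("fw-1.0"), 4)}


def daily_limit_demo() -> tuple:
    """Daily cap of 3 (constructed): the same machine reporting twice counts once."""
    gate = DeploymentGate(salt="constructed-salt", daily_limit=3)
    day = date(2018, 1, 11)
    for mid in ("a", "a", "b"):
        gate.record(Report(mid, "fw-2.0", True, day))
    two_distinct = gate.decision("fw-2.0", day)
    gate.record(Report("c", "fw-2.0", True, day))
    return two_distinct, gate.decision("fw-2.0", day)


if __name__ == "__main__":
    print(demo())
    print(daily_limit_demo())
```

        The pause check is evaluated before the daily cap on purpose: once the failure rate is over the threshold no further machines should be served that day regardless of remaining quota, and the collected debug strings give the vendor something to look at before un-pausing.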

  • Distributions

    • OpenSUSE/SUSE

      • GeckoLinux: A Polished Distro Just Got Smoother

        I was disappointed in GeckoLinux in only one situation. The practice of including a password for the live session demo mode was a new feature promised in this release. The product description hawks the convenience of not having to enter passwords for the live session user account.

        Yet the brief documentation for the ISO download mentions the user password for the live session as “linux.” I was hoping that the developer merely forgot to update the download information.

        Alas, the new version still needs a password. Oh well, maybe the next release.

        Otherwise, GeckoLinux 423 is a worthy release that provides improvements over the standard openSUSE mindset.

      • New Python3, LibreOffice, Google RE2 Packages Released in Tumbleweed

        Several openSUSE Tumbleweed snapshots arrived before and after the new year, and this post will focus on the most recent snapshots released this week.

        Much of the efforts of developers this week have focused on patching the Meltdown and Spectre vulnerabilities. openSUSE’s rolling distribution produced four openSUSE Tumbleweed snapshots so far this week.

        While the Long-Term Support 4.4 Linux Kernel has patched many of the vulnerabilities associated with Meltdown and Spectre, the 4.14.12 Linux Kernel released in snapshot 20180107 hasn’t, but Tumbleweed users will likely see the vulnerabilities patched soon.

    • Red Hat Family

    • Debian Family

      • Derivatives

        • Canonical/Ubuntu

          • PSA: Ubuntu 17.04 Zesty Zapus support ends on Saturday

            Support for Ubuntu 17.04 Zesty Zapus will be coming to an end this Saturday, nine months after being pushed out. The end of life applies to all systems no matter whether you’re running it on a desktop or a server. Once the end of life date arrives, you should have a plan to move to Ubuntu 17.10 or downgrade to Ubuntu 16.04.

          • Flavours and Variants

            • Ubuntu Unity Remix Day 1: 27-Dec ISO

              Ubuntu Unity Remix 18.04 is already functional even though it’s still very new. For you who don’t know, Unity Remix is a new Ubuntu distro with Unity 7 desktop created after the official Ubuntu switched to GNOME 3. Unity Remix is based on the effort of Unity 7 Continuation Project by Khurshid Alam and Dale Beaudoin, and it calls for developers & testers right now. Today I, an Ubuntu user who likes Unity Desktop, start a series of articles about my days in personal testing Ubuntu Unity Remix. This ‘Day 1’ covers a short overview about the latest ISO from 27-Dec-2017. This series is (again) inspired by Didier Roche’s series at early Artful days. Enjoy!

            • Ubuntu Unity Remix Day 2: Nemo & Caja

              Do you like Nemo and Caja file managers? Good news for you, you can use them at Ubuntu Unity Remix now. More good news is there are 2 ISOs available (for testing purpose) for both Unity Remix Nemo and Unity Remix Caja editions! Having these two is like continuing the 17.04 but with the feels of Linux Mint ‘MATE’ and ‘Cinnamon’ editions. For you who don’t know, you will find Nemo or Caja even more useful than Nautilus, because you’ll have more features you cannot find at Nautilus (like normal menu bar, F3, and status bar). This ‘Day 2’ covers a simple overview about both file managers at Ubuntu Unity Remix 18.04. Enjoy!

  • Devices/Embedded

Free Software/Open Source

  • Telecommunications Infrastructure Project looks to apply open source technologies

    The Telecommunications Infrastructure Project is looking to apply open source technologies to next generation fixed and mobile networks.

    The Telecom Infra Project (TIP), conceived by Facebook to light a fire under the traditional telecommunications infrastructure market, continues to expand into new areas.

    Launched at the 2016 Mobile World Congress in Barcelona, the highly disruptive project takes an open ecosystem approach to foster network innovation and improve the cost efficiencies of both equipment suppliers and network operators. “We know from our experience with the Open Compute Project that the best way to accelerate the pace of innovation is for companies to collaborate and work in the open. We helped to found TIP with the same goal – bringing different parties together and strengthen and improve efficiencies in the telecom industry,” according to Aaron Bernstein, Director of Connectivity Ecosystem Programmes at Facebook.

  • Introducing Ad Inspector: Our open-source ad inspection tool
  • AI and machine learning bias has dangerous implications

    Algorithms are everywhere in our world, and so is bias. From social media news feeds to streaming service recommendations to online shopping, computer algorithms—specifically, machine learning algorithms—have permeated our day-to-day world. As for bias, we need only examine the 2016 American election to understand how deeply—both implicitly and explicitly—it permeates our society as well.

    What’s often overlooked, however, is the intersection between these two: bias in computer algorithms themselves.

    Contrary to what many of us might think, technology is not objective. AI algorithms and their decision-making processes are directly shaped by those who build them—what code they write, what data they use to “train” the machine learning models, and how they stress-test the models after they’re finished. This means that the programmers’ values, biases, and human flaws are reflected in the software. If I fed an image-recognition algorithm the faces of only white researchers in my lab, for instance, it wouldn’t recognize non-white faces as human. Such a conclusion isn’t the result of a “stupid” or “unsophisticated” AI, but of a bias in training data: a lack of diverse faces. This has dangerous consequences.

  • Events

    • Mozilla Release Management Team: Firefox Release management at FOSDEM 2018
    • Mozilla Reps Community: Reps Council at Austin

      The All Hands is a special time of the year where Mozilla employees along with core volunteers gather for a week of many meetings and brainstorming. The All Hands Wiki page has more information about the general setting. During the All Hands, the Reps Council participated in the Open Innovation meetings as well as had meetings about 2018 planning. One of our main topics was about the Mission Driven Mozillians proposal.

    • openSUSE Conference Registration, Call For Papers Opens Today

      openSUSE is pleased to announce that registration and the call for papers for the openSUSE Conference 2018 (oSC18), which takes place in Prague, Czech Republic, are open.

      The dates for this year’s conference will be May 25 through May 27 at Faculty of Information Technologies of Czech Technical University in Prague. Submission for the call for papers will be open until April 20. There are 99 days from today to submit a proposal, but don’t wait until the last minute. Registration will be open from today until the day oSC18 begins; make sure to answer the survey question regarding the T-Shirt size.

  • Web Browsers

    • Mozilla

      • Announcing ESR60 with policy engine

        The Firefox ESR (extended support release) is based on an official release of Firefox desktop for use by organizations including schools, universities, businesses and others who need extended support for mass deployments. Since Firefox 10, ESR has grown in popularity and many large organisations rely on it to let their employees browse the Internet securely.

        We want to make customization of Firefox deployments simpler for system administrators and we’re pleased to announce that our next ESR version, Firefox 60, will include a policy engine that increases customization possibilities and integration into existing management systems.

      • Web. Period.

        Seen from here, EPUB is a technical dead end. The ebook market just cannot absorb newer versions of EPUB any more, and I’m not sure when it will be able to absorb even light incremental changes again. EPUB books based on EPUB 3.0.1 or a light and for once backwards-compatible evolution of 3.0.1, are here to stay for a very, very long time.

      • User Style for bugzilla.mozilla.org

        Yesterday, I was talking with Kohei Yoshino (the person behind the Bugzilla Quantum effort that recently landed significant UX improvements to the header strip) about some visual issues I have on bugzilla.mozilla.org which basically boil down to our default view being a bit too noisy for my taste and not emphasizing enough on the key elements I want to glance at immediately when I visit a bug (bug Status, description, comments).

        Given that I spend a significant amount of time on Bugzilla and that I also spend some time on Github issues, I decided to see if I could improve our default theme on Bugzilla with a user style to make it easier on the eyes and also closer visually to Github, which I think is good when you use both on a daily basis.

  • Funding

    • Pineapple Fund Supports Conservancy

      Software Freedom Conservancy thanks the Pineapple Fund and its anonymous backer for its recent donation of over 18 Bitcoin (approximately $250,000). The Pineapple Fund is run by an early Bitcoin adopter to give about $86 million worth of Bitcoin to various charities. Shortly after the fund’s announcement earlier this month, volunteers and Conservancy staff members applied for its support. That application was granted this week.

  • BSD

    • OPNsense® 18.1 Release Candidate 1

      For more than 3 years now, OPNsense has been driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, HardenedBSD security, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.

      We humbly present to you the sum of another major iteration of the OPNsense firewall. Over the second half of 2017 well over 500 changes have made it into this first release candidate. Most notably, the firewall NAT rules have been reworked to be more flexible and usable via plugins, which is going to pave the way for subsequent API works on the core firewall functionality. For more details please find the attached list of changes below.

      Meltdown and Spectre patches are currently being worked on in FreeBSD[1], but there is no reliable timeline. We will keep you up to date through the usual channels as more news becomes available. Hang in there!

  • Licensing/Legal

  • Programming/Development

    • Top Programming Languages That Largest Companies Are Hiring Developers For In 2018

      Learning a programming language involves some important decisions on the part of a professional. Gone are the days when one mastered a single popular programming language and it granted job security. Highlighting these limitations of reliance on a single programming language, Coding Dojo coding school has shared the results of an interesting study.

    • Rust in 2018

      I think 2017 was a great year for Rust. Near the beginning of the year, after custom derive and a bunch of things stabilized, I had a strong feeling that Rust was “complete”. Not really “finished”, there’s still tons of stuff to improve, but this was the first time stable Rust was the language I wanted it to be, and was something I could recommend for most kinds of work without reservations.

      I think this is a good signal to wind down the frightening pace of new features Rust has been getting. And that happened! We had the impl period, which took some time to focus on getting things done before proposing new things. And Rust is feeling more polished than ever.


  • Hardware

    • Second iPhone battery explodes at Apple Store in Europe – this time in Spain

      The explosion occurred at Apple’s Calle Colón Store in Valencia, Spain. According to a report in Las Provincias, the battery overheated while being worked upon and started emitting smoke, triggering immediate evacuation from the building. An entire floor in the building was engulfed in smoke, one of the first responders at the site reported.

    • Another iPhone Battery Explodes Right in the Apple Store

      It’s a tough time for Apple Store staff across the world, not only because iPhone owners rush to change their worn-out batteries as part of the $29 discount program, but also due to some batteries actually catching fire right when being serviced.

      It happened earlier this week in Zurich, when an iPhone battery started emitting smoke all of a sudden, and now the same thing took place in Spain at Apple’s store in Valencia.

      A report from local newspaper Las Provincias reveals that the iPhone battery didn’t just emit smoke, but actually exploded, leading to the entire floor being filled with smoke.

      This obviously triggered the store evacuation given the risks of smoke intoxication, and firefighters and police rushed to the scene. Emergency services, however, weren’t required to intervene because Apple Store staff managed to vent the building by opening all windows and to cover the faulty battery with sand. No injuries were caused to Apple employees or store visitors.

  • Health/Nutrition

  • Security

    • macOS High Sierra’s App Store System Preferences Can Be Unlocked With Any Password

      A bug report submitted on Open Radar this week reveals a security vulnerability in the current version of macOS High Sierra that allows the App Store menu in System Preferences to be unlocked with any password.

    • Red Hat Researchers: Spectre Chip Vulnerability Likely Worse For VMs Than Containers
    • Watching the meltdown.

      I have been watching Meltdown and Spectre unfold from the sidelines. Other than applying available updates, I’m just watching and absorbing the process of the disclosure. This one appears midway along a long road.

      I teach mostly administrators. I teach some developers. I teach those in, or desiring to be in, infosec. I like teaching security topics. I think securing systems requires more people thinking about security from the beginning of design and as an everyday, no big deal part of life. A question I ask with these newsworthy issues is what normal practices can mitigate even part of the problems? There are two big basics – least privilege and patch management – to always keep in mind. Issues like ShellShock and Venom were mostly mitigated from the beginning with SELinux enabled (least privilege) and WannaCry had little impact on those systems patched long ago when the SMB bug was first found and fixed.

      However, in some cases, both exploits and accidents come from doing something that no one else thought of trying. This is why I like open source. There is the option (not always used) for more people trying different things and finding better uses as well as potential flaws. Any type of cooperation and collaboration can be the source of some of these findings including pull requests, conference talks, or corporations working with academic research projects.

    • Open Source Security Podcast: Episode 77 – npm and the supply chain

      Josh and Kurt talk about the recent npm happenings. What it means for the supply chain, and we end with some thoughts on how maybe none of this matters.

    • Ubuntu systems also having boot-up issues due to Meltdown and Spectre patches
    • Meltdown and Spectre patch stops Ubuntu computers from booting
    • Meltdown and Spectre patches leave some Ubuntu systems unbootable
    • Linux vs Meltdown: Ubuntu gets second update after first one fails to boot
    • Ubuntu takes two on Meltdown CPU patch after first one bricked machines
    • The Spectre And Meltdown Server Tax Bill

      Much has been written about the nature of the Meltdown and Spectre threats, which leverage the speculative execution features of modern processors to give user-level applications access to operating system kernel memory. This is obviously a very big problem. Chip suppliers and operating system and hypervisor makers have known about these exploits since last June, and have been working behind the scenes to provide corrective countermeasures to block them. The idea was to wait until January 9 to have all the fixes lined up in the industry and then tell the world about the exploits. But rumors about the speculative execution threats forced the hands of the industry, and last week Google put out a notice about the bugs and then followed up with details about how it has fixed them in its own code for its own systems.

    • Answering your questions about “Meltdown” and “Spectre”
    • NSA Didn’t Know of Meltdown, Spectre, Trump Cyber Czar Says

      The National Security Agency didn’t know about the Meltdown or Spectre flaws, White House cybersecurity coordinator Rob Joyce said at the International Conference on Cyber Security at Fordham University Law School here today (Jan. 11).

    • spectre and the end of langsec

      Like many I was profoundly saddened by this analysis. I want to believe in constructive correctness, in math and in proofs. And so with the rise of functional programming, I thought that this historical slide from reason towards observation was just that, historical, and that the “safe” languages had a compelling value that would be evident eventually: that “another world is possible”.

      In particular I found solace in “langsec”, an approach to assessing and ensuring system security in terms of constructively correct programs. One obvious application is parsing of untrusted input, and indeed the langsec.org website appears to emphasize this domain as one in which a programming languages approach can be fruitful. It is, after all, a truth universally acknowledged, that a program with good use of data types, will be free from many common bugs. So far so good, and so far so successful.

      The basis of language security is starting from a programming language with a well-defined, easy-to-understand semantics. From there you can prove (formally or informally) interesting security properties about particular programs. For example, if a program has a secret k, but some untrusted subcomponent C of it should not have access to k, one can prove if k can or cannot leak to C. This approach is taken, for example, by Google’s Caja compiler to isolate components from each other, even when they run in the context of the same web page.

      But the Spectre and Meltdown attacks have seriously set back this endeavor. One manifestation of the Spectre vulnerability is that code running in a process can now read the entirety of its address space, bypassing invariants of the language in which it is written, even if it is written in a “safe” language. This is currently being used by JavaScript programs to exfiltrate passwords from a browser’s password manager, or bitcoin wallets.

    • Is Apple Even Paying Attention To macOS Security Anymore?

      A new Mac security flaw lets you type literally any username and password in order to unlock the Mac App Store panel in System Preferences. It’s probably not a big deal practically speaking—the panel is unlocked by default—but the fact that this issue exists at all is a worrying reminder that Apple isn’t prioritizing security like they used to.

    • Ubuntu Linux Unbootable After Users Install Meltdown And Spectre Patches
    • Ubuntu Update For Meltdown And Spectre Chip Flaws Leaves Some PCs Unbootable

      Sometimes the cure is worse than the disease. Just ask the affected users of older AMD systems who had their PCs bricked after downloading and installing a Windows update that was supposed to protect them from Meltdown and Spectre. It is not just Windows users who are suffering, either. Some Ubuntu Xenial 16.04 users also report that the latest update for their OS has rendered their system unable to boot.

    • How CoffeeMiner Attack Hacks Public Wi-Fi And Uses Your PC For Mining Cryptocurrency

      After a series of ransomware attacks captured the headlines in the past year, crypto mining malware and cryptojacking attacks came into play. Just last month, a Starbucks customer found that the infected Wi-Fi hotspot was trying to mine Monero digital coins. It was a new kind of threat associated with using public hotspots, which are often labeled unsafe and users are advised to use VPN services for extra privacy.

    • Prosecutors say Mac spyware stole millions of user images over 13 years

      An indictment filed Wednesday in federal court in Ohio may answer some of those questions. It alleges Fruitfly was the creation of an Ohio man who used it for more than 13 years to steal millions of images from infected computers as he took detailed notes of what he observed.

    • EMC, VMware security bugs throw gasoline on cloud security fire

      While everyone was screaming about Meltdown and Spectre, another urgent security fix was already in progress for many corporate data centers and cloud providers who use products from Dell’s EMC and VMware units. A trio of critical, newly reported vulnerabilities in EMC and VMware backup and recovery tools—EMC Avamar, EMC NetWorker, EMC Integrated Data Protection Appliance, and vSphere Data Protection—could allow an attacker to gain root access to the systems or to specific files, or inject malicious files into the server’s file system. These problems can only be fixed with upgrades. While the EMC vulnerabilities were announced late last year, VMware only became aware of its vulnerability last week.

    • Malware based on open source Kotlin language discovered lurking in Google Play [Ed: This has nothing to do with "open source". They don't say "proprietary" when the framework is.]

      Basically, it’s pretty typical of the malware that crops up in dodgy apps that have wormed their way past the digital bouncers on the Play Store.

    • How to increase Linux security by disabling USB support

      This may sound like a crazy way of enhancing security on a server, but if you can get away with it—as in you don’t need any USB devices such as keyboards, mice, external drives—disabling USB support can be an added means of ensuring malicious files do not find their way onto your servers. Obviously, this will only work for headless machines, so you had better make certain you can SSH into those servers; otherwise, you’ll find yourself in trouble trying to input anything via keyboard or mouse.

    • Security updates for Thursday
    • Intel Releases Linux CPU Microcodes for Processors Going Back Two Decades
  • Defence/Aggression

    • Ellsberg Takes on US Nuclear Protocol in ‘Confessions of a Nuclear War Planner’

      Former military strategist Daniel Ellsberg, famous for releasing the Pentagon Papers, a top-secret study of U.S. involvement in Vietnam, calls the United States’ nuclear weapons policy “dizzyingly insane and immoral.” In his new memoir, “Doomsday Machine: Confessions of a Nuclear War Planner,” Ellsberg chronicles his years spent as a nuclear policy analyst, which included the near miss of the Cuban Missile Crisis in 1962. Ellsberg joins us to discuss his new book and why he calls for more risk-reduction measures around nuclear weapons. We’ll also get his thoughts on the new movie, “The Post,” which dramatizes the Washington Post’s decision to publish the Pentagon Papers in 1971.

    • A swarm of home-made drones has bombed a Russian airbase

      According to reports, 13 small drones descended on Russian forces, but none did significant damage. Seven were destroyed by anti-aircraft defences and the others were brought down using electronic countermeasures to hijack or jam the drone’s controls and land them intact.

    • Trump Lashes Pakistan over Afghan War

      Though expanding the U.S.-led war in Afghanistan last year, President Trump has shown little interest in the details — until New Year’s Day when he threatened Pakistan in a surprising tweet storm, reports Dennis J Bernstein.

  • Transparency/Investigative Reporting

  • Finance

    • Chinese Workers Abandon Silicon Valley for Riches Back Home

      U.S.-trained Chinese-born talent is becoming a key force in driving Chinese companies’ global expansion and the country’s efforts to dominate next-generation technologies like artificial intelligence and machine learning. Where college graduates once coveted a prestigious overseas job and foreign citizenship, many today gravitate toward career opportunities at home, where venture capital is now plentiful and the government dangles financial incentives for cutting-edge research.

    • Bitcoin falls as one of the world’s biggest cryptocurrency markets readies a bill to ban trading

      South Korea’s justice minister said on Thursday that a bill is being prepared to ban all cryptocurrency trading in the country.

      That news is a major development for the cryptocurrency space, as South Korea is one of the biggest markets for major coins like bitcoin and ethereum.

    • Sadiq Khan’s Brexit warning: UK could lose 500,000 jobs if we crash out of EU without a deal

      A no-deal hard Brexit could cost the UK half a million jobs and £50 billion less investment, according to a study.

      Research for the mayor of London Sadiq Khan warned of a “lost decade” of significantly lower growth.

      The country could have 500,000 fewer jobs in the worst-case scenario and nearly £50 billion less investment by 2030.

      In London alone, there could be 87,000 fewer jobs and the capital’s economic output could be 2% lower by 2030 than predicted under the status quo, it was warned.

    • The ambiguity cannot last – Labour must either back or block a Tory Brexit

      Owen Jones wrote a thoughtful article recently in which he defended Labour for accepting Brexit. He covered electoral triangulation, far-right extremism, and fundamental problems with referenda. Much of what he wrote was spot on. The problem is, like almost all Brexit debate, it looked backwards, not forwards. And here’s why that matters.

      Labour should continue to acquiesce – both for votes, and because acquiescence to a referendum result is to a certain extent moral. But rather than look backwards to when Keir Starmer’s six tests were sufficient, we must look forwards – to when Brexit takes shape and acquiescence gets harder.

      For example, consider the criticism of Jeremy Corbyn for not supporting an initial discussion on single market membership. There is a real irony here in that the criticism comes from Remainers and Corbyn pointed out what the Brexiteers denied – i.e. that the single market is not a separate joinable entity.

      Ironic or not, that Remainer criticism matters. As others make better play of being Remain parties – we lose our default “not the Brexit party” position. And worse is to come as Brexit ceases to be an abstract concept.

      Broadly acquiescing to a referendum result and the word “Brexit” was possible in 2017 but soon we will have to choose between enabling or blocking a specific Tory Brexit.

      That isn’t acquiescence – it is support or opposition. And it could alienate millions of either Brexit or Remain voters who chose Labour in 2017.

    • Publicly funded private school creates “poor kids’ playground” for kids whose parents wouldn’t contribute to new playground equipment

      Wednesbury Oak Academy in the West Midlands is an “academy school,” similar to a US charter school — a publicly funded, privately operated school, which, the theory goes, is able to “experiment” with new educational techniques, by deviating from the standard curriculum, rejecting students on the basis of selection criteria, and hiring teachers without formal qualifications.

      The school solicited £6 contributions from parents to contribute to the cost of new playground apparatus. The parents of 80 children out of the 450 who attend the school sent in money. When the school purchased the new equipment, the playground was segregated, with the children whose parents contributed the £6 able to play anywhere, while the remaining majority of children were barred from playing in the area with the new equipment.

  • AstroTurf/Lobbying/Politics

    • Mass Migration: The European Commission’s New “Norm”

      The article illustrates much of what is wrong with European institutions, in particular the European Commission, a mixture of bureaucratic arrogance, false creed based on dogma rather than facts, and a disdain for democratic debate. The Commission, based in Brussels, is not elected but, according to EU treaties, it has a monopoly — yes, a monopoly — on initiating legislation at the European level. Each Commissioner is an appointed bureaucrat, one for each member state — often a former top politician, now sidelined in his country of origin, therefore with very little democratic legitimacy.

    • ‘God Help Us if This Gets Out’: The Full Transcript of Yair Netanyahu’s Wild Tel Aviv Night

      Yair Netanyahu and his friends hoped their night out would not be documented. Accompanied by a bodyguard and a driver provided by the state, the prime minister’s son, the son of gas tycoon Kobi Maimon and Roman Abramov, a representative of billionaire James Packer, went touring strip clubs in Tel Aviv, paying for erotic dances and talking about the natural gas deal that had just been reached. On Monday night, the Israel Television News Company broadcast a recording made that night.

    • Trump uses ‘no collusion’ 7 times in a single Russia answer

      This is a real exchange that happened between President Donald Trump and Fox News’ chief White House correspondent John Roberts in a press conference with the Norwegian prime minister on Wednesday afternoon.

  • Censorship/Free Speech

    • Yelp Accused Of Hiding Positive Reviews For Non-Advertiser

      He claims that after months of non-stop phone calls from Yelp, his favorable rating dropped after he finally told the company he would not pay for advertising.

    • Trump lawyer: I’m suing ‘BuzzFeed’ over dossier claims

      Cohen also said via Twitter that he is suing the private investigative firm Fusion GPS, which compiled a dossier of claims that say, among other things, that Cohen and Trump had ties with shadowy Russian characters. BuzzFeed published the dossier, which was commissioned in 2016 by Trump’s opponents.

    • No, Trump’s Censorship Bluster Is Truly Worrying

      Your editorial “Book Banning Bunkum” (Jan. 8) is far too serene in dismissing as routine Trumpish “feckless bluster” in his efforts to pressure Michael Wolff’s publisher into abandoning publication of his book. Of course, you are right to recall other such threats by the president which weren’t followed up by actual litigation, including one to this newspaper. But not all publications and journalists can so easily shrug off such threats of financially crippling litigation.

    • New universities minister ‘victim of censorship row’ after inviting Saddam Hussein’s ally to speak at the Oxford Union in 1990s

      But Tariq Aziz, a close ally of Saddam Hussein who served under him for over two decades, was unable to take up the invitation, after he was reportedly refused a visa by the Home Office.

    • Censorship Board is responsible for music and video content

      The Chief Censor, Steven Mala, says that capacity has been the delaying issue with the PNG Censorship Board.

      The body made a stand last year to work closely with production houses to closely monitor the content of music by local artists.

      Following up on this, Mala revealed that not much focus was given to the industry, to date.

      However, he said, recruitment was completed in 2017, so work should commence this year.

      Mala reiterated that work by artists should be screened by the Censorship Board before being aired.

      He said another circular will be sent to media houses going forward.

    • Psychiatrist Sues A Bunch Of Redditors For Criticizing His Therapy Services

      For reasons only known to the plaintiff, an American psychiatrist offering unlicensed services in Japan is suing a whole bunch of Redditors for defamation. The underlying reason for this lawsuit is obvious: searches for Dr. Douglas Berger or psychiatrists in Japan tend to return lots of links presumably owned by Dr. Berger, but more prominently, a bunch of warnings from Redditors at Japan-focused subreddits to steer clear of his psychiatric services.

    • Trump Once Again Threatens to Change Federal Libel Laws That Don’t Exist

      And even if they did, the First Amendment would stop him in his tracks.

      In the latest in a long line of attacks on freedom of the press, President Trump has once again threatened today to change libel laws to make it easier to sue news organizations, publishers, and others after the publication of an unflattering book.

      “We are going to take a strong look at our country’s libel laws so that when somebody says something that is false and defamatory about someone, that person will have meaningful recourse in our courts,” Trump said.

    • YouTube’s censorship system is flawed

      As internet users in 2018, we are all able to produce content, share it with an audience and be considered “content creators” regardless of background, orientation or qualifications. The internet in the modern day has made it possible for any person with access to it to have the opportunity to create videos for any viewer to see. YouTube is a platform where this opportunity can come to life.

      While YouTube is a positive place where creators put out content in many different genres it is also a place where offensive videos have an opportunity to be shared and reach millions of viewers.

      YouTube currently has a policy that prohibits videos with offensive language, sexual content, or “controversial subjects” including tragedy or violence from being monetized. The algorithm in place is that of a robot, separating the offensive material from the non-offensive. However, like many algorithmic programs, there are flaws within the system.

    • Chuck Johnson Sues Twitter, Copying Dennis Prager’s Lawsuit Against YouTube

      Last summer, we wrote about an important Supreme Court case, Packingham v. North Carolina, which made the fairly important ruling that the internet was so central to everyday life that courts could not ban people from the internet, even if they were convicted of a horrific crime. It was an important ruling — but almost immediately, some people worried that some would interpret the ruling in a way to suggest that online service providers, themselves, could not kick people off of their service. That’s not what the ruling actually says, but it’s possible to quote it out of context to suggest as much.

      And, indeed, we’ve started to see such cases brought against internet companies. The case Dennis Prager brought against YouTube, for example, cites Packingham to argue that it’s somehow unconstitutional to filter his videos with warning labels. And now we can add famed internet troll Chuck Johnson to the list, as he’s filed a lawsuit against Twitter, long after the site permanently banned Johnson from using their platform.

      As we noted with the Prager/YouTube case, it’s unlikely this case will go anywhere. Courts have held out, repeatedly, that platforms have the right to operate however they want regarding letting people use their services or not (the big distinction with Packingham was that was the government denying individuals access to the internet, not private operators). And there is extensive case law around Section 230 of the CDA as well, which states in fairly plain language that sites not only can filter and moderate however they want without liability, but actually encourages them to do so. There is, of course, at least some amount of irony that it was conservatives who were complaining about “bad stuff” (mainly porn) online who pushed for incentives in the CDA to get internet services to censor via filtering… and now it’s “conservative” commentators like Prager and Johnson, who are suing because those sites are filtering, as is explicitly encouraged by the law.

    • Appeals Court Drives Another Stake Into The Heart Of Idaho’s ‘Ag-Gag’ Law

      The Ninth Circuit Court of Appeals has upheld a 2015 decision finding Idaho’s “ag-gag” law unconstitutional. Despite the protestations of legislators and the state itself, the court finds the law prohibiting people from obtaining access to farms and other agricultural entities under false pretenses a violation of protected speech.

      As the lower court pointed out, the law would have made Upton Sinclair’s exposé of the meatpacking industry illegal. The upshot of Sinclair’s book was significant changes to food and employee safety laws. Without the efforts of whistleblowers this law clearly targeted, the safety of the public — both consumers and employees — would be negatively impacted.

      The Appeals Court finds little to like about the state’s arguments that the law is meant to protect the privacy of agricultural entities. Instead, it points out that statements made by legislators — as well as the law’s wording — indicate the state intended to block speech critical of these entities. The decision [PDF] highlights comments made by legislators during the passage of the law which show the true impetus for the law’s creation.

    • In Keeping And Improving News Comments, The Intercept Shows Websites What Giving A Damn Looks Like

      For the last few years, the trend du jour in online media has been to demonize, vilify, then shutter the traditional news comment section. Usually these closures come with all manner of disingenuous nonsense about how websites are banning comments for the sake of “building relationships” or because the website in question just “really loves conversation.” Usually, on-site users are then shoved toward social media silos at Twitter and Facebook we’re told are “just as good” as an active, on-site community (read: doing this is cheaper and makes it somebody else’s problem).

      Traditionally, readers of these websites are told that news comments simply had to die because it’s impossible to cultivate healthy discourse in the post-truth, mega-troll era. But as Techdirt and countless other websites have made clear for more than a decade, that’s simply not true. And while being lazy, cheap and actively hostile to on-site community is any website’s prerogative, this ignores the fact that online news comments are an excellent avenue for transparency and a tool to hold websites, and authors, accountable.

      Again, for better or worse news in the modern era is a conversation. Muting your on-site audience may feel good to editors on tight budgets, tired of trolls, and wistful for the bygone days of carefully-chosen letters to the editor, but it’s doing your community (and the news industry at large) a disservice. As such, the Intercept’s moves are a welcome change of pace for an industry that has spent the last few years insisting that muzzling your readership somehow represents a breathless dedication to quality online discourse.

    • Controversy over Chinese textbook’s Cultural Revolution chapter as state publisher denies censorship

      Changes made to a middle-school history textbook’s chapter on the Cultural Revolution have sparked controversy in China, with its state-run publisher denying it censored the book.

      The furore came after a post widely shared on Chinese social media suggested that politically sensitive content about the political movement had been removed.

      The post showed photographs of the old version of the textbook and a revised text.

      The pictures appeared to show that a chapter formerly devoted to the Cultural Revolution had been taken out.

      The post also suggested that a sentence referring to the political movement in China in the 1960s and 1970s – which caused a decade of violence and political and social upheaval – had been altered to remove a reference to the Communist Party.

    • Rights Groups Demand Active Censorship Board After “Rape” Songs Sparks Controversy
    • Senator Portman Promises To Pass Bills To Harm Tech Companies If They Won’t Support SESTA
  • Privacy/Surveillance

    • Intelligence Oversight Tries Again With Zero-Reform Section 702 Bill, Criticizes Reform Efforts As Threats To Security

      The Congressional showdown on Section 702 reforms/renewal continues to generate little actual debate or reform — but plenty of bad proposals. Both the House and Senate Intelligence Committees have decided there should be a renewal — preferably an extended one — with zero actual reform.

      Members of the House offered up some tepid reforms in the USA Liberty Act, only to find this offering blocked by the House Permanent Select Committee on Intelligence (HPSCI), which offered a zero-reform package at the last minute. Fortunately, no one was able to tack a lousy non-reform bill onto the tail end of the annual budget bill, thereby dodging reform discussions and giving the NSA a surveillance blank check for the next 5-10 years.

      Having been stiff-armed for a few weeks, the HPSCI has put together another Section 702 “reform” bill that does nothing to change the status quo and actually has the possibility of making things worse.

    • Trump Doesn’t Understand Surveillance Powers; House Votes To Give Him More Of It

      As discussed this morning, the House voted a few hours ago on a bill to reauthorize Section 702 of the FISA Amendments Act that did not reform the widely abused surveillance rules — other than to codify some of the power allowing them to continue to abuse it for warrantless surveillance on Americans. There was a vote on an important Amendment from Reps. Justin Amash and Zoe Lofgren that would have allowed the reauthorization of the underlying program, but (importantly) required a warrant (as per the 4th Amendment) for spying on Americans. And, unfortunately, the amendment was voted down (183-233) and the awful reauthorization passed, 256 to 164.

      The fight over this bill was… weird in so many ways. There was the expected bullshit: politicians outright lying to the public, arguing that the Amash/Lofgren amendment (which again, just said that the program had to be conducted in accordance with the 4th Amendment) would somehow stop the intelligence and law enforcement community from finding terrorists (it wouldn’t). Again: everyone expected that. What was weird was (1) having some of Donald Trump’s loudest detractors in Congress… then argue against the Amash amendment and in favor of giving the Trump administration more power to warrantlessly spy on Americans and share that data widely among law enforcement. And (2) having President Trump tweet a series of confused tweets this morning that demonstrated that he clearly didn’t know what the debate is actually about… and suggesting he was against the reauthorization, despite the fact that the White House (his White House) had issued a statement strongly supporting the reauthorization.

    • House Fails to Protect Americans from Unconstitutional NSA Surveillance

      The House of Representatives cast a deeply disappointing vote today to extend NSA spying powers for the next six years by a 256-164 margin. In a related vote, the House also failed to adopt meaningful reforms on how the government sweeps up large swaths of data that predictably include Americans’ communications.

      Because of these votes, broad NSA surveillance of the Internet will likely continue, and the government will still have access to Americans’ emails, chat logs, and browsing history without a warrant. Because of these votes, this surveillance will continue to operate in a dark corner, routinely violating the Fourth Amendment and other core constitutional protections.

    • House passes NSA spying bill after Trump tweets cause confusion

      The U.S. House of Representatives on Thursday passed a bill to renew the National Security Agency’s warrantless internet surveillance program, overcoming objections from privacy advocates and confusion prompted by morning tweets from President Donald Trump that initially questioned the spying tool.

      The legislation, which passed 256-164 and split party lines, is the culmination of a yearslong debate in Congress on the proper scope of U.S. intelligence collection – one fueled by the 2013 disclosures of classified surveillance secrets by former NSA contractor Edward Snowden.

    • House votes to renew controversial surveillance program that powers the NSA

      After a contentious debate, the House of Representatives has voted to extend a controversial government surveillance program that powers American spying operations, as it voted down a proposal to include new privacy measures.

      The debate centers on Section 702 of the Foreign Intelligence Surveillance Act, which allows for collection of foreign intelligence data, and that privacy advocates say invasively scoops up Americans’ communications. The authorization for the program is set to expire later this month, if not reauthorized. Section 702 allows the National Security Agency to continue controversial surveillance activities like PRISM, which the agency uses to scan through data held by American tech companies.

    • Trump tweet throws today’s House surveillance votes into chaos [Updated]

      As recently as last night, the Trump administration was strongly in favor of legislation to renew one of the federal government’s most controversial spying powers. Known to insiders as Section 702 of the FISA Amendments Act, the law grants the government surveillance powers that are only supposed to be used on targets outside the United States.

      Civil liberties groups say that the law can too easily be used to sweep up the private communications of Americans. And they’re backing legislation called the USA Rights Act to place new restrictions on the use of 702 spying powers—the House of Representatives was voting on that amendment as we published this story. Last night, the White House put out a statement condemning USA Rights.

    • NSA Mass Surveillance Survives Trump Tweet Attack

      It was a delicate and belated legislative minuet, in pursuit of a goal that aligned Donald Trump, his House GOP allies, some Democratic adversaries, and the intelligence agencies he derides as Nazi-like. Perhaps predictably, Trump disrupted all those complex congressional machinations with a tweet.

    • House passes legislation to renew key NSA surveillance program after Trump’s contradictory tweets

      The House voted decisively Thursday to reauthorize a powerful government authority to conduct foreign surveillance on U.S. soil, overcoming opposition from privacy advocates and confusion sown by contradictory and seemingly misinformed tweets from President Trump questioning his administration’s support for the program.

    • How the Government Hides Secret Surveillance Programs

      In 2013, 18-year-old Tadrae McKenzie robbed a marijuana dealer for $130 worth of pot at a Taco Bell in Tallahassee, Florida. He and two friends had used BB guns to carry out the crime, which under Florida law constitutes robbery with a deadly weapon. McKenzie braced himself to serve the minimum four years in prison.

      But in the end, a state judge offered McKenzie a startlingly lenient plea deal: He was ordered to serve only six months’ probation, after pleading guilty to a second-degree misdemeanor. The remarkable deal was related to evidence McKenzie’s defense team uncovered before the trial: Law enforcement had used a secret surveillance tool often called Stingray to investigate his case.

      Stingrays are devices that behave like fake cellphone towers, tricking phones into believing they’re pinging genuine towers nearby. By using the device, cops can determine a suspect’s precise location, outgoing and incoming calls, and even listen in on a call or see the content of a text message.

    • CBP: More fliers being asked to allow access to phones, devices

      The American Civil Liberties Union praised the policy for requiring officers to have some suspicion before copying and using electronic methods to search a device. But the Constitution still requires that the agency get a search warrant based on probable cause to search a device, according to the ACLU.

    • Surprise: Women watched more porn in 2017
    • Congress Is About to Vote On Expanding the Warrantless Surveillance of Americans

      Section 702 of the Foreign Intelligence Surveillance Act has been abused by the intelligence agencies to spy on Americans. This week the House of Representatives will vote on a bill to make that legal.

    • Western Digital My Cloud drives have a built-in backdoor: Remote access of files is possible

      [...] No fix has been issued to date.

      More troubling is the existence of a hard coded backdoor with credentials that cannot be changed. Logging in to Western Digital My Cloud services can be done by anybody using “mydlinkBRionyg” as the administrator username and “abc12345cba” as the password. Once logged in, shell access is readily available followed with plenty of opportunity for injection of commands.

    • FBI chief calls encryption a ‘major public safety issue’

      He added: “I just do not buy the claim that it’s impossible.”

    • FBI expert lashes Apple ‘jerks’ over iPhone security
    • FBI Hacker [sic] Says Apple Are ‘Jerks’ and ‘Evil Geniuses’ for Encrypting iPhones

      Cybersecurity experts and civil liberties organizations, meanwhile, have long made the case that iPhone encryption keeps the average consumer’s data safe from hackers and authoritarian surveillance, a net benefit for society.

    • WhatsApp Security Flaws Could Allow Snoops to Slide Into Group Chats

      When WhatsApp added end-to-end encryption to every conversation for its billion users two years ago, the mobile messaging giant significantly raised the bar for the privacy of digital communications worldwide. But one of the tricky elements of encryption—and even trickier in a group chat setting—has always been ensuring that a secure conversation reaches only the intended audience, rather than some impostor or infiltrator. And according to new research from one team of German cryptographers, flaws in WhatsApp make infiltrating the app’s group chats much easier than ought to be possible.

      At the Real World Crypto security conference Wednesday in Zurich, Switzerland, a group of researchers from the Ruhr University Bochum in Germany plan to describe a series of flaws in encrypted messaging apps including WhatsApp, Signal, and Threema. The team argues their findings undermine each app’s security claims for multi-person group conversations to varying degrees.

      But while the Signal and Threema flaws they found were relatively harmless, the researchers unearthed far more significant gaps in WhatsApp’s security: They say that anyone who controls WhatsApp’s servers could effortlessly insert new people into an otherwise private group, even without the permission of the administrator who ostensibly controls access to that conversation.

    • Are Your WhatsApp Encrypted Group Chats Exposed To Strangers?

      According to a Wired report, the flaws allow a person with the control of WhatsApp’s servers to add anyone to a WhatsApp group without admin permission.

    • WhatsApp ‘bug’ raises questions over group message privacy

      Anyone in control of WhatsApp’s servers – like an employee instructed by a government, for example – could spoof security processes and add new members to groups and snoop on private conversations, researchers at Germany’s Ruhr University Bochum have claimed.

    • Peers have a chance to make the UK one of the safest places to be online. They should take it.

      Do you remember that time when Uber didn’t tell us that the data of 57 million of their users got exposed? Or that time when Equifax failed to protect data of 400,000 people in the UK? Or those two Yahoo hacks that breached more than one billion accounts? Oh, and that time when TalkTalk was fined £400,000 for inadequately protecting 156,959 accounts of their customers?

      I could go on. These are just a fraction of the data breaches that have caused leaks of people’s data. Every time you provide your name, date of birth, home address or details for an online payment to a company you do so based on trust that they will keep your data safe. But increasingly, companies fail their customers.

      Currently, the Government’s Data Protection Bill will give citizens the power to instruct a select group of not-for-profit bodies to represent them in complaints to the data protection authority or the judiciary. This is required of the Government – Article 80(1) is a mandatory provision in the EU’s General Data Protection Regulation (GDPR).

    • The House Intelligence Committee’s Section 702 Bill is a Wolf in Sheep’s Clothing
    • US House To Vote On FISA Mass Surveillance Bill Today
    • Surveillance and Privacy Debate Reaches Pivotal Moment in Congress
    • House headed for cliffhanger vote on NSA surveillance
    • Tight Vote Ahead for House on NSA Surveillance
    • Amash, Paul, and Others Trying to Stop Congress from Expanding Domestic Surveillance Powers
    • Congress Seeks to Increase FBI Surveillance Powers, Here’s What They Already Got
    • These are the favorites to become the next NSA director

      With NSA Director Adm. Mike Rogers set to retire later this year, several prominent names are already being floated among government leaders as to who will become the next leader of the country’s premier signals intelligence agency.

    • Analog Equivalent Privacy Rights (10/21): Analog journalism was protected; digital journalism isn’t

      In the analog world of our parents, leaks to the press were heavily protected in both ends – both for the leaker and for the reporter receiving the leak. In the digital world of our children, this has been unceremoniously thrown out the window while discussing something unrelated entirely. Why aren’t our digital children afforded the same checks and balances?

    • Facebook begins testing local news app

      News specific to these communities will be directed to users by both human curators and algorithms. News appearing on each city’s “Today In” feed will reportedly be vetted by Facebook’s news partnership team.

    • The most powerful internet of things companies
  • Civil Rights/Policing

    • Myanmar prosecutor seeks Official Secrets Act charges against two Reuters reporters

      Myanmar prosecutors sought charges on Wednesday against two Reuters reporters under the Official Secrets Act, which carries a maximum prison sentence of 14 years, the reporters’ lawyer said.

      Wa Lone, 31, and Kyaw Soe Oo, 27, were detained on Dec. 12 after they had been invited to meet police officers over dinner. Family members have said the two told them they were arrested almost immediately after being handed some documents by the officers they had gone to meet.

      The two had worked on Reuters coverage of a crisis in the western state of Rakhine, where – according to U.N. estimates – about 655,000 Rohingya Muslims have fled from a fierce military crackdown on militants.

    • Ninth Circuit Doubles Down: Violating a Website’s Terms of Service Is Not a Crime

      Good news out of the Ninth Circuit: the federal court of appeals heeded EFF’s advice and rejected an attempt by Oracle to hold a company criminally liable for accessing Oracle’s website in a manner it didn’t like. The court ruled back in 2012 that merely violating a website’s terms of use is not a crime under the federal computer crime statute, the Computer Fraud and Abuse Act. But some companies, like Oracle, turned to state computer crime statutes—in this case, California and Nevada—to enforce their computer use preferences.

      This decision shores up the good precedent from 2012 and makes clear—if it wasn’t clear already—that violating a corporate computer use policy is not a crime.

      Oracle v. Rimini involves Oracle’s terms of use prohibition on the use of automated methods to download support materials from the company’s website. Rimini, which provides Oracle clients with software support that competes with Oracle’s own services, violated that provision by using automated scripts instead of downloading each file individually. Oracle sent Rimini a cease and desist letter demanding that it stop using automated scripts, but Oracle didn’t rescind Rimini’s authorization to access the files outright. Rimini still had authorization from Oracle to access the files, but Oracle wanted them to access them manually—which would have seriously slowed down Rimini’s ability to service customers.

      Rimini stopped using automatic downloading tools for about a year but then resumed using automated scripts to download support documents and files, since downloading all of the materials manually would have been burdensome, and Oracle sued. The jury found Rimini guilty under both the California and Nevada computer crime statutes, and the judge upheld that verdict—concluding that, under both statutes, violating a website’s terms of service counts as using a computer without authorization or permission.

    • New Jersey Prisons Reverse Course on Banning ‘The New Jim Crow’ After ACLU of New Jersey Letter

      The state with the worst racial disparities in incarceration lifts ban on Michelle Alexander’s seminal book.

      Michelle Alexander dedicates her book, “The New Jim Crow,” to the people who have been swept up by America’s racist criminal justice system. “You may be locked up or locked out of mainstream society, but you are not forgotten.” For the first time, all prisoners across New Jersey can read her words.

      The ACLU of New Jersey learned that “The New Jim Crow” was banned as a matter of official policy in at least two prisons: New Jersey State Prison and Southern State Correctional Facility. On Monday, we sent a letter to the Department of Corrections commissioner telling him that the ban was not only unconstitutional as a violation of the First Amendment, but also that it was a deeply disturbing policy, especially since New Jersey has the worst racial disparities in incarceration in the entire country.

    • ICE Abused Somalis for 2 Days On a Plane and Now Wants to Send Them Into Harm’s Way

      It is not only immoral to deport people to countries where they will be violently persecuted. It’s illegal.

      Rahim Mohamed’s daughter was born in October, but the 32-year-old father, who has been detained in immigration custody since April, has not seen or held her. If Immigration and Customs Enforcement has its way, he won’t get that chance. Instead, he will be summarily deported to Somalia, despite the fact that Rahim fears persecution by Al-Shabaab, the Somali-based affiliate of Al-Qaeda, and would be leaving behind his U.S. citizen wife, toddler son, and infant daughter.

      Rahim is one of 92 Somali nationals, currently locked up in Florida, who ICE is rushing to deport before they have a chance to ask to reopen their immigration cases so that a judge can consider the danger to their lives. The Somalis have filed a lawsuit against ICE to stop their immediate deportations. In addition to the ACLU, they are represented by the Immigration Clinic at the University of Miami School of Law, Americans for Immigrant Justice, the James H. Binger Center for New Americans at the University of Minnesota Law School, the Legal Aid Service of Broward County, and The Advocates for Human Rights.

      On Tuesday, we appeared in federal court to argue that these men and women must receive a full and fair opportunity to reopen their cases before an immigration judge in keeping with due process and habeas corpus rights. It is against U.S. law to deport anyone to a country where they are likely to be persecuted or tortured. Immigration law also permits the reopening of removal orders based on changed circumstances.

      However, ICE seems intent on ignoring both of these facts.

    • Top U.S. Government Computers Linked to Revenge-Porn Site

      Revenge porn, where people share intimate images of others in order to intimidate, harass, or embarrass, is rampant. Now, data obtained by a security analyst and shared with The Daily Beast reveals the behind-the-scenes of the epicenter of revenge porn: a notorious image board called Anon-IB, where users constantly upload non-consensual imagery, comment on it, and trade nudes like baseball cards.

      The data shows Anon-IB users connecting from U.S. Senate, Navy, and other government computers, including the Executive Office of the President, even as senators push for a bill that would further combat the practice, and after the military’s own recent revenge-porn crisis.

      “Wow tig ol bitties. You have any nudes to share?” someone wrote in November, underneath a photo of a woman who apparently works in D.C., while connecting from an IP address registered to the U.S. Senate.

    • A Fourth Young Immigrant Woman Is Being Blocked by the Trump Administration From Obtaining an Abortion

      The ACLU filed papers on behalf of yet another 17-year-old girl whose right to an abortion is being flagrantly disregarded.

      First there was Jane Doe. Then there were Jane Roe and Poe. Now Jane Moe has come to our attention.

      Earlier this week, we learned that yet another 17-year-old immigrant in government custody was being blocked by the Trump administration from obtaining an abortion.

      Jane Moe, who is believed to be in her second trimester of pregnancy, made clear her desire to terminate her pregnancy two weeks ago. Private funds are available to pay for her abortion, and staff at the shelter where she is being held are willing to accompany Ms. Moe to a clinic, but as in three prior cases, the government is refusing to allow it.

    • How Poor Health Care Turned Walter Jordan’s Prison Sentence into a Death Sentence

      Arizona prisons are causing harm and death because of inadequate medical and mental health care.

      Walter Jordan tried to tell the world he was dying in prison in Arizona when he mailed a handwritten message, titled “Notice of Impending Death,” to the federal court in Phoenix. Nine days later, he was dead. According to Dr. Todd Wilcox, a physician who reviewed Jordan’s case, the 67-year-old might have survived if he had received competent treatment by the Arizona Department of Corrections (ADOC) and its private, for-profit health care contractor, Corizon Health.

      Jordan died of an invasive squamous cell skin cancer that ate through his skull and invaded his brain. Dr. Wilcox identified multiple deficiencies in Jordan’s care, concluding that his death was “unfortunate and horrific” and that he had suffered “excruciating needless pain” in the final months of his life.

      Jordan himself testified to his own impending death in his letter. “ADOC and Corizon delayed treating my cancer,” he wrote. “Now because of there [sic] delay, I may be luckey [sic] to be alive for 30 days.”

      Jordan died in prison, but his words have reached us, and they are a call to action against poor prison conditions that lead to pain and death for prisoners who have a right to proper care from the institutions charged with their custody.

      This is not a new problem.

  • Internet Policy/Net Neutrality

    • Trump’s New Rural Broadband Executive Order Doesn’t Actually Do Much Of Anything

      You have probably noticed by now that the biggest problem in the U.S. broadband market is a lack of vibrant competition in many areas. This lack of competition over the “last mile” is the core reason for the majority of the problems in the sector, from privacy violations to net neutrality infractions. And while lawmakers from both parties adore paying empty lip service to making broadband faster, cheaper, and more available, very few have the courage to stand up to AT&T, Verizon, and Comcast and actually implement policies that improve our competitive options.

      More often than not, government’s “solution” for the broadband market involves first ignoring that there’s any real competition problem whatsoever, then hyping “broadband expansion” efforts that fail to truly address the underlying problems.

      That’s usually accomplished via programs with “goals” that would have been accomplished anyway. Like when Obama promised in 2011 to ensure wireless broadband reached 98% of the public (ignoring the problem of high prices and usage caps, or the fact this coverage was going to occur anyway), or when Obama’s former FCC boss Julius Genachowski promised a gigabit ISP in each one of the fifty states (also something that would have happened without government involvement). Such efforts usually comically ignore how limited competition and high prices are the biggest problem.

    • Nebraska The First ‘Red’ State To Craft Its Own Net Neutrality Law

      So we’ve noted repeatedly how the attack on net neutrality is just one small part of a much larger, dumber plan by major ISPs to neuter nearly all federal and state oversight. A plan that involves gutting all meaningful FCC authority over broadband ISPs, then shoveling any remaining authority to the FTC. An FTC (surprise surprise) the broadband industry is currently in court arguing has no authority over broadband providers. Ajit Pai’s FCC (at Verizon and Comcast lobbyists’ request) also included provisions pre-empting states from trying to protect consumer privacy or net neutrality.

      So far individual states aren’t listening. New York, Washington, Minnesota, Massachusetts and California are all pushing their own net neutrality rules. And since the FCC’s net neutrality repeal prohibits states from passing such laws, many of these states are creatively eyeing provisions that require ISPs adhere to net neutrality if they want to win government contracts, or if they want to keep getting taxpayer subsidies for those fiber networks they always tend to leave half built anyway.

      ISP lobbyists have already begun trying to argue that these individual state efforts create a discordant patchwork of regulations that may be difficult to adhere to. But that’s the sort of thing said lobbyists should have thought about before rushing mindlessly to destroy federal net neutrality rules. Rules that were actually among the more modest of any of the developed nations that have passed such protections (see The Netherlands, India, Japan, Canada, Germany).

  • Intellectual Monopolies

    • How International IP Policy Reconfigured National Politics: An Interview With Prof. Ken Shadlen

      One reading of that is that conflicts are now waged over smaller issues, in that the sorts of things that affect how a pharmaceutical patent system functions are more narrow issues than things such as when to start granting patents and whether to do so retroactively (not to mention the first order question of whether to have a patent system at all). But while that’s all correct, the conflicts remain intense in this more narrow space.

    • Copyrights

      • Judge Issues Devastating Order Against BitTorrent Copyright Troll

        A Washington District Court has issued a devastating order against a copyright holder of the film “Once Upon a Time in Venice,” which chases alleged BitTorrent pirates for cash settlements. The Court points out that one of their experts is unqualified, doubts whether declarants even exist, and highlights that IP-address evidence may have been obtained illegally.

EPO Lobby and Team UPC’s ‘Resistance’ to the UPC Opposition in Germany

Posted in Europe, Patents at 3:42 pm by Dr. Roy Schestowitz

Tilmann and co.

German UPC proceedings

Summary: German UPC proceedings have yielded submissions from Team UPC, but will the court know why they are lobbying the court and what destructive agenda they have in mind?

“The first 3rd party statement in the German court proceedings has been made public,” a reader told us today. The deadline was almost a fortnight ago and they have put a document out there (direct link to the PDF, which is in German). Watch the names on it. So objective a group, eh? They are not concerned citizens but greedy, self-serving people who propelled the UPC to where it got.

The EPO is meanwhile pushing hard its so-called ‘paper’ (which it paid academics to produce, allegedly to help lobby the German court). It wrote about it no less than twice today [1, 2]. “Improved harmonisation of Europe’s patent system has the potential to increase trade & FDI in high-tech sectors by up to 2% & 15% in the EU,” said the first tweet and the second said this: “Stronger patent protection has a significant positive impact on high-IP imports and on the value and number of FDI deals in high-IP sectors.”

The EPO is basically trying to buy ‘facts’. It’s a new low for the EPO (it was at the time) because it practically corrupts academia.

The UPC is more or less dead (just not officially). No point pushing it in the UK now that Johnson is out, but they are so desperate that they will attempt anything, even 39 pages of text (as above) and money for corruptible academics.

What’s at stake here is Europe’s future. Will it harbour innovation or embargo? To use this example from today at IAM, China is the next Eastern District of Texas. Shenzhen facilitates embargoes now:

The Intermediate People’s Court in Shenzhen has handed down the latest milestone Chinese FRAND decision, with local telecom Huawei earning an SEP injunction as part of its wide-ranging assertion campaign against Samsung Electronics.

The decision was announced by an official social media channel of the court today. The short notice describes the ruling as the first SEP injunction to be issued in China on the basis of an “international” SEP. The Beijing IP Court previously granted an injunction against Sony back in March 2017, but the standard at issue there was WAPI, a seldom-used protocol which is only implemented in China.

Now consider the UPC. Imagine how many European SMEs would be subjected to worldwide or EU-wide embargoes due to just one single action of one patent bully or patent troll. Based on a judgment delivered in a language that the SME does not even understand… the entire prospect in its own right is insane.

126th Session of the ILO Administrative Tribunal is Around the Corner and EPO Staff Representatives Will Have Their Cases Heard Soon

Posted in Europe, Patents at 10:29 am by Dr. Roy Schestowitz

Remember that it can take many years for ILO to process EPO cases and there’s a massive backlog

ILO Administrative Tribunal Sessions

Summary: With infinitesimal chances of justice inside the EPO, workers turn to ILO, which has fallen really badly behind and is unable to correct injustices in a timely manner; there is, however, still hope

THE EPO will no doubt play a big role in the next (and imminent) session of the ILO Administrative Tribunal. It was the “big story” of the last session, where half the decisions concerned the EPO and several were about Judge Corcoran.

Based on the above tweets, which someone told us about, some former EPO staff representatives are going to have their cases heard and decided on. Also, based on this new article (just promoted by SUEPO), Ciaran McGinley's departure predates or precedes some profoundly inane organisational chaos. McGinley himself used to be in staff representation, although people we heard from generally regarded him as something of a “sellout” (to top-level management). Here is the relevant portion from the article:

In an internal memo, the Staff Union of the EPO (SUEPO) has described the merger as a “disaster in the making”, arguing that it has split patent administration staff into much smaller units of around four to seven members, which are required to provide the same service as the much larger units, which contained around 15 to 20 staff, used before the merge.

To cope with rising workloads, 18 months ago the now ex-director of patent administration at the EPO, Ciaran McGinley, implemented a structure of hubs in which staff were regrouped into large units with “sufficient manpower and expertise”, according to SUEPO.

Of the new structure, the memo said: “Such division into small units creates obvious issues of unequally distributed expertise (individual patent administration staff cannot master perfectly the many necessary procedures).”

“Even the patent administration procedures that until now were centralised in a dedicated unit, like the receiving office for WIPO in the EPO, will be decentralised to the small units … expertise will be much more diluted than before.”

The memo added: “To solve the problem they have created, management has decided to train intensively all patent administration staff in basically all procedures. This is taking place while patent administration staff is already struggling with the workload, further increasing work strain. In any event, one cannot reasonably expect that a hasty training will allow building up the necessary level of expertise in all the small teams.”

They don’t care about expertise; as we pointed out in several articles last night, Battistelli and his cabal just want patents issued as fast as possible and with minimal scrutiny/challenge. EPO is becoming INPI or SIPO. In other words, it is becoming the very opposite of what it was once renowned for.
