Bonum Certa Men Certa

Links 9/8/2019: LibreOffice 6.3, Red Hat Joins The RISC-V Foundation, KernelShark 1.0, End of LJ

  • GNU/Linux

    • Desktop

      • System76's First 4K OLED Linux Laptop Is Now Available to Order

        Unveiled last week, the Linux-powered Adder WS laptop is System76's very first computer to feature a beautiful and vibrant 4K OLED glossy display with true-to-life blacks. The 15.6-inch 4K OLED display is capable of 3840x2160 resolutions and it's perfect for the latest games and 3D apps.

        "Discover a world of prismatic color. With the finest pixels imaginable, the Adder WS’ 4K OLED display features nebulaic hues and blacks deep as the void to bring the universe home," said System76. "And on the Adder WS’ OLED display, Pop!_OS and its Dark Mode aesthetic reach the pinnacle of visual appeal."

    • Server

      • My Favorite Infrastructure

        PCI policy pays a lot of attention to systems that manage sensitive cardholder data. These systems are labeled as "in scope", which means they must comply with PCI-DSS standards. This scope extends to systems that interact with these sensitive systems, and there is a strong emphasis on compartmentation—separating and isolating the systems that are in scope from the rest of the systems, so you can put tight controls on their network access, including which administrators can access them and how.

        Our architecture started with a strict separation between development and production environments. In a traditional data center, you might accomplish this by using separate physical network and server equipment (or using abstractions to virtualize the separation). In the case of cloud providers, one of the easiest, safest and most portable ways to do it is by using completely separate accounts for each environment. In this way, there's no risk that a misconfiguration would expose production to development, and it has a side benefit of making it easy to calculate how much each environment is costing you per month.

        When it came to the actual server architecture, we divided servers into individual roles and gave them generic role-based names. We then took advantage of the Virtual Private Cloud feature in Amazon Web Services to isolate each of these roles into its own subnet, so we could isolate each type of server from others and tightly control access between them.

        By default, Virtual Private Cloud servers are either in the DMZ and have public IP addresses, or they have only internal addresses. We opted to put as few servers as possible in the DMZ, so most servers in the environment only had a private IP address. We intentionally did not set up a gateway server that routed all of these servers' traffic to the internet—their isolation from the internet was a feature!

        Of course, some internal servers did need some internet access. For those servers, it was only to talk to a small number of external web services. We set up a series of HTTP proxies in the DMZ that handled different use cases and had strict whitelists in place. That way we could restrict internet access from outside the host itself to just the sites it needed, while also not having to worry about collecting lists of IP blocks for a particular service (particularly challenging these days since everyone uses cloud servers).


        Although I covered a lot of ground in this infrastructure write-up, I still covered only a lot of the higher-level details. For instance, deploying a fault-tolerant, scalable Postgres database could be an article all by itself. I also didn't talk much about the extensive documentation I wrote that, much like my articles in Linux Journal, walks the reader through how to use all of these tools we built.

        As I mentioned at the beginning of this article, this is only an example of an infrastructure design that I found worked well for me with my constraints. Your constraints might be different and might lead to a different design. The goal here is to provide you with one successful approach, so you might be inspired to adapt it to your own needs.

      • IBM

    • Audiocasts/Shows

      • Ubuntu Podcast from the UK LoCo: S12E18 – Pilotwings

        This week we’ve been running Steam in the cloud via an NVIDIA SHIELD TV. We discuss if we even need new distros and whether its more Linux apps we need. Plus we bring you some GUI love and go over all your feedback.

        It’s Season 12 Episode 18 of the Ubuntu Podcast! Mark Johnson, Martin Wimpress and Mattias Wernér are connected and speaking to your brain.

      • Python Bytes: #142 There's a bandit in the Python space
      • Bad Voltage 2×57: Banned, On The Run

        Stuart Langridge, Jono Bacon, and Jeremy Garcia present Bad Voltage, in which we h4XX0r the Dark Web to pwn your s3ns3s, other people are inexplicably less annoyed about this than Stuart is...

      • OBS Studio + Endless OS | Choose Linux 15

        Distrohoppers delivers a distro that divides us, and we check out the video streaming and recording software OBS Studio.

        Plus a handy audio recorder that’s as simple as it gets.

      • My New Free NAS | BSD Now 310

        OPNsense 19.7.1 is out, ZFS on Linux still has annoying issues with ARC size, Hammer2 is now default, NetBSD audio – an application perspective, new FreeNAS Mini, and more.

    • Kernel Space

      • Bounded loops in BPF for the 5.3 kernel

        BPF programs have gained significantly in capabilities over the last few years and can now perform many useful operations. That said, BPF developers have had to work around an annoying limitation until recently: they could not use loops. This restriction was recently lifted by a patch set from Alexei Starovoitov that was merged for Linux 5.3. In addition to adding support for loops, it also greatly decreases the load time of most BPF programs.

      • KernelShark releases version 1.0

        It has been the better part of a decade since the last KernelShark article appeared here; in the interim, the kernel-tracing visualization tool has undergone some major changes. While the high-level appearance is largely similar, the underlying code has switched from GTK+ 2.0 to Qt 5. On July 26, maintainer Steven Rostedt announced the release of KernelShark version 1.0, which makes it a good time to take another peek.

        KernelShark is a graphical interface to help track down information in the voluminous kernel traces that trace-cmd can produce. trace-cmd is a front end for the ftrace kernel tracer. Rostedt wrote about trace-cmd and ftrace (part 1 and part 2) for LWN nearly a decade ago as well. Ftrace can collect an enormous amount of information from within a running kernel; trace-cmd simply makes it much easier for users to configure and manage those traces. KernelShark adds yet another level of capabilities.

      • Another Episode of "Seems Perfectly Feasible and Then Dies"--Script to Simplify the Process of Changing System Call Tables

        David Howells put in quite a bit of work on a script, ./scripts/, to simplify the entire process of changing the system call tables. With this script, it was a simple matter to add, remove, rename or renumber any system call you liked. The script also would resolve git conflicts, in the event that two repositories renumbered the system calls in conflicting ways.

        Why did David need to write this patch? Why weren't system calls already fairly easy to manage? When you make a system call, you add it to a master list, and then you add it to the system call "tables", which is where the running kernel looks up which kernel function corresponds to which system call number. Kernel developers need to make sure system calls are represented in all relevant spots in the source tree. Renaming, renumbering and making other changes to system calls involves a lot of fiddly little details. David's script simply would do everything right—end of story no problemo hasta la vista.

        Arnd Bergmann remarked, "Ah, fun. You had already threatened to add that script in the past. The implementation of course looks fine, I was just hoping we could instead eliminate the need for it first." But, bowing to necessity, Arnd offered some technical suggestions for improvements to the patch.

      • Completing the pidfd API

        Unix-like systems traditionally represent many objects as files, but processes have always been an exception. They are, instead, represented by process IDs (PIDs), which are small integers — limited to 32767 by default, though that limit can be raised on Linux systems. There are a few problems with this representation, but the biggest one is arguably that PIDs are reused; when a process exits, its PID can be assigned to a new, unrelated process, and this can happen quickly. That creates a race condition where code that operates on a process, most often by sending it a signal, might end up performing an action on the wrong process.

        A pidfd is, instead, a file descriptor that refers to an existing process. Once the pidfd exists, it will only refer to that one process, so it can be used to send signals without worry that the wrong process might end up being the recipient. This feature is valuable enough that some process-management systems, most notably the one used by Android, are being rewritten to take advantage of it.

        There are two ways to create a pidfd. The preferred method in most cases will be to supply the CLONE_F_PIDFD flag to the clone() system call (or perhaps clone3() in the future); upon successful process creation, a pidfd representing the child will be returned to the parent. It is also possible to create a pidfd for an existing process with pidfd_open(), which was merged for the 5.3 kernel.

      • Graphics Stack

        • libinput 1.14.0
          libinput 1.14.0 is now available.

          A flurry of patches over the last RC but most of these were CI related. Two new significant bugfixes: the calibration matrix is now returned correctly even when it is the identity matrix. And the tablet pressure range is scaled correctly into the available physical range. Previously, the bottom 5% where effectively missing and pressure offset on worn-out pens handling took some of the scale away from the top.

          Below is the text from the 1.14.rc1 announcement which lists the other big features added since the 1.13 release.

          We have new and improved thumb detection for touchpads, thanks to Matt Mayfield. On Clickpad devices this should make interactions where a thumb is resting on the touchpad or dropped during an interaction more reliable. A summary of the changes can be found here:

          The Dell Canvas Totem is now supported by libinput. It is exposed as a new tool type through the tablet interface along with two new axes. Note that this is only low-level support, the actual integration of the totem needs Wayland protocol changes and significant changes in all applications that want to make use of it. A summary of the changes can be found here.

          Touch-capable tablets now tie both devices together for rotation. If you set the tablet to left-handed, the touchpad will be rotated along with the tablet. Note that this does not affect the left-handed-ness of the touchpad, merely the rotation.

          Tablet proximity out handling for tablets that are unreliably sending proximity out events is now always timeout-based. It is no longer necessary to add per-device quirks to enable this feature and it is completely transparent on devices that work correctly anyway. The blog post below has a summary:

          Tablets that send duplicate tools (BTN_TOOL_PEN and BTN_TOOL_ERASER) now ignore the latter. This is an intermediate fix only but at least makes those tablets more usable than they are now. Issue #259 is the tracker for this particular behaviour if you are affected by it.

          The handling of kernel fuzz has been slightly improved. Where our udev rule fails to reset the fuzz on the kernel device, we disable the hysteresis and rely on the kernel now to handle it. Previously our hysteresis would take effect on top of the kernel's, causing nonresponsive behaviour.

          Note to distribitors: the python-evdev dependency has been dropped, the tools that used it are now using python-libevdev instead.

          As usual, the git shortlog is below.

          Benjamin Tissoires (3): gitlab-ci: allow to run on unprivileged containers gitlab-ci: force using docker format for the generated images tests: increase the timeout for the subprocess to receive the quit signal

          Brian Ashworth (1): evdev: always store user calibration matrix

          Peter Hutterer (14): tools: record: fix segfault on exit tools: record: fix two memory leaks drop explicit install:true from configure_file gitlab CI: replace the user:password with a netrc file gitlab CI: fetch the WAYLAND_WEB_TOKEN from a file tablet: point the pressure offset log messages to the right URL tablet: add a comment explaining why we adjust the pressure offset downwards Add the ck_double_eq_tol() macros to the backwards compat headers test: fix the pressure offset tests tablet: make the pressure-offset inclusive of the axis minimum tablet: reduce the pressure range by the offset test: don't test at the 100 y range tablet: scale the available pressure range into the pressure thresholds libinput 1.14.0

          git tag: 1.14.0
        • Libinput 1.14 Released With Dell Canvas Totem Support, Touchpad Improvements

          Version 1.14 of the libinput library for unified input handling on Linux X.Org and Wayland systems is now available.

          Libinput 1.14 is notable for introducing support for the Dell Canvas Totem input device as a unique input device and we could be seeing more of these types of devices in the future.

        • Khronos Releases OpenCL 2.2-11 While Still Waiting For OpenCL-Next

          The Khronos Group has released the OpenCL 2.2-11 specification to address various issues with the existing OpenCL specification while the next major release as "OpenCL-Next" is likely still a number of months away.

          OpenCL 2.2-11 was released overnight with various bug fixes, clarifications, better formatting of the documentation, and integration with the OpenCL reference pages. That updated specification is available from the Registry.

    • Benchmarks

      • Summing Up The AMD EPYC 7742 2P Performance In One Graphic

        If you didn't have a chance since last night to check out our benchmarks of the AMD EPYC 7742 and EPYC 7502 Linux performance, I certainly encourage you to do so. Even if you aren't a server enthusiast, it's incredible to see the engineering achievement of AMD with Zen 2 and how the race is certainly back on in the CPU space. If you are short on time, here's the quick summary of our initial AMD EPYC 7002 benchmark results.

        As all independent reviewers seem to be in consensus, the EPYC 7002 series is a godsend for just about everyone, sans Intel. The EPYC 7002 line-up provides the most competitive option against Intel we've seen in the server space in many years if not ever, customers have these lower-cost CPUs that actually perform better and more power efficient in a majority of real-world workloads, and Rome further benefits consumers by reigniting Intel's engine and they will certainly need to respond in some manner by either (much) better pricing or some card up their sleeves.

    • Applications

      • 20 Vector Graphics Software For Linux: Tools To Create Beautiful Designs

        Vector graphics software paves the way of editing, manipulating, drawing and modifying images, diagram and figure seamlessly with sophistication and perfectness. There are far-ranges of vector graphics editors that are commonly used on the Linux platform. These vector graphics tools smooth the way of creating digital objects for the designers, and the objects can be scaled indefinitely without losing quality. Graphics applications are frequently used to generate high regulations illustration to use in web, multimedia, and games.

      • Markdown beginner's cheat sheet

        Markdown is a widely adopted plain-text formatting syntax used to specify HTML rendering. It is also an essential skill to learn if you want to contribute to open source software.

        Like many concepts in open source communities, there are multiple, domain-specific distributions of Markdown. CommonMark provides an unambiguous rendering specification for defined Markdown incantations while many communities offer extensions to the official specification.

        This cheat sheet provides you with a reliable baseline for writing and reading Markdown using the CommonMark specification. It also includes syntax for the two most popular Git repository services, GitHub and GitLab. Each service extends CommonMark to give users helpful shortcuts to common, or just plain fun, markup.

      • Mark Text Markdown Editor 0.15.0 Adds GUI Settings, New Find In Files Backend

        A new version of Mark Text, a popular Markdown editor, is out. Mark Text 0.15.0 includes a new find in files backend, new GUI settings, and a rewritten image component.

        Mark Text is a free and open source Electron Markdown editor for Windows, Mac and Linux. It features support for CommonMark and GitHub Flavored Markdown, seamless live preview, multiple edit modes, and support for code fence for all popular languages.

        In the latest 0.15 release, Mark Text has received a new preferences window (File > Preferences). In earlier versions, the application preferences could only be chanced by editing a configuration file (, which opened in Mark Text. This is now deprecated in favor of the new Preferences window.

      • Cockpit Project: Cockpit 200

        Cockpit is the modern Linux admin interface. We release regularly. This is version Two Hundred, prepared for you live and in person from the Cockpit team sprint in Berlin!

      • GTK-VNC 1.0 Released With GTK3 Requirement & Other Improvements

        GTK-VNC 1.0 switched from Autotools to Meson as its build system but more notably it finally gutted its GTK2 support and now mandates the GTK3 tool-kit. GTK-VNC 1.0 also has improved demos for showing off this VNC viewing widget, fixes a variety of authentication issues, and has a number of other fixes throughout.

      • Darling: macOS compatibility for Linux

        There is an increasingly active development effort, known as Darling, that is aiming to provide a translation layer for macOS software on Linux; it is inspired in part by Wine. While Darling isn't nearly as mature as Wine, contributors are continuing to build out capabilities that could make the project more useful to a wider group of users in the future.


        Darling is licensed under GPLv3 and, according to the project home page, it does not violate Apple's End User License Agreement (EULA) since it only uses the parts of Darwin that have been released as free software. Darwin, however, is licensed under the Apple Public Source License (APSL), which is a free-software license, but is not compatible with the GPL according to the FSF.

    • Instructionals/Technical

    • Games

      • Eagle Island's first major update is out now, with a plenty of tweaks included

        Eagle Island, the gorgeous pixel-art rogue-lite platformers from Pixelnicks just had a major update. Solving some issues players were having, along with some new options to tweak how you play.

        The developer said one of their major aims with Eagle Island was to make rogue-lites more accessible. They mostly succeeded on that too but this update aims to enable even more players to enjoy what it has to offer.

      • In the noire detective game Interrogation, you will take down a mysterious terrorist organization

        Interrogation seems like it could be good, a noire detective game where you will take down a mysterious terrorist organization named The Liberation Front.

      • The monster taming metroidvania "Monster Sanctuary" enters Early Access this month

        Now this is exciting, as a huge fan of creature collecting and battling games, I've been closely following Monster Sanctuary since the original Kickstarter.

      • Steam Play Proton 4.11-2 is out, upgrading DXVK and FAudio

        Valve along with CodeWeavers today issued a small and focused update to Proton, the software behind Steam Play.

      • Proton 4.11-2 Pulls In Newest DXVK While Fixing High Refresh Rates For Older Games

        Following the big Proton 4.11 update for Valve's Steam Play that just arrived over one week ago, a second update to this Wine-derived software is now available for enhancing the Windows games on Linux experience.

        Proton 4.11-2 updates now against the new and improved DXVK 1.3.2. Just pulling in new DXVK updates tend to be worthwhile but this 4.11-2 release also upgrades to FAudio 19.08 and Wine-Mono 4.9.2.

      • Animated entirely in ASCII symbols, Stone Story RPG enters Early Access

        I'm very much used to seeing roguelikes with ASCII art, but an RPG? That's quite different! After around five years in development, Stone Story RPG enters Early Access. Note: Key provided by the developer.

        A very strange experience this, with no direct control of your character it initially feels a bit like a clicker. You pick a location and watch as your ASCII character travels across the screen gathering resources, fighting and more. However, the game gradually expands and opens up, turning it into a very unique adventure. It's also very weirdly relaxing.

      • Action RPG platformer "Indivisible" from the creator of Skullgirls is releasing in October

        Lab Zero Games (Skullgirls) and 505 Games have announced that the action RPG platformer Indivisible finally has a release date.

        Blending together the side-scrolling exploration from a platformer, with beautifully hand-painted background art and fast-paced real-time battles it's been high up on my "wanted" list for some time. After getting funded on IndieGoGo way back in 2015, they managed to pull in quite a lot of support with over thirty thousand backers and around two million dollars raised. It's been a long wait but it's finally about to end, as today they've revealed the launch date to be October 8th.

      • Charming puzzle game OXXO officially released with Linux support

        Yesterday, OXXO from game developer Hamster On Coke Games was released as their latest sweet puzzle game. I've been playing it through and it's wonderful. Note: Copy provided by the developer to our Steam Curator.

        Much like some of their previous games including Scalak, PUSH and Art Of Gravity it has a very simple and inviting style to it. Starting off extremely easy so you learn the controls and the idea, it quickly starts getting a little complicated.

      • SteamWorld Quest: Hand of Gilgamech has a free update with a New Game Plus mode

        Making it into this update is a New Game Plus mode, unlocked by completing the story. It allows you to play again, while keeping most non-story progress gained from your previous playthrough. Additionally, there's a new higher difficulty setting "Legend Remix", it's not just more challenging but also contains some "gameplay twists of its own" although it's only available for New Game Plus. They also added a sweet art gallery, containing a bunch of unseen concept art, illustrations and a jukebox.

      • Comedy cosmic horror adventure Gibbous - A Cthulhu Adventure is now out

        Gibbous - A Cthulhu Adventure, a comedy cosmic horror adventure from Transylvanian developer Stuck In Attic has released with same-day Linux support and it's a wild ride.

      • How to install Minecraft Server on Ubuntu
    • Desktop Environments/WMs

      • Catfish 1.4.8 Released

        The latest release of Catfish improves integration with OpenBSD, Wayland, Xfce, and numerous other desktop configurations. It also features a wealth of translation updates to improve Catfish’s international support.

      • K Desktop Environment/KDE SC/Qt

        • Finally, I’m back… more or less

          I called this wallpaper Mountain, because … well, there are mountains with a sun made with the KDE Neon logo.

        • Google Code-in 2018 trip report

          In June, I had the opportunity to be the mentor representing KDE in the Google Code-in (GCi) 2018 trip in San Francisco, California. For those who don’t know what GCi is, it is basically a competition organized by Google for students with ages between 13-17 years old that introduces them into open source contributions with some tasks involving coding, documentation, artwork, etc.

          In the end of this program, each participant open source organization selects two winners based on their involvement with the community projects and the number of tasks that they have completed. I have participated in this program as one of the mentors for the KDE community and this previous post explains about how amazing my experience was.

      • GNOME Desktop/GTK

        • Age rating data for Flathub apps

          OARS (Open Age Ratings Service) defines a scheme to include content rating information in apps’ AppData/AppStream file. GNOME Software and similar tools use this metadata to show age ratings for applications. In Endless OS, we also support restricting which applications a given user can install based on this data – see this page, and the reports it links to, for a bit more information about this feature and its future.

        • Bastien Nocera: libfprint 1.0 (and fprintd 0.9.0)

          After more than a year of work libfprint 1.0 has just been released!

          It contains a lot of bug fixes for a number of different drivers, which would make it better for any stable or unstable release of your OS.

          There was a small ABI break between versions 0.8.1 and 0.8.2, which means that any dependency (really just fprintd) will need to be recompiled. And it's good seeing as we also have a new fprintd release which also fixes a number of bugs.

    • Distributions

      • New Releases

        • Sparky 2019.08 Special Editions

          There are new live/install iso images of SparkyLinux 2019.08 “Po Tolo” special editions: GameOver, Multimedia & Rescue available to download. Sparky ‘Po Tolo’ follows rolling release model and is based on Debian testing “Bullseye”.

          GameOver Edition features a very large number of preinstalled games, useful tools and scripts. It’s targeted to gamers.

          Multimedia Edition features a large set of tools for creating and editing graphics, audio, video and HTML pages.

        • Call for testing: [Tails] 4.0~beta1

          You can help Tails by testing the first beta for the upcoming version 4.0!

          We are very excited about it and cannot wait to hear your feedback :)

        • OSMC's July update is here

          OSMC's July update is now here and we continue to improve the OSMC experience for all of our users over the Summer. We have also been working on adding support for 3D Frame Packed (MVC) output for Vero 4K / 4K + and will make test builds available during the week on the forums. We are still preparing Raspberry Pi 4 images and will make these available soon.

      • Arch Family

        • Newcomer EndeavourOS Offers a Friendlier Arch Linux Experience

          EndeavourOS has a lot of potential. It is an impressive addition to the shortlist of distros that want to make using Arch a more rewarding experience.

          For a Linux distro built around one of the more challenging Linux families, EndeavourOS is a stable, solid performer with few, if any, noticeable quirks. That shouts volumes, given the relative youth of the first stable release following beta development.

          EndeavourOS is not an easy choice for Linux users with no hands-on experience with the Arch Linux ecosystem. Despite its newness, though, it is a better Arch Linux choice than other Arch variants.

          It is a great choice for those willing to roll up their sleeves and learn Arch Linux's inner workings. Hopefully, EndeavourOS succeeds in making the Arch-based neighborhood a more inviting place for new users and seasoned Arch users as well.

      • Fedora Family

        • Cute Qt applications in Fedora Workstation

          Fedora Workstation is all about Gnome and it has been since the beginning, but that doesn’t mean we don’t care about Qt applications, the opposite is true. Many users use Qt applications, even on Gnome, mainly because many KDE/Qt applications don’t have adequate replacement written in Gtk or they are just used to them and don’t really have reason to switch to another one.

          For Qt integration, there is some sort of Gnome support in Qt itself, which includes a platform theme reading Gnome configuration, like fonts and icons. This platform theme also provides native file dialogs, but don’t expect native look of Qt applications. There used to be a gtk2 style, which used gtk calls directly to render natively looking Qt widgets, but it was moved from qtbase to qt5-styleplugins, because it cannot be used today in combination with gtk3.

          For reasons mentioned above, we have been working on a Qt style to make Qt applications look natively in Gnome. This style is named adwaita-qt and from the name you can guess that it makes Qt applications look like Gtk applications with Adwaita style. Adwaita-qt is actually not a new project, it’s been there for years and it was developed by Martin BÅ™íza. Unfortunately, Martin left Red Hat long time ago and since then a new version of Gnome’s Adwaita was released, completely changing colors and made the Adwaita theme look more modern. Being the one who takes care of these things nowadays, I started slowly updating adwaita-qt to make it look like the current Gnome Adwaita theme and voilà, a new version was released after 3 months of intermittent work.

        • Fedora Community Blog: Friday with Infra

          Friday with Infra is a new event done by CPE (Community Platform Engineering) Team, that will help potential contributors to start working on some of the applications we maintain. During this event members of the CPE team will help you to start working on those applications and help you with any issue you may encounter. At the end of this event you should be able to maintain the application by yourself.

      • Canonical/Ubuntu Family

        • Ubuntu 18.04.3 LTS Released - Switches To Using 19.04's Linux 5.0 HWE

          Canonical has announced the immediate availability of Ubuntu 18.04.3 LTS as the newest update to this long-term support series.

          Ubuntu 18.04.3 LTS incorporates the latest stable bug/security fixes into the release ISOs and also pulls in the "hardware enablement stack" from Ubuntu 19.04. For Ubuntu 18.04.3 desktop users this means having an updated Mesa and other components, most prominently being the switch from Linux 4.18 now to using Linux 5.0.

        • Ubuntu 18.04.3 LTS Is Out with Linux Kernel 5.0 from Ubuntu 19.04, Download Now

          Coming six months after the Ubuntu 18.04.2 LTS release, which shipped with the hardware enablement (HWE) kernel from the not deprecated Ubuntu 18.10 (Cosmic Cuttlefish) operating system, Ubuntu 18.04.3 LTS here as the third point release in the Ubuntu 18.04 LTS (Bionic Beaver) series with up-to-date components.

          Ubuntu 18.04.3 LTS includes all the latest software and security fixes that have been published on the official repositories of the Ubuntu 18.04 LTS release since February 14th, 2019, when Ubuntu 18.04.2 LTS hit the streets. It also ships with updated kernel and graphics stacks from Ubuntu 19.04 (Disco Dingo), such as Linux kernel 5.0.

        • Ubuntu 18.04.3 LTS Arrives with Linux Kernel 5.0

          Ubuntu 18.04.3 is the third of five point releases planned to accompany the latest Ubuntu long-term support release, and is the second to see release this year.

          If you’re sure what the point of a point release is I can explain it to you in one simple word: convenience.

          Ubuntu point releases are new .iso install images which contain all of the bug fixes, security patches, performance enhancements, and key app updates released to the OS since the previous install image was produced.

    • Devices/Embedded

    • Free, Libre, and Open Source Software

      • Linux Journal Ceases Publication: An Awkward Goodbye

        On August 7, 2019, Linux Journal shut its doors for good. All staff were laid off and the company is left with no operating funds to continue in any capacity. The website will continue to stay up for the next few weeks, hopefully longer for archival purposes if we can make it happen.

      • Linux Journal ceases publication

        It is with sadness that we report that Linux Journal has ceased publication. The magazine announced its demise at the end of 2017, then was happily reborn in early 2018, but apparently that was not to last. Editor Kyle Rankin posted "An Awkward Goodbye" on August 7.

      • The End Of Linux Journal

        Due to this change in the market, most major publications have either shut down or been acquired and have lost their primary focus. The list includes IDG (acquired by a Chinese company and laid of writers), Recode (sold to Vox), Anandtech, TechCrunch (sold to Verizon), eWeek and more. The list is long.

        A very minuscule chunk of these publications is made up of publications focused on consumer Linux. As someone who once ran a ‘consumer desktop Linux’ publication, I am aware of the fact that there is only so much one can do in that space. There is nothing new to write about it from a consumer’s perspective. Linux Desktop space has stagnated and not much innovation is happening in that area. There isn’t much scope of valuable content in that space. What could have been written has already been written?

        The real work is happening at a low level. LWN is doing an incredible job of covering low-level kernel stuff. It’s sustainable and healthy.

      • Linux Journal shuts down, because cheapskate Linux users don't spend money [Ed: And Brian Fagioli goes into troll mode again; many publishers shut down, so this headline is a provocative lie (Linux users spend more money than Windows users)]
      • How Can AMD EPYC "Rome" 7002 Series Be Even Better? Open-Source BIOS / Coreboot

        By now you've likely seen the fantastic performance out of AMD's new "Rome" 7002 series processors. The performance is phenomenal and generally blowing well past Intel's Xeon Cascade Lake processors. So that's all good and it can get even better outside of performance: I asked AMD about the prospects of Coreboot / open-source BIOS support and got a surprising response.

        At an event in Austin last month when AMD was talking up Rome, when they weren't talking about the new server CPU's performance potential they were often mentioning the chip's security. That set the stage for bringing up open-source support and Coreboot support without coming across as just an open-source zealot/nerd question. After all, if their lower-level bits were (again) open-source it would ensure a more auditable boot process and ensuring the integrity of their Platform Security Processor (PSP) and the like, which in this day and age is important and trying to ensure no nefarious back-doors to the system. Companies like Facebook and Google are also genuinely interested in this open-source functionality with their work on the likes of Coreboot and LinuxBoot.

      • Events

        • Access to complex video devices with libcamera

          Laurent Pinchart began his Open Source Summit Japan 2019 talk with a statement that, once upon a time, camera devices were simple pipelines that produced a sequence of video frames. Applications could control cameras using the Video4Linux (V4L) API by way of a single device node; there were "lots of knobs", but the overall task was straightforward. That situation has changed over the years, and application developers need more help; that is where the libcamera project comes in. In truth, if your editor may interject a brief comment, even the basic V4L API is not entirely straightforward for the uninitiated. There is a negotiation process that must happen so that the application can determine whether a given camera can deliver the sort of data stream that is needed. The number of parameters to tweak is large. It was not uncommon to find applications that worked with some camera devices, but not others. V4L makes many things possible, but even the simplest tasks may not be easy.

        • DevNation Live: Revisiting Effective Java in 2019

          DevNation Live tech talks are hosted by the Red Hat technologists who create our products. These sessions include real solutions and code and sample projects to help you get started. In this talk, Edson Yanaga, Director of Developer Experience at Red Hat, reviews some tips from the classic Effective Java book to help you update your Java skills.

          Joshua Bloch has given us the third edition of Effective Java, but almost 10 years have passed since the last edition. And, now we have a whole generation of Java developers who could benefit from this knowledge.

          It’s about time to revisit all of this wonderful content and upgrade your skills to the latest versions of the Java platform. Join us in this deep session to check what’s new in the updated Effective Java and even add some more tips not included in the book.

        • The Linux Foundation Announces Full Agenda for Open Source Summit and Embedded Linux Conference Europe

          The Linux Foundation today announced the session line-up for its Open Source Summit Europe, the leading conference for open source developers, architects and other technologists and a hotbed for emerging technologies, and Embedded Linux Conference Europe. The event takes place October 28-30 in Lyon, France.

      • Web Browsers

        • Mozilla

          • Community Management Update

            I have a couple announcements for today. I’d like you all to welcome our two new community managers.

            First off Kiki has officially joined the SUMO team as a community manager. Kiki has been filling in with Konstantina and Ruben on our social support activities. We had an opportunity to bring her onto the SUMO team full time starting last week. She will be transitioning out of her responsibilities at the Community Development Team and will be continuing her work on the social program as well as managing SUMO days going forward.

            In addition, we have hired a new SUMO community manager to join the team. Please welcome Giulia Guizzardi to the SUMO team.

          • Mike Hoye: Ten More Simple Rules

            The Public Library of Science‘s Ten Simple Rules series can be fun reading; they’re introductory papers intended to provide novices or non-domain-experts with a set of quick, evidence-based guidelines for dealing with common problems in and around various fields, and it’s become a pretty popular, accessible format as far as scientific publication goes.

          • Henrik Skupin: Example in how to investigate CPU spikes in Firefox

            So a couple of months ago when I was looking for some new interesting and challenging sport events, which I could participate in to reach my own limits, I was made aware of the Mega Hike event. It sounded like fun and it was also good to see that one particular event is annually organized in my own city since 2018. As such I accepted it together with a friend, and we had an amazing day. But hey… that’s not what I actually want to talk about in this post!

            The thing I was actually more interested in while reading content on this web site, was the high CPU load of Firefox while the page was open in my browser. Once the tab got closed the CPU load dropped back to normal numbers, and went up again once I reopened the tab. Given that I haven’t had that much time to further investigate this behavior, I simply logged bug 1530071 to make people aware of the problem. Sadly the bug got lost in my incoming queue of daily bug mail, and I missed to respond, which itself lead in no further progress been made.

            Yesterday I stumbled over the website again, and by any change have been made aware of the problem again. Nothing seemed to have been changed, and Firefox Nightly (70.0a1) was still using around 70% of CPU even with the tab’s content not visible; means moved to a background tab. Given that this is a serious performance and power related issue I thought that investigation might be pretty helpful for developers.

            In the following sections I want to lay out the steps I did to nail down this problem.

          • My StarCon 2019 Talk: Collecting Data Responsibly and at Scale

            Back in January I was privileged to speak at StarCon 2019 at the University of Waterloo about responsible data collection. It was a bitterly-cold weekend with beautiful sun dogs ringing the morning sun. I spent it inside talking about good ways to collect data and how Mozilla serves as a concrete example. It’s 15 minutes short and aimed at a general audience. I hope you like it.

      • Productivity Software/LibreOffice/Calligra

        • LibreOffice 6.3 Open-Source Office Suite Officially Released, Here's What's New

          The third major, feature-full update to the latest LibreOffice 6 office suite series, LibreOffice 6.3, comes exactly six months after the LibreOffice 6.2 release to add better performance, enhanced interoperability with proprietary document formats, as well as a set of new features and other improvements.

          The LibreOffice 6.3 office suite will be supported for the next ten months with smaller maintenance updates until May 29, 2020. The Document Foundation has planned a total of six point releases for LibreOffice 6.3, but currently recommends users the LibreOffice 6.2 series for extra stability in production environments.

        • The Document Foundation announces LibreOffice 6.3

          LibreOffice 6.3’s new features have been developed by a large community of code contributors: 65% of commits are from developers employed by companies sitting in the Advisory Board like Collabora, Red Hat and CIB, plus other organizations, and 35% are from individual volunteers.

          In addition, there is a global community of individual volunteers taking care of other fundamental activities such as quality assurance, software localization, user interface design and user experience, editing of help system and documentation, plus free software and open document standards advocacy.

        • LibreOffice 6.3 Released With Better Performance, UI Enhancements

          After a slight delay, The Document Foundation this morning announced the release of the LibreOffice 6.3 cross-platform open-source office suite.

          This leading Microsoft Office alternative has performance improvements particularly around Writer (its word processor) and Calc (spreadsheet) components, the tabbed compact user-interface work is now available throughout more of the suite, better PDF export support, continually ongoing improvements to the Microsoft Office file format interoperability support, and a plethora of other improvements.

        • LibreOffice 6.3 Released, Up to 97% Faster At Opening Files

          LibreOffice 6.3 is the latest version of The Document Foundation’ open source office suite for Windows, macOS and Linux — and it’s pretty big on changes.

          Among the new LibreOffice 6.3 features that productivity-focused folks will benefit from are A, B and, important for secret government agencies, the ability to redact information from documents.

          You’ll see a new “tip of the day” dialog open on startup (once per day). There’s also a new “what’s new? infobar” linking to the LibreOffice release notes when launching an updated version of the suite for the first time.

      • Programming/Development

        • Python virtualenvs talk

          I had the pleasure of giving a talk about Python virtual environments at this week's Christchurch Python meetup. It described the problem that virtualenvs solve, some gotchas and the tools people use to create and manage them. We also spent some time on some of the newer entrants in this space including pew, pipenv and poetry. The slides are available.

          Giving presentations is a great way of solidifying your knowledge of a particular subject - you want to make sure you're describing things accurately so end up doing extra research and thinking more deeply. I'm sure I get as much out of preparing for a talk as the people who attend.

        • AMD Optimizing C/C++ Compiler 2.0 Released With Zen 2 Support

          Coinciding with yesterday's glorious AMD EPYC "Rome" 7002 series CPU launch, AMD's software folks released AOCC 2.0 as their LLVM/Clang-based compiler optimized for Zen processors. AOCC 2.0 brings optimized compiler support now for Zen 2 processors not just only the EPYC 7002 line-up but also the Ryzen 3000 series consumer processors.

          AMD Optimizing C/C++ Compiler 2.0 is the update adding in their Zen 2 "Znver2" bits and the first update to AOCC since the end of last year. Besides adding in Zen 2 support, they re-based their entire compiler toolchain against LLVM 8.0 and its sub-projects like the Clang 8.0 front-end. They also moved to using FLANG as their default Fortran language front-end.

        • Why Linux & DevOps go hand in hand

          Public License (GPL). Linux, like any OS, mediates between the hardware of the machine (CPU, memory, and storage) and its software. The OS manages how the hardware is used to meet the needs of the software.

          A Linux-based OS uses a Linux kernel, which is used to manage the hardware resources. A bootloader runs the machine through a startup sequence, and daemons—background services—work in the background to ensure key functions run smoothly. The OS shell, or command line, receive code instructions from the developer and transmits them to the machine.

        • Scrum vs. kanban: Which agile methodology is better?

          Because scrum and kanban both fall under the agile methodology umbrella, many people confuse them or think they're the same thing. There are differences, however. For one, scrum is more specific to software development teams, while kanban is used by many kinds of teams and focuses on providing a visual representation of an agile team's workflow. Some argue that kanban is about getting things done, and scrum is about talking about getting things done.

        • Python 3.8.0b3 is now available for testing

          This release is the third of four planned beta release previews. Beta release previews are intended to give the wider community the opportunity to test new features and bug fixes and to prepare their projects to support the new feature release. The next pre-release of Python 3.8 will be 3.8.0b4, the last beta release, currently scheduled for 2019-08-26.

        • Sending custom emails with Python

          One of the highlights of my work as the Fedora Community Action and Impact Coordinator is giving people good news about travel funding. I often send this information over email. Here, I'll show you how I send custom messages to groups of people using Mailmerge, a command-line Python program that can handle simple and complex emails.

        • Welcome to Real Python!

          Welcome! In this series of videos you’ll get an overview of the features of the Real Python platform, so you can make the most of your membership.

        • Inheritance and Composition: A Python Guide

          In this article, you’ll explore inheritance and composition in Python. Inheritance and composition are two important concepts in object oriented programming that model the relationship between two classes. They are the building blocks of object oriented design, and they help programmers to write reusable code.

        • Sajeer Ahamed: Making Rust HTTP source Feature equivalent - Part 1 | GSoC 2019

          souphttpsrc is the C version of HTTP source plugin of GStreamer. Making reqwesthttpsrc feature equivalent to that of souphttpsrc is a very important part of the conversion. Although Rust HTTP source is functioning well, it is not fully in to use because it is not equivalent to C HTTP source.

          For now there is only one property implemented from C HTTP source apart from the ones which come from base class. That is 'location'. We can set a URL to read using this property.

        • Kate - Initial Rust LSP support landed!

          Initial support for the rls Rust LSP server has landed in kate.git master. The matching rls issue about this can be found here.

          Given I am no Rust expert, I can only verify that at least some operations seem to work for me if the Rust toolchain is setup correctly ;=)

        • A second life for the Sandbox

          Anvil is a UK-based company sponsoring one month of work to revive PyPy's "sandbox" mode and upgrade it to PyPy3. Thanks to them, sandboxing will be given a second life!

          The sandboxed PyPy is a special version of PyPy that runs fully isolated. It gives a safe way to execute arbitrary Python programs (whole programs, not small bits of code inside your larger Python program). Such scripts can be fully untrusted, and they can try to do anything—there are no syntax-based restrictions, for example—but whatever they do, any communication with the external world is not actually done but delegated to the parent process. This is similar but much more flexible than Linux's Seccomp approach, and it is more lightweight than setting up a full virtual machine. It also works without operating system support.

        • 31 Excellent Free Books to Learn Python

          Python is a high-level, general-purpose, structured, powerful, open source programming language that’s used for a wide variety of programming tasks. It features a fully dynamic type system and automatic memory management, similar to that of Scheme, Ruby, Perl, and Tcl, avoiding many of the complexities and overheads of compiled languages. The language was created by Guido van Rossum in 1991, and continues to grow in popularity, in part because it is easy to learn with a readable syntax. The name Python derives from the sketch comedy group Monty Python, not from the snake.

          Python is a versatile language. It’s frequently used as a scripting language for web applications, embedded in software products, as well as artificial intelligence and system administration tasks. It’s both simple and powerful, perfectly suited for beginners and professional programmers alike.

        • Portworx Enterprise Operator on Red Hat OpenShift

          This is a guest blog by Vick Kelkar from Portworx. Vick is a Product person at Portworx. With over 15 years in the technology and software industry, Vick’s focus is on developing new data infrastructure products for platforms like PCF, PKS, Docker, and Kubernetes.

          Kubernetes adoption initially was powered by stateless applications. As the project matured, Kubernetes introduced the StatefulSet object so that applications can run with persistent data in a cloud native manner. As stateful applications, like PostgreSQL, started running on Kubernetes clusters, the need to easily manage complex deployments became clear. The built-in Kubernetes constructs did not allow for more complex install, upgrade or management of Kubernetes resources which resulted in a person doing manual post install deployment tasks.

          To solve this problem, the CoreOS team (now part of Red Hat) launched the Operator Framework project. The idea of an Operator is to introduce a custom controller and custom resource into Kubernetes cluster which understands the life cycle of a stateful application. At Portworx, we decided to adopt the Operator Framework in order to embed domain-specific knowledge into our CustomResource called StorageCluster and introduced a new Kubernetes object to make maintenance and management of Portworx platform easier.

        • 5 Steps to Learning Python the Right Way

          Python is an important programming language that any developer should know. Many programmers use this language to build websites, create learning algorithms, and perform other important tasks. But trying to learn Python can be intimidating, frustrating, and difficult, especially if you’re not sure how to approach it.

          One of the things that I found most frustrating when I was learning Python was how generic all the learning resources were. I wanted to learn how to make websites using Python, but it seemed like every learning resource wanted me to spend two long, boring, months on Python syntax before I could even think about doing what interested me.

        • PyCon Ireland 2019

          Python Ireland is the Irish organisation representing the various chapters of Python users. We organise meet ups and events for software developers, students, academics and anyone who wants to learn the language. One of our aims is to help grow and diversify the Python community in Ireland.

        • The lat/lon floating point delusion

          This morning I had a shower for 6.11686718 minutes. For breakfast I had 189.41576911 ml of fruit juice, followed by 75.24902503 g of muesli topped with 36.55668786 ml of milk and 15.44171338 g of yogurt.

          Something wrong?

          Maybe you think I'm a bit crazy — or at least very silly — to have so many decimal places in those numbers? Then how about the latitude/longitude of I Love Istanbul, one of my favourite eateries in Melbourne, Australia? According to the city's "Census of Land Use and Employment" in Melbourne's open data portal, ILI is at -37.80467681 144.9659498.

          I've written before about too many lat/lon digits and so have many other people, including Randall Munroe in a recent xkcd webcomic. In Wikipedia there's a table explaining how the number of decimal places in a decimal-degree lat/lon relates to length. Following that table, ILI at 95 Lygon Street has been located €±0.55 mm in latitude and €±4.6 mm in longitude. Not bad for a property with a footprint maybe 20 x 20 m.

        • PyCharm 2019.2.1 Preview

          PyCharm 2019.2.1 Preview is now available!

        • Kogan Dev: Making Heroku Subdirectories Easier

          To keep your codebase clean, it helps to have a separation of concerns. Splitting your codebase into a backend and frontend directory a great way to do this.

        • Moshe Zadka: Designing Interfaces

          One of the items of feedback I got from the article about interface immutability is that it did not give any concrete feedback for how to design interfaces. Given that they are forever, it would be good to have some sort of guidance.

          The first item is that you want something that uses the implementation, as well as several distinct implementations. However, this item is too obvious: in almost all cases I have seen in the wild of a bad interface, this guideline was followed.

          It was also followed in all cases of a good interface.

        • Ripping Out Node.js - Building SaaS #30

          In this episode, we removed Node.js from deployment. We had to finish off an issue with permissions first, but the deployment got simpler. Then we continued on the steps to make deployment do even less.

          Last episode, we got the static assets to the staging environment, but we ended the session with a permissions problem. The files extracted from the tarball had the wrong user and group permissions.

          I fixed the permissions by running an Ansible task that ran chown to use the www-data user and group. To make sure that the directories had proper permissions, I used 755 to ensure they were executable.

          Then we wrote another task to set the permission of non-directory files to 644. This change removes the executable bit from regular files and reduces their security risk.

        • PyQt5 Widgets Overview

          In Qt (and most User Interfaces) ‘widget’ is the name given to a component of the UI that the user can interact with. User interfaces are made up of multiple widgets, arranged within the window.

          Qt comes with a large selection of widgets available, and even allows you to create your own custom and customised widgets.

          Load up a fresh copy of and save it under a new name for this section.

        • Rounding Numbers in Python

          Using a computer in order to do rather complex Math is one of the reasons this machine was originally developed. As long as integer numbers and additions, subtractions, and multiplications are exclusively involved in the calculations, everything is fine. As soon as floating point numbers or fractions, as well as divisions, come into play it enormously complicates the whole matter.

          As a regular user, we are not fully aware of these issues that happen behind the scenes and may end up with rather surprising, and possibly inaccurate results for our calculations. As developers, we have to ensure that appropriate measures are taken into account in order to instruct the computer to work in the right way.

        • Python and public APIs

          In theory, the public API of a Python standard library module is fully specified as part of its documentation, but in practice it may not be quite so clear cut. There are other ways to specify the names in a module that are meant to be public, and there are naming conventions for things that should not be public (e.g. the name starts with an underscore), but there is no real consistency in how those are used throughout the standard library. A mid-July discussion on the python-dev mailing list considered the problem and some possible solutions; the main outcome seems to be interest in making the rules more explicit.

          It should be noted that the Python language does not enforce any access restrictions at all; any program that can import a module can access any top-level name defined in it. All of the "rules" that govern access restrictions are simply conventions, though they are meant to delineate things that can be changed by a module maintainer without going through the usual deprecation cycle. A big part of the public API is effectively a list of names that the module maintainer promises not to change without a good deal of warning (at least two full development cycles).

  • Leftovers

    • Minecraft’s recent surge on YouTube proves that the ‘PewDiePie Effect’ is still real

      “Essentially PewDiePie has embraced the most basic principal in the YouTube playbook,” Wilson wrote. “Focus on a topic, and deliver that to your audience with every single video that you make.”

      His reignited interest in the game has led to other YouTube creators picking up on the trend. Sean “Jacksepticeye” McLoughlin, a creator with more than 22 million subscribers, has started to play the game, too. People have picked up on Minecraft having a moment and have decided to jump on the train before it goes away again. It’s not entirely because of Kjellberg — YouTube creator Keemstar’s weekly Minecraft tournaments, for example, also drive traffic and interest — but Kjellberg’s visibility is a major factor, according to Wilson.

    • Hardware

      • Attack on Connected Cars Could Could Kill Thousands, Advocacy Group Claims [iophk: bad design at the bottom of this]

        Meanwhile, the auto industry is doing little, or not enough, to protect a mass attack on the most critical mode of transport, the car, within a critical industry.

      • What Linux needs to do to reach the masses [iophk: This is a red herring. Reinstalling an OS is like changing the engine on your car. The strangle hold on the OEMs needs to be released.]

        I understand the problem is a combination of proprietary hardware and the mixing and matching of components. But Linux has managed to work flawlessly on desktop hardware for a very long time. To me this says Linux can work with similar success on mobile hardware. And it should. The landscape of current users won't revert back to the desktop any time soon. In fact, if we're to believe any of the prognostications, users will continue the mass migration toward mobile, until there's only a handful of us hardcore users still working diligently at desktop machines.

    • Security (Confidentiality/Integrity/Availability)

      • Vulnerability Exposed Microsoft Azure Users to Cyberattack

        New data from Check Point Research says dozens of vulnerabilities found in a commonly used protocol left millions of Microsoft cloud users open to attack.

        In a presentation this week at the Black Hat security conference in Las Vegas, the firm noted that flaws in the Remote Desktop Protocol (RDP)—routinely used to access remote Windows machines—could be exploited to execute arbitrary code on a target’s system, allowing them to view, change, and delete data or create new accounts with full administrative rights.

        RDP was originally developed by Microsoft, and is frequently used by users looking to connect to a remote Windows machine. There’s several popular open-source clients for the RDP protocol utilized by Linux and Mac users as well.

      • IBM researchers show how “warshipping” turns physical mail into [an attack] vector

        The researchers pulled it off with a simple hand-built computer they cobbled together from off-the-shelf components. The device, which cost about $100 to assemble, consisted of a single circuit board packing a 3G modem for communicating with a remote-control server and executing attacks.

        “While in transit, the device does periodic basic wireless scans, similar to what a laptop does when looking for Wi-Fi hotspots. It transmits its location coordinates via GPS back to the C&C [command and control server,” Henderson detailed.

        “Once we see that a warship device has arrived at the target’s front door, mailroom or loading dock, we are able to remotely control the system and run tools to either passively or actively attempt to attack the target’s wireless access,” he elaborated. “The goal of these attacks is to obtain data that can be cracked by more powerful systems in the lab.”

      • Warshipping: Attackers can access corporate networks through the mailroom

        The expression has been coined by IBM X-Force Red researchers to describe a new attack vector, which consists of covertly delivering to the target’s premises small devices that can be used to gain access to the home or office wireless network and assets connected to it.

      • What's behind the Google Cloud-VMware partnership? [Ed: VMware is a back doors company; Snowden showed EMC/RSA role.]

        Kurian and his peer Sanjay Poonen, chief operating officer for customer operations at VMware, each used that post to identify a pool of customers that had been asking for better interoperability between the two vendors, with the Google Cloud VMware Solution by CloudSimple announced as a result.

        This new product, which will be generally available later this year, allows customers to run workloads on VMware's flagship vSphere platform natively in Google Cloud Platform.

      • [Attackers] Can Break Into an iPhone Just by Sending a Text

        At the Black Hat security conference in Las Vegas on Wednesday, Google Project Zero researcher Natalie Silvanovich is presenting multiple so-called “interaction-less” bugs in Apple’s iOS iMessage client that could be exploited to gain control of a user’s device. And while Apple has already patched five of them, a few have yet to be patched.

      • A Boeing Code Leak Exposes Security Flaws Deep in a 787's Guts

        At the Black Hat security conference today in Las Vegas, Santamarta, a researcher for security firm IOActive, plans to present his findings, including the details of multiple serious security flaws in the code for a component of the 787 known as a Crew Information Service/Maintenance System. The CIS/MS is responsible for applications like maintenance systems and the so-called electronic flight bag, a collection of navigation documents and manuals used by pilots. Santamarta says he found a slew of memory corruption vulnerabilities in that CIS/MS, and he claims that a hacker could use those flaws as a foothold inside a restricted part of a plane's network. An attacker could potentially pivot, Santamarta says, from the in-flight entertainment system to the CIS/MS to send commands to far more sensitive components that control the plane's safety-critical systems, including its engine, brakes, and sensors. Boeing maintains that other security barriers in the 787's network architecture would make that progression impossible.

        Santamarta admits that he doesn't have enough visibility into the 787's internals to know if those security barriers are circumventable. But he says his research nonetheless represents a significant step toward showing the possibility of an actual plane-hacking technique. "We don't have a 787 to test, so we can't assess the impact," Santamarta says. "We’re not saying it’s doomsday, or that we can take a plane down. But we can say: This shouldn’t happen."

      • Security updates for Thursday

        Security updates have been issued by Arch Linux (exim, python-django, python2-django, and sdl2), Debian (proftpd-dfsg), Fedora (php and sqlite), openSUSE (proftpd), Red Hat (kernel), Slackware (kdelibs), SUSE (nodejs10, squid, and tcpdump), and Ubuntu (php5 and ruby-rack).

      • KDE rips out ability for KConfig to run shell code [Ed: This is hardly a threat unless you download and then tamper with malicious files from arbitrary, untrusted sources]

        KDE has fixed a vulnerability within its KDE Framework that allowed for malicious code execution simply by viewing a .desktop file, by removing the feature being exploited altogether.

        Earlier this week, a security researcher Dominik Penner published a proof of concept that showed how users could be compromised simply by viewing a malicious .desktop file, which is typically used to show an icon for a file or directory, in the KDE file browser.

        The researcher did not notify KDE before dropping the vulnerability.

      • Captain, we've detected a disturbance in space-time. It's coming from Earth. Someone audited the Kubernetes source

        The Cloud Native Computing Foundation (CNCF) today released a security audit of Kubernetes, the widely used container orchestration software, and the findings are about what you'd expect for a project with about two million lines of code: there are plenty of flaws that need to be addressed.

        The CNCF engaged two security firms, Trail of Bits and Atredis Partners, to poke around Kubernetes code over the course of four months. The companies looked at Kubernetes components involved in networking, cryptography, authentication, authorization, secrets management, and multi-tenancy.

        Having identified 34 vulnerabilities – 4 high severity, 15 medium severity, 8 low severity and 7 informational severity – the Trail of Bits report advises project developers to rely more on standard libraries, to avoid custom parsers and specialized configuration systems, to choose "sane defaults," and to ensure correct filesystem and kernel interactions prior to performing operations.

      • Kubernetes reports the results of its open-source security audit

        Unless you've been living under a rock, hardly a day goes by anymore without a new software security problem popping up. The folks at the Cloud Native Computing Foundation (CNCF) certainly have noticed. So, when it came time to give Kubernetes, the most important container orchestration program, a security audit, the CNCF tried an open-source approach for checking it for security problems.

        This wasn't a new idea. That credit goes to the Core Infrastructure Initiative (CII) Best Practices Badge program. Open-source projects that get this badge must show they follow security best practices. The CII used this approach on three other projects: CoreDNS, Envoy, and Prometheus. Then, it used it on the big one: Kubernetes.

      • A Blunt Reminder About Security for Embedded Computing

        The ICS Advisory (ICSA-19-211-01) released on July 30th by the Cybersecurity and Infrastructure Security Agency (CISA) is chilling to read. According to the documentation, VxWorks is “exploitable remotely” and requires “low skill level to exploit.” Elaborating further, CISA risk assessment concludes, “Successful exploitation of these vulnerabilities could allow remote code execution.” The potential consequences of this security breech are astounding to measure, particularly when I look back on my own personal experiences in this space, and now as an Account Executive for Embedded Systems here at SUSE.


        At the time, VxWorks was the standard go-to OS in the majority of the embedded production platforms I worked with. It was an ideal way to replace the legacy stove-piped platforms with an Open Architecture (OA) COTS solution. In light of the recent CISA warning, however, it is concerning to know that many of those affected systems processed highly-classified intelligence data at home and abroad.

      • Transport Layer Security version 1.3 in Red Hat Enterprise Linux 8

        TLS 1.3 is the sixth iteration of the Secure Sockets Layer (SSL) protocol. Originally designed by Netscape in the mid-1990’s to serve the purposes of online shopping, it quickly became the primary security protocol of the Internet. Now not limited just to web browsing, among other things, it secures email transfers, database accesses or business to business communication.

        Because it had its roots in the early days of public cryptography, when public knowledge about securely designing cryptographic protocols was limited, the first two iterations: SSLv2 and SSLv3 are now quite thoroughly broken. The next two iterations, TLS 1.0 and TLS 1.1 depend on the security of Message Digest 5 (MD5) and Secure Hash Algorithm 1 (SHA1).

    • Environment

      • 'Extinction Rebellion' Dubbed Cult, But Supporters Say Radical Change Needed

        Extinction Rebellion (XR), a campaign of civil disobedience born in Britain and aiming to address a worldwide climate crisis, has been endorsed by Swedish climate activist Greta Thunberg, the teenage poster child of environmentalism. XR has pledged to cause more disruption, arguing that governments are not doing enough to stop the "climate emergency."

        The group, which is spawning similar campaigns in the United States and Australia, says climate activists have no choice but to take matters into their own hands. It demands that governments prevent further biodiversity loss and commit to producing net-zero greenhouse gases by 2025. Otherwise, XR says, there will be a mass extinction of life forms on the planet within the lifetimes of the demonstrators themselves.

      • Traffic noise an increasing burden in Danish homes

        Since 2000, the number of Danes bothered by traffic-related noise has more than doubled from 6 to 14 percent, according to a new report from the national institute of public health, Statens Institut forFolkesundhed.

      • Energy

        • Green Party calls Interrail decision ‘entirely the wrong direction of travel’

          Reacting to the decision by train companies in the UK to stop accepting Interrail passes from January (1), Green Party Deputy Leader Amelia Womack said:

          “This is entirely the wrong direction of travel, in both environmental and international relations terms.

          “We need to be encouraging people to travel by train rather than taking the plane. It needs to be the easiest, simplest and cheapest option, as well as being as it already is by far the most pleasant.

        • Bleak Financial Outlook for US Fracking Industry

          In early 2018 when major financial publications like the Wall Street Journal were predicting a bright and profitable future for the fracking industry, DeSmog began a series detailing the failing business model of fracking shale deposits for oil and gas in America.

          Over a year later, the fracking industry is having to reckon with many of the issues DeSmog highlighted, in addition to one new issue — investors are finally giving up on the industry.

      • Wildlife/Nature

        • Wanted: Participants for nature therapy study

          The universities of Tampere and Jyväskylä will conduct the study funded by Kela, the national social insurance agency, to examine how nature and the support of a group can help in the rehabilitation and recovery from depression. As part of the study, free nature therapy groups will be held in August and next April.

        • ‘A Complete Enigma’ — New Zealand Lizard Declared Extinct 130 Years After Only Sighting

          In 1887 the Belgian-British zoologist George Albert Boulenger, who famously named more than 2,000 species around the world, scientifically described a slim New Zealand lizard he called Oligosoma infrapunctatum — the speckled skink.

          More than 130 years later, a new paper examines the genetics and morphology of speckled skinks from around New Zealand and comes up with a surprising conclusion: They’re actually at least six different species, one of which — ironically enough, the one first identified by Boulenger — may now be extinct.

          The research, published in the journal Zootaxa, builds upon work done over the past several years that analyzed and alternately named and renamed various populations of speckled skinks. Now, by examining the lizards’ physical characteristics and mitochondrial DNA, the researchers were able to conclusively determine that the speckled skink represents an entire species complex. Each species lives in a different part of the country and has small but significant variations in genetics, coloration, scale composition and limb structure.

          There’s something they all have in common, though: None of them are doing very well, as the five remaining species all face enormous pressures from introduced predators and habitat loss. Using New Zealand’s classification system for endangered species, the paper recommends that two of the skink species should be considered as “nationally critical,” a third as “nationally vulnerable” and the final two as “at risk.”

      • Overpopulation

        • Balkan water reserves may soon run short

          The Balkans is one of the world’s most troubled regions, often the setting for outbreaks of territorial, ethnic and religious conflict.

          Now the area is also having to face up to the problems caused by a changing climate – in particular the prospect of severe water shortages in the years ahead.

          Albania, a mountainous country with a population of just under 3 million, has abundant water resources at present. But government studies predict that due to increasing temperatures and declining rainfall, there could be severe water shortages within ten years.

          The government says that within a decade water levels in three of the country’s biggest rivers – the Drin, Mat and Vjosa – will be up to 20% lower than at present.

    • Finance

      • U.S. Teachers and Firefighters Are Funding Rise of China Tech Firms

        It works like this: Pension funds from California to New Jersey and college endowments pour money into venture capital and private equity firms, which scour the globe for the best investment opportunities. In recent years, many of these firms have turned to China, helping fuel the success of global giants such as Alibaba Group Holding Ltd. and rising stars like drone-maker DJI and artificial-intelligence pioneer SenseTime Group Ltd. Pension and endowment fund managers may recognize such investments could become politically unacceptable, but they also have a fiduciary responsibility to pursue lucrative returns for their clients.

      • Can’t Afford a Vacation? Get Another Credit Card! - News about Americans’ dire financial straits turns into a credit card commercial

        Summertime is well and truly here, and for many of us, that means sunny vacations. Disneyland? Florida? A European adventure?

        But for tens of millions of Americans, there will be none, because they cannot afford one. A new and widely reported poll from financial services company found that over one in four people are forgoing a vacation, primarily because they cannot pay for it.

        The average expected cost of a vacation, for those planning one, was $1,979. But, as a well-publicized survey found, the large majority of millennials (and a majority of Americans overall) are living paycheck-to-paycheck and could not even afford a $1,000 emergency, let alone a $2,000 luxury.


        Under greater time pressure than ever, media resort to rewriting or copying and pasting press releases, then branding them as news. At the same time, advertorials—paid advertisements presented as news—are becoming an increasingly common way for media to increase their income.

        Advertorials work. The general public has great difficulty distinguishing between paid for content and traditional news. A Reader’s Digest study found news consumers were 500 times more likely to read an advertorial than a traditional advertisement, and that advertorials generated 81 per cent more sales than standard commercials. Were the BankRate stories advertorials, or simply media lazily repeating PR? CNBC responded with a comment that suggested it was an organic story, while Fox did not reply.

        Either way, Americans are in perilous financial straits, and millions are trapped in debt. Media should not be handing out highly questionable recommendations for the sake of extra content. There could be expensive consequences for those who take advice from cheap news.

    • AstroTurf/Lobbying/Politics

      • 8chan owner says he has returned to the US following El Paso shooting

        The owner of 8chan, the fringe messaging board that has been linked to a string of mass shootings this year, told lawmakers that he is coming back to the U.S. this week as Congress escalates its scrutiny of his website.

        Jim Watkins, who has owned 8chan since 2015, told lawmakers in an email on Tuesday that he would be back in the U.S. by the next day.

      • Republic TV threatens action after pro-Kashmiri separatist Twitter account shares misleading video of Arnab after dilution of Article 370

        A Twitter account sympathising with the Kashmiri separatists movement and a supporter of secession of Jammu and Kashmir from the union of India uploaded a highly doctored old video of journalist Arnab Goswami. The account uploaded Goswami’s edited video from February this year to imply as if Goswami is calling for the genocide of Kashmiris opposing the recent abrogation of Article 370.

      • A Farewell To Mike Gravel, 2020’s Weirdest Presidential Candidate

        Instead, the “Gravel teens” conducted the campaign almost entirely online, via the aforementioned caustic Twitter account and over-the-top YouTube videos — including a jacked-up sequel to the infamous “rock” ad from Gravel’s first presidential run. Essentially, it was a modern, digital version of the “front-porch campaign,” a turn-of-the-century phenomenon whereby presidential candidates mostly stayed at home and waited for voters to come to them.

        And … it kind of worked? No, Gravel didn’t get anywhere close to the nomination, but the tweets and stunts did convince 65,000 people to donate to the campaign, thus qualifying Gravel to participate in the July primary debate. (He ultimately was not invited to appear, [...]

    • Censorship/Free Speech

    • Privacy/Surveillance

      • WhatsApp Flaws Could Allow [Attackers] to Alter Messages: Cyber Firm

        Check Point Software Technologies Ltd., an Israeli company that provides security for computer networks, said its researchers found three potential ways to alter conversations. One uses the "quote" feature in a group conversation to change the appearance of the identity of a sender. Another lets a hacker change the text of someone else’s reply. And the other, which has been fixed, would let a person send a private message to another group participant disguised as a public message to all, so when the targeted individual responded, it was visible to everyone in the conversation.

        A WhatsApp spokeswoman declined to comment.

      • Amazon is coaching cops how to obtain Ring footage without a warrant

        It's alarming (arf) at the very least for users, as parent company Amazon can now release Ring footage directly to cops without a warrant. It has also been accused of ghostwriting police documentation on the service, turning local forces into free advertising and implied an endorsement for its products. Users can even gain discounts on Ring products if they opt-in, with police forces managing a reward system.

      • Amazon Is Coaching Cops on How to Obtain Surveillance Footage Without a Warrant

        Emails obtained from police department in Maywood, NJ—and emails from the police department of Bloomfield, NJ, which were also posted by Wired—show that Ring coaches police on how to obtain footage. The company provides cops with templates for requesting footage, which they do not need a court warrant to do. Ring suggests cops post often on Neighbors, Ring’s free “neighborhood watch” app, where Ring camera owners have the option of sharing their camera footage.

      • Another Day, Another Company Leaving Sensitive User Data Exposed Publicly On The Amazon Cloud

        What is it about companies leaving consumer data publicly exposed on an Amazon cloud server? Verizon made headlines after one of its customer service vendors left the personal data of around 6 million consumers just sitting on an Amazon server without adequate password protection. A GOP data analytics firm was also recently soundly ridiculed after it left the personal data of around 198 million citizens (read: most of you) similarly just sitting on an Amazon server without protection. Time Warner Cable also recently left 4 million user records sitting in an openly-accessible Amazon bucket.

      • They Grow Up So Fast These Days: Facial Recognition Tech Edition

        Nothing nefarious about this if you subtract the slow drip of surveillance tech into every corner of everyone's existence. By the time the little scamps roll into adulthood, they won't even view omnipresent cameras and their surveillance add-ons as encroachments. They'll just be a normal part of life, like cellphones and high-speed internet connections.

        This situation is better than most. Waldo's service is completely opt-in. Parents who want to use it have to go through several affirmative steps, like uploading photos of their kids to be used by the software. The end result is a curated collection of photos containing opted-in kids, saving parents the trouble of weeding through hundreds of photos to find the ones they actually care about.

        This is a far more responsible use of facial recognition tech on children than the New York Police Department's version.

      • Amazon’s Ring Is a Perfect Storm of Privacy Threats

        Even though government statistics show that crime in the United States has been steadily decreasing for decades, people’s perception of crime and danger in their communities often conflict with the data. Vendors prey on these fears by creating products that inflame our greatest anxieties about crime.

        Ring works by sending notifications to a person’s phone every time the doorbell rings or motion near the door is detected. With every update, Ring turns the delivery person or census-taker innocently standing on at the door into a potential criminal.

        Neighborhood watch apps only increase the paranoia. Amazon promotes its free Neighbors app to accompany Ring. Other vendors sell competing apps such as Nextdoor and Citizen. All are marketed as localized social networks where people in a neighborhood can discuss local issues or share concerns. But all too often, they facilitate reporting of so-called “suspicious” behavior that really amounts to racial profiling. Take, for example, the story of an African-American real estate agent who was stopped by police because neighbors thought it was “suspicious” for him to ring a doorbell.

        Even law enforcement are noticing the social consequences of public-safety-by-push-notification. At the International Associations of Chiefs of Police conference earlier this year, which EFF attended, Chandler Police Assistant Chief Jason Zdilla said that his city in Arizona embraced the Ring program, registering thousands of new Ring cameras per month. Though Chandler is experiencing a historic low for violent crime for the fourth year in a row, Ring is giving the public another impression.

        “What happens is when someone opens up the social media, and every day they see maybe a potential criminal act, or every day they see a suspicious person, they start believing that this is prevalent, and that crime is really high,” Zdilla said.

        If getting an alert from your front door or your neighbor every time a stranger walks down the street doesn’t cause enough paranoia, Ring is trying to alert users to local 911 calls. The Ring-police partnerships would allow the company to tap into the computer-aided dispatch system, and alert users to local 911 calls as part of the “crime news” alerts on its app, Neighbors. Such push alerts based on 911 calls could be used to instill fear and sell additional Ring services.

      • Ring Is Teaching Cops How To Obtain Doorbell Camera Footage Without A Warrant

        To be part of your local law enforcement's surveillance network, all you need is a little tech from Amazon. Amazon's Ring doorbell/camera is being handed out to cops, who can then give them to citizens with the implication the recipients of this corporate/government largesse will deliver recordings upon request.

        Every Ring installed is another contributor to this ad hoc network of cameras -- something both cops and Amazon have access to. Amazon is looking to corner two markets at one time, roping in both the public and private sectors with an eye on dominating both. The added bonus -- at least as far as Amazon is concerned -- is its Neighbors app. Neighbors allows people to report suspicious things to other neighbors, as well as law enforcement. Unsurprisingly, early adopters have tended to report the existence of brown people in their neighborhoods more often than anything else.

        The whole process is guided by Amazon's heavy hand. Government agencies participating in the Ring handouts are given talking points, pre-written press releases, and contractual obligations to promote the product they're giving away. Recently-obtained documents show Amazon has even crafted scripts for police officers and press relations staff to use when questioned by citizens.

        But there's even more to this partnership than everything you see above. Lucas Ropek of GovTech reports cops have an Amazon-enabled workaround if Ring recipients aren't willing to turn over footage without a warrant.

    • Civil Rights/Policing

      • Facing Extinction in Iraq, Can Assyrians Hope for Aid From the West?

        With ISIS defeated, 40,000 Christians have returned to their ancient homeland, repopulating nine historically Christian towns. Overall, about 250,000 remain in Iraq, down from 1.5 million in 2003, on the eve of the U.S. invasion. For the moment, they are safe, but Sunni Muslims and Iran-backed militias have designs on their land and property.

      • Mass shootings aren't growing more common — and evidence contradicts common stereotypes about the killers

        Overall, though, the ethnic composition of the group of all mass shooters in the US is roughly equivalent to the American population.

      • NYPD, Prosecutors Illegally Using Expunged Criminal Records To Perform Investigations, Ask For Longer Sentences

        You'd think an entity with the name "New York Police Department" would at least have some passing respect for the law. But the more time you spend examining the NYPD, the more you find it acts in opposition of almost every law meant to control it. Sure, it's more than willing to kill you over unlicensed cigarette sales, but it can't seem to hold any of its own accountable for their multiple violations.

        Anything meant to bring a modicum of accountability to the agency is met with a shrug of official indifference. The only thing that's been proven to effect change in the department is orders from federal judges, and even these are greeted with foot-dragging and brass-enabled resistance.

        Adding to the annals of the PD's refusal to play by rules it doesn't like is this report from The Marshall Project. The NYPD and city prosecutors are using supposedly expunged arrests to push for plea deals, longer sentences, and the denial of bail.

        In one case examined by The Marshall Project, a man arrested for being in a vehicle that also contained an unlicensed handgun assumed he'd get cited and fined because of his lack of a criminal record. Instead, the man (referred to only as J.J.) watched as the city prosecutor produced printouts of expunged charges from back in the PD's stop-and-frisk heyday to argue for a prison sentence. J.J. had never been convicted of a crime, but the city was presenting records that should have been removed from the system to argue he was a career criminal.

      • North Carolina Court Says Retaliatory Arrests Over Protected Speech Are Cool And Legal

        Hey, SCOTUS says it's OK so it must be OK. Via Greg Doucette comes another WTF decision [PDF] -- one that gives North Carolina cops the green light to engage in retaliatory arrests over protected speech.

        It's not like there's no case law to work with. The Eighth Circuit Appeals Court denied immunity to an officer who arrested someone for shouting "Fuck you!" at him as they drove by. Other federal courts have come to the same conclusion: flipping the bird/dropping f-bombs in the direction of police officers is protected speech and cannot form the basis for traffic stops or arrests.

        In the state court of appeals, North Carolina judges have come to pretty much the same conclusion our nation's top court did: so long as an officer can imagine a crime has been committed, they're allowed to detain and arrest people who have offended them with their words and/or hand gestures.

    • Internet Policy/Net Neutrality

      • EU charges Czech mobile operators with blocking rivals

        The move by the European Commission could make it more difficult for telecoms operators to do similar deals to share networks, seen as key to saving costs and reducing time in the face of regulatory barriers to mergers.

        The European Commission said the deal, which the country’s two biggest mobile operators and Cetin, then part of O2 CZ, struck in 2011 and subsequently expanded, may breach the bloc’s competition rules.

        The network sharing agreement now covers all mobile technologies including 4G and 85% of the Czech population.

      • Google to allow rival search engines to compete on Android - at a price

        In its latest proposal to ward off fresh EU antitrust penalties, Google on Friday announced plans to auction spots on a “choice screen” from which users will select their preferred search engine.

        The move comes a year after the European Commission fined the U.S. tech giant 4.34 billion euros ($4.81 billion) for blocking rivals by pre-installing its Chrome browser and search app on Android smartphones and notebooks.

        The EU competition enforcer also ordered the company to halt its anti-competitive practices or face fines up to 5% of Alphabet’s average daily worldwide turnover.

      • Loadsharers: Funding the Load-Bearing Internet Person

        The internet has a sustainability problem. Many of its critical services depend on the dedication of unpaid volunteers, because they can't be monetized and thus don't have any revenue stream for the maintainers to live on. I'm talking about services like DNS, time synchronization, crypto libraries—software without which the net and the browser you're using couldn't function.

        These volunteer maintainers are the Load-Bearing Internet People (LBIP). Underfunding them is a problem, because underfunded critical services tend to have gaps and holes that could have been fixed if there were more full-time attention on them. As our civilization becomes increasingly dependent on this software infrastructure, that attention shortfall could lead to disastrous outages.

        I've been worrying about this problem since 2012, when I watched a hacker I know wreck his health while working on a critical infrastructure problem nobody else understood at the time. Billions of dollars in e-commerce hung on getting the particular software problem he had spotted solved, but because it masqueraded as network undercapacity, he had a lot of trouble getting even technically-savvy people to understand where the problem was. He solved it, but unable to afford medical insurance and literally living in a tent, he eventually went blind in one eye and is now prone to depressive spells.

    • Monopolies

      • Lawyers commend Turkey decision on TM non-use

        Turkey’s Supreme Court has ended more than two years of speculation regarding when non-use cancellation actions against trademarks can be filed, lawyers tell Managing IP, arguing that the court has come to a logical conclusion.

      • Facebook in Talks to Take More Space at Manhattan's Hudson Yards

        The deal could involve some 1.5 million square feet (139,000 square meters), about 50% more than was previously reported, said the people, who asked not to be identified discussing the private negotiations. While much of the space would be at 50 Hudson Yards -- a 2.9 million-square-foot tower being built by Related Cos. and Oxford Properties Group -- Facebook is also looking at 30 Hudson Yards and 55 Hudson Yards, the people said.

      • Patents and Software Patents

        • Singapore litigation reforms: concerns over heavy caseload for High Court

          Singapore will consolidate civil IP disputes in the High Court, the lower division of the Supreme Court, but in-house counsel air concerns over the potentially heavy caseload.

        • Not Invented By A Human—AI As An Inventor

          Recently, a group of patent attorneys—along with the self-proclaimed “patent holder for all neural systems that contemplate, invent, and discover via such confabulations”—has filed a set of patent applications at the U.S. Patent and Trademark Office, European Patent Office, and the UK Intellectual Property Office. But—reminiscent of the infamous “monkey selfie” copyright case, and unlike any other patent application filed with those offices—these applications list an artificial intelligence (AI) as the inventor, but claim that the AI’s owner should receive the patent.

          Setting aside any arguments about whether the law currently recognizes an AI as an inventor—though at least in the U.S., the requirement that the inventor be human seems clear based on the monkey selfies decision, the patent statute’s use of the term “person,” and the requirement that an inventor sign an oath or declaration—the real question is whether permitting AI owners to own the output of the machine would be a wise policy choice. Would permitting AI output to be patented by the AI’s owner promote progress?


          But even if we assume that the developed idea is non-obvious, it’s equally non-obvious that assigning the invention to the AI’s owner would meaningfully promote innovation. The owner hasn’t performed any intellectual creative act and would simply receive a windfall for the output of something they bought. 1And the AI itself doesn’t need any incentive to create the new idea—it would create the idea whether or not a patent was available, meaning that there’s no reason to think that providing a patent on the output of the machine would promote progress. At most, providing a patent on the output of the machine might incentivize people to design better idea-creating AIs—but such an AI would already be patentable and doesn’t require additional incentive.

          At the end of the day, the question really is “why give anyone exclusive rights to work generated by non-human entities?” That’s an extension of the question asked—and answered—over 30 years ago by Prof. Pamela Samuelson, concluding that perhaps no one should own the output of a computer. There’s no reason to think that answer has changed—especially since, in the past 30 years, we’ve seen an explosion in AI without any need to assign ownership of its output to the operators of the AI.

        • Lord Kitchin interview: ‘You have to balance reason with humanity’

          Less than a year into his role, Kitchin talks about life as a UK Supreme Court justice and why – despite his extensive IP background – he is being excluded from one of the biggest patent cases in years

        • No CBM: Check Deposit Patent Claims Technological Invention

          Patent claims reciting a “medium comprising computer-readable instructions for depositing a check” included a “technological invention,” and thus were not eligible for Covered Business Method (CBM) review, held the Patent Trial and Appeal Board (PTAB) in Wells Fargo Bank, NA et al v. United Services Automobile Ass’n., Case CBM2019-00004, Patent 8,977,571 B1 (May 15, 2019). Even though U.S. Patent No. 8,977,571B1 may otherwise have been directed to a “financial product or service,” it qualified for the statute’s provision “that the term does not include patents for technological inventions.” America Invents Action €§ 18(d).

          Representative claim 1 of the ’571 patent recites:

          A non-transitory computer-readable medium comprising computer-readable instructions for depositing a check that, when executed by a processor, cause the processor to:

          monitor an image of the check in a field of view of a camera of a mobile device with respect to a monitoring criterion using an image monitoring and capture module of the mobile device;

        • State Universities Not Entitled to Sovereign Immunity from IPRs

          Sovereign immunity does not exempt state governments from inter partes review, according to a Federal Circuit decision issued on Friday in Regents of the University of Minnesota v. LSI Corp. The decision extends the Federal Circuit’s earlier decision in Saint Regis Mohawk Tribe v. Mylan Pharmaceuticals that Native American tribes cannot rely on sovereign immunity against an IPR.

          This case began with the University of Minnesota suing semiconductor supplier LSI and customers of telecommunications company Ericsson for infringement. LSI and Ericsson responded with inter partes review petitions. Despite Minnesota’s status as a public university, that is, part of the state government of Minnesota, the Patent Trial and Appeal Board ruled that sovereign immunity did not prevent the IPR petition from being instituted. The decisions to institute the IPRs was appealed immediately to the Federal Circuit. Pharmaceutical company Gilead, facing a similar situation, successfully intervened in the appeal.

        • No Technical Improvement Means No Patent-Eligibility

          Citing Federal Circuit decisions including SAP America, Inc. v. Investpic, LLC, 898 F.3d 1161 (Fed. Cir. 2018) and Elec. Power Grp., LLC v. Alstom S.A., 830 F.3d 1350 (Fed. Cir. 2016), the court characterized the claims as providing “results of data collection and analysis” and thus “resid[ing] squarely in the realm of abstract ideas.” The claims recited only generic computing technology, i.e., although court did not use these words, lacked a technical improvement, and therefore “fail[ed] both steps of the Alice test.”

          So this was an easy €§ 101 case for a district judge. And it was evidently an easy €§ 101 case for the USPTO, which allowed the claims in the second Office action, with nary a €§ 101 rejection. (Take a look at the file history for U.S. Patent No. 9,978,107.) The ’107 patent issued from a long priority chain, and I confess I did not look at those file histories – but regardless, the lack of a €§ 101 rejection in the application for the ’107 patent is certainly striking in light of the ultimate fate of the claims. (And I would bet this is the ultimate fate – even if appealed, can anyone see the Federal Circuit reversing?)

        • Check Processing Claims Fail Alice Test at Federal Circuit

          The defendant had argued that “the claims were directed to the ‘abstract idea of delaying and outsourcing the scanning of paper checks.” The Federal Circuit agreed that the claims were “directed to an abstract idea, although we articulate it a bit differently.” The abstract idea of these patent claims, said the court, is “crediting a merchant’s account as early as possible while electronically processing a check.

          This case was like Ultramercial, LLC, et al. v. WildTangent, Inc. (Fed. Cir. 2014), in that it depending simply on rerdering steps of a transactions. It was even more like Content Extraction & Transmission Llc v. Wells Fargo Bank, N.A. (Fed. Cir 2014), where the court held that “extracting and then processing information from hard copy documents, including paper checks, was drawn to the abstract idea of collecting data, recognizing certain data within the collected data set, and storing that recognized data.” And there was no improvement to how computers operate, so under the second prong of the €§ 101 test, there was not a significant additional innovation beyond the abstract idea.

        • Patent case: Genzyme et. al. v. Salmon, Switzerland

          The Federal Supreme Court confirmed the Federal Patents Court’s (FPC) Decision of 12 June 2018 in which the FPC decided that article 140k of the Swiss Patent Act lists in an exhaustive manner all nullity grounds which can be invoked against SPCs. The six month application deadline of article 140f PA is not listed in this catalogue and, therefore, an allegedly wrong reinstatement of said deadline cannot be invoked as a nullity ground in civil proceedings.

        • Tragic news: Professor Shamnad Basheer has passed away

          It is with profound sadness that IPkat reports that Professor Shamnad Basheer, 43 years of age, passed away earlier today in his beloved India, where he was born and flourished. Shamnad was one of the IP world's great human beings. The founder of the iconic IP blog, Spicy IP, this Kat had the honor of joining with him as co-editors of the book, "Overlapping Intellectual Property Rights", by which this Kat came to view Shamnad as a dear friend. IPKat will publish more on Shamnad as soon as it gathers more complete information.

        • DoEPHETAN: Applying the “merely tangential” exception to the “prosecution history estoppel” limitation of the “doctrine of equivalents” expansion of the definition of infringement

          Some aspects of patent law are unduly complicated. Here is one: Prosecution History Estoppel (PHE) as applied to the Doctrine of Equivalents (DOE).

          The DOE finds infringement when someone is practicing something very similar (albeit different) than what is literally claimed. Although the doctrine is court-created, courts are also wary of the potentially unmoored doctrine and thus have created a number of major limitations on the doctrine that have severely limited its scope. Prosecution History Estoppel is one such limitation and arises when patent claims are narrowed during patent prosecution (something that happens in the vast majority of cases).

          Under PHE, a narrowing limitation during prosecution is “presumed to be a general disclaimer of the territory between the original claim and the amended claim.” Festo Corp. v. Shoketsu Kinzoku Kogyo Kabushiki Co., 535 U.S. 722 (2002). In Festo though, the Supreme Court identified the disclaimer as rebuttable upon proof that “the amendment cannot reasonably be viewed as surrendering a particular equivalent.”


          The original claim language covered SEQ ID NO: 2 along with modification such as “deletion, substitution, insertion or addition of one or several amino acids” of SEQ ID NO: 2. That claim was narrowed after an anticipation rejection to get around a different naturally occurring protein (YfiK). By narrowing the claim, it also now excludes the particular YddG protein variation used by CJ.

          On appeal, the Federal Circuit held that the purpose of the appeal was to get around the YfiK prior art, not the YddG prior art. As such, the reasons for the amendment were merely tangential to the equivalent in question.

        • CLE, Fees, and the USPTO

          The listservs I’m on have exploded lately with concern, and some anger, about proposed fees on practitioners, and the potential for CLE requirements. Today, I happened to be reading an article, in a peer reviewed journal, by Frank Fagan, that purportedly shows that every one-hour of CLE decreases charges brought to state bars by 10%.

        • Reducing Ethical Misconduct of Attorneys with Mandatory Ethics Training: A Dynamic Panel Approach

          State bar associations require bar applicants to pass the Multistate Professional Responsibility Examination over a range of scores and earn a variable number continuing legal education credits in ethics annually. Panel data from 2007-2014 across the fifty states and the District of Columbia are used to assess whether these requirements reduce charges of ethical misconduct against attorneys. Deviations GMM estimation provides evidence that increases in MCLE annual credit-hours in ethics reduce charges. Specifically, a one-hour increase in MCLE reduces the number of charges of ethical misconduct by 10.506%. The result is robust to different types of models and estimators, but requires making several strong assumptions which are discussed in detail.

      • Trademarks

        • 'Going down' is a trade mark that causes a bad influence on morality, says the Beijng High Court in China

          ‘Going down’ is a common English phrase whose meaning is descending or sinking. But when it tried to be registered as a trade mark for some sex-related products in China, it encounters the issue whether such a phrase leads to a bad influence on morality.

          Similar to Article 7(1)(f) EUTMR, Article 10 (8) of the PRC trade mark law prevents a mark from registering if it is harmful to socialism morality or has other bad influence.

          In its recent decision(here, in Chinese), the Beijing High Court affirms that ‘going down’ is a trade mark that causes bad social influence when it is designated for sex-related products.


          A trade mark is a commercial sign attached to products that disseminate to the public. In addition to distinguishing goods and services from others and bearing reputation, a trademark can also disseminate value and culture. A trade mark's influential power and contact in the public are wide and uncertain. The cultural taste and the value represented by a trade mark would be widely disseminated through the use.

          The trade mark 'going down' is designated for the goods such as vaginal syringes, condoms, non-chemical contraceptives and sex dolls. The applicant uses the vulgar implication of the trade mark as a marketing gimmick to attract public attention. Such an act causes bad influence on the public order, business culture and morality.

          Based on the above reasoning, the Court decides that the trade mark shall not be registered.

        • AG opinion regarding Aceto Balsamico leaves a sour taste for Modena

          "Aceto Balsamico di Modena (PGI)" has PGI status under Regulation 1151/2012, as conferred by Regulation No. 583/2009. Balema produces and markets in Germany vinegar-based products under the names "Balsamico" and "Deutscher Balsamico"; their labels note that the products are manufactured from local (Baden) wine. The Consorzio (owner of the PGI) alleged trade mark infringement by Balema on the basis that Balema’s products do not conform to the product specifications required for lawful use of the PGI. Balema sought a declaration that there had been no infringement.

          Balema failed at first instance but succeeded on appeal, because the appeal court considered that only the whole name - "Aceto Balsamico de Modena" - was protected, and not the non-geographical component parts of the PGI. The case was further appealed to the Bundesgerichtshof (Federal Court of Germany), which referred the following question to the Court of Justice:

          "Does the protection of the entire name 'Aceto Balsamico de Modena' extend to the use of the individual non-geographical components of the term as a whole ('Aceto', 'Balsamico', 'Aceto Balsamico')?"


          The AG’s Opinion looks to be legally correct (even if some might question his view of genericness under Articles 3(6) / 13(1). One would expect the Court of Justice to follow the AG's reasoning.

          The Bundesgerichtshof (BGH) has already indicated that if the above terms are not protected under Regulation 1151/2012, Balema’s appeal will succeed. This presumably means that the BGH is satisfied that Balema's product names do not use the contested terms in a misleading manner that might be contrary to Article 13(1)(c) or (d) (which are not subject to the exemption under Article 13(1) discussed above), or such claims are not being run. Presumably this also means that a legal alternative such as an unfair competition claim (perhaps a claim akin to extended passing off in the UK) will not get off the ground.

        • EUIPO sides with GoPro in trademark opposition

          GoPro has been successful in its bid to stop a Chinese competitor from registering a trademark at the European Intellectual Property Office (EUIPO).

      • Copyrights

        • ‘Cheating’ Fortnite Kid Wants Copyright Lawsuit Dismissed

          Epic Games' efforts to take several "Fortnite" cheaters to court over copyright infringement continues. In one of the cases, the defendant, who's still a minor, has asked the court to dismiss the complaint. The kid's attorneys, however, argue that the court doesn't have jurisdiction and that requiring a minor to defend himself in another state would be unreasonable.

        • Appeals Court Says Banana Costume Is Infringing

          It's been a bit of a roller coaster ride for Kangaroo Manufacturing over the past few weeks. The company -- which has admitted that it looks for popular items that are being sold on Amazon, and then develops competing products -- won its lawsuit a few weeks back, in which it was accused of copyright infringement for copying a floating duck pool float. In that case, the court determined that the ducks in question were not similar enough to be infringing. However, in another case, involving banana costumes, Kangaroo was not so lucky. Back in April we wrote about the appeals court hearing in that case, in which the judges joked that they were disappointed none of the lawyers showed up in the costume. However, in the end, the 3rd Circuit appeals court upheld the lower court's injunction that the two banana costumes were too similar and that Kangaroo's violated the copyright of Rasta Imposta (ht to Bill Donahue for spotting this one).

          There were two keys to this particular ruling. The first was the Supreme Court's terrible ruling in the Star Athletica case upturning decades of copyright law saying that you can't get a copyright on "useful articles," (which many people believed included clothing). In Star Athletica, the Supreme Court effectively changed that, saying that if there's artwork within the clothing, that could be viewed separately from the clothing, it's a different story. That's why there is suddenly a bunch of these kinds of copyright lawsuits. Here, the judges feel that Star Athletica means that if two banana costumes are too close, well, that's infringement.


          Kangaroo also tried a different approach, saying that even if Rasta's banana design met that minimal level of creativity to be eligible for copyright, it was ineligible due to two other copyright doctrines: the merger doctrine and scenes a faire. The merger doctrine is related to the idea/expression doctrine and says that certain types of expression can only be done in one way, and therefore you shouldn't be able to copyright that expression, as it would effectively be banning the idea. Here, Kangaroo argued that was the case with a banana costume. Scenes a faire is a similar doctrine that basically says certain "background" elements in a work are so common that it's ridiculous to think they could be copyrightable, as you'd block out lots of other works.

        • Elsevier Says It's Infringing To Link To Sci-Hub; Hypocrite Elsevier Links To Sci-Hub All The Time

          Academic publishing giant Elsevier really, really, really hates Sci-Hub, the site that offers up access to lots of academic research. Elsevier has sued the site directly and tried many times to get it blocked (which, to date, seems to have only helped it get more attention). Last week, Elsevier got all legal-threaty against Citationsy, a site that helps scholars create citations. Elsevier claimed that Citationsy was infringing its copyright by linking to Sci-Hub.


          Of course, expecting Elsevier to recognize how hypocritical it's being is a fool's errand as well. Elsevier is not in the business of actually understanding how academics work. It's in the business of squeezing as much cash as possible from universities.

Recent Techrights' Posts

[Meme] 'Secure' Boot in a Nutshell
Ask Microsoft if it is "safe" to boot Linux
A 3-Year Campaign to Coerce/Intimidate Us Into Censorship: Targeting Guest Writers (Intimidation)
Some high-profile people have told me that the serial defamer is a "monster" (their word), so why would Neil Brown wish to help him?
GNU/Linux in Cameroon: Rising Steadily While Windows Falls From 99% to Just 6%
If one also counts mobile (mostly Android)
Monkey See, Monkey Share
on deprivation of users
From 0.17% to 10% or More (GNU/Linux in Dominica)
Dominica isn't well known, but it does seem to have embraced Chromebooks in recent years
Links 28/05/2024: Tensions in East Asia, UK Mandatory National Service
Links for the day
Gemini Links 28/05/2024: NetCrawl and Living in Lagrange
Links for the day
Guardian Digital, Inc ( Handed Over Its Web Site to Chatbots That Generate SEO Garbage
They need to be called out on it
statCounter Sees Microsoft Windows at Below 1% in American Samoa
Not even 1%!
Windows Down to 60% of Guam's Desktops/Laptops and Down to a Quarter Overall
No wonder Microsoft is panicking
Today in UEFI 'Secure' Boot Debates (the Frog is Already Boiling and Melting)
Over at LQ today
[Meme] A "Modern" Web's Message in a Bottle
So-called 'security'
Brittany Day: Still Chatbot Slinging, Producing Fake 'Articles' About "Linux"
random garbage produced (and censored) by Microsoft
Almost 4k Gemini Capsules, 5th Anniversary Only Weeks Away
The Web will continue to deteriorate
Microsoft: $1 Million a Day for Contempt of Court Orders (Justice Department)
Microsoft behaves as if it's 100% exempt from laws
Catbodia? In Cambodia, Microsoft's Windows Fell to All-Time Low of Less Than a Quarter.
Cambodia is leaving Microsoft behind
[Meme] Deadnaming
Guess who uses a name that was deprecated well over a decade ago?
New Press Report Explains Microsoft Severance and Quiet (Undisclosed) Layoffs
Some people will call this "loophole", whereas others will opine that it is outright illegal (but kept secret to circumvent scrutiny)
Global South is Android/Linux (Windows Era Has Come to an End Already)
I've decided to take a quick glance at South American trends for all operating systems
[Meme] Unified Patent Troll
Unified Patent Court remains illegal and unconstitutional
The European Patent Office is Sinking
Officials (or national delegates) at the European Patent Organisation have long been warned about this (by staff representatives from the European Patent Office), but they ignored the warnings
Summer in the Air
We have a good pace going on owing to health, positivity, inertia and good software tools
GNU/Linux Activity in Belize
From an economic point of view, Microsoft needn't worry about Belize, but when it comes to preserving the Windows monopoly/monoculture Belize matters
Links 28/05/2024: Back to MP3, NVIDIA Sued by Authors
Links for the day
Gemini Links 28/05/2024: Bad Beach and TLS
Links for the day
Microsoft Windows Fell From 100% to Just 7.5% in Sierra Leone
Based on statCounter
In Benin, Microsoft's Windows Fell Below 10%, GNU/Linux Surged to 6% or Higher on Desktops/Laptops
That's nearly 7% - a lot higher than the average in Africa
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Monday, May 27, 2024
IRC logs for Monday, May 27, 2024
Delayed Series About Dr. Richard Stallman
A lot of the attacks on him boil down to petty things
[Meme] Elephant in the Asian Room
With ChromeOS included GNU/Linux is at 6% across Asia
GNU/Linux in Bangladesh Up From 0.5% to Over 4% (Windows Slid From 95% to 18%)
Bangladesh is one of the world's most densely-populated countries
A 3-Year Campaign to Coerce/Intimidate Us Into Censorship: Targeting Several Webhosts (in Collaboration and Conjunction With Mentally-Ill Flunkies)
Every attempt to nuke the current hosting failed, but it's still worth noting
Links 27/05/2024: One Month Left for ICQ, More Openwashing Highlighted
Links for the day
Gemini Links 27/05/2024: Back to GNU/Linux, Librem 5 Assessed
Links for the day
StatCounter (or statCounter) Has Mostly Recovered From a Day's Downtime (Malfunction)
Some of the material we've published based on the statCounter datasets truly annoys Microsofters
Google: We Don't Have Source Diversity, But We Have Chatbot Spew in Place of Sources (and It's Not Even Accurate)
Search engines and news search never looked this bad...
[Meme] Security is Not a Failure to Boot (or Illusion of Security Due to 'Unknown' System)
Red Hat is largely responsible for this mess
What is Secure Boot?
Security means the user feels safe and secure - i.e. confident that the machine would continue to work following a reboot or a system upgrade (or kernel upgrade)
StatCounter (or statCounter) Has Been Broken for Nearly 24 Hours. Who Benefits? Microsoft.
StatCounter is broken right now and has been broken for nearly 24 hours already
Links 27/05/2024: Chatbots Generate Hateful Output, TPM Performance Scrutinised
Links for the day
David Heinemeier Hansson (DHH) Realises What He Should Have Decades Ago
seeing that DHH is moving away from Apple is kind of a big deal
Reinvigorating the Voice of GNU/Linux Users (Not Companies Whose Chiefs Don't Even Use GNU/Linux!)
Scott Ruecker has just announced his return
"Tech" in the Context of Even Bigger Issues
"Tech" (or technology) activism is important; but there's a bigger picture
A Decade of In-Depth Coverage of Corruption at the European Patent Office (EPO)
The world needs transparency and sunlight
Hopefully Not Sunset for StatCounter
We hope that StatCounter will be back soon.
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Sunday, May 26, 2024
IRC logs for Sunday, May 26, 2024
Links 27/05/2024: Self-Publishing, Patent Monopolies, and Armed Conflicts
Links for the day
Gemini Links 27/05/2024: Tethering Connection and PFAs
Links for the day
Imagine Canada Enabling Rapists to Harass Their (Rape) Victims
This analogy is applicable because abusers are empowered against the abused
A 3-Year Campaign to Coerce/Intimidate Us Into Censorship: Targeting My Old "Tweets"
This was basically an act of vandalism no better and no worse than UEFI restricted boot
Links 26/05/2024: Google 'Search' Morphing Into Disinformation Factory, Discussion of Maze of the Prison Industrial Complex
Links for the day
In the Pacific (Mostly Islands Around Oceania) GNU/Linux Grew a Lot
Microsoft cannot compete fairly
A Toast to Tux Machines
Food ready for the party, no photos yet...
IBM/Red Hat Failing to Meet Its WARN Obligations in NC (STATE OF NORTH CAROLINA), or Perhaps It's Constantly Delaying the Layoffs
IBM isn't named even once
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Saturday, May 25, 2024
IRC logs for Saturday, May 25, 2024
GNU/Linux in Greenland
The sharp increases for GNU/Linux started last summer
The Sheer Absurdity of the EPO's Career System Explained by EPO Staff
"Staff representation has previously pointed this out to management, and the career system has been the reason for several industrial actions and litigation cases initiated by SUEPO."
[Meme] Productivity Champ Nellie Simon: It Takes Me 3+ Weeks to Write 6 Paragraphs
Congrats to Nellie Simon!
It Took EPO Management 3+ Weeks to Respond to a Letter About an Urgent Problem (Defunding of EPO Staff)
The funny thing about it is that Nellie Simon expects examiners to work day and night (which is illegal) while she herself takes 3+ weeks to write a 1-page letter
Staff Union of the EPO (SUEPO) in The Hague Taking Action to Rectify Cuts to Families of Workers
they "are active in challenging this measure via the legal system"