AMD's Crimson Radeon Driver For Linux Barely Changes Anything

An anonymous reader writes: AMD Windows customers were greeted this week with the new "Crimson" Radeon Software, which brought many bug fixes, performance improvements, and a brand-new control panel. While AMD also released this Crimson driver for Linux, it really doesn't change much. The control panel is unchanged except for replacing "Catalyst" strings with "Radeon", and there have been no performance improvements, just some isolated slowdowns. The Crimson Linux release notes mention only two changes: a fix for glxgears stuttering and for mouse cursor corruption.

Will You Be Able To Run a Modern Desktop Environment In 2016 Without Systemd?

New submitter yeupou writes: Early this year, David Edmundson from KDE concluded that "In many cases [systemd] allows us to throw away large amounts of code whilst at the same time providing a better user experience. Adding it [systemd] as an optional extra defeats the main benefit". A perfectly sensible explanation. But then one might wonder to what point KDE would remain usable without systemd.

Recently, on one Devuan box, I noticed that KDE power management (Powerdevil) no longer supported suspend and hibernate. Since pm-utils was still there, for a while I resorted to calling pm-suspend directly, hoping it would get fixed at some point. But it did not. So I wrote a report myself. I was not expecting much. But neither was I expecting it to be immediately marked as RESOLVED and DOWNSTREAM, with a comment accusing the "Debian fork" I'm using of "rip[ing] out" systemd without "coming with any of the supported solutions Plasma provides". I had searched beforehand about the issue, so I knew that the problem also occurred on some other Debian-based systems and that the bug seemed entirely tied to upower, an upstream component used by Powerdevil. So if anything, this bug should at least have been marked as UPSTREAM.

While no one dares (yet) to claim to write software only for systemd-based operating systems, it is obvious that it is now getting quite hard to get support otherwise. At the same time, bricks that worked for years without it now just get ruined, since, as pointed out by Edmundson, adding systemd as an "optional extra defeats its main benefit". So, is it likely that in 2016 we'll still have a modern desktop environment, without recent regressions, running without systemd?

Meet Mårten Mickos, Serial Open Source CEO (Video)

Mårten was the MySQL CEO who built the company from a small-time free software database developer into a worldwide software juggernaut that he sold to Sun Microsystems. Next, he became CEO of Eucalyptus Systems, another open source operation, which Hewlett Packard bought in 2014. Now Mårten is CEO of HackerOne, a company that hooks security-worried companies up with any one of thousands of ethical hackers worldwide.

Some of those hackers might be companies that grew out of university CS departments, and some of them may be individual high school students working from their kitchen tables. Would a large company's Board of Directors trust a kid hacker who came to them with a bug he found in their software? Probably not. But if Mårten or one of his HackerOne people contacts that company, it's likely to listen -- and set up a bug bounty program if it doesn't have one already.

Essentially, once again Mårten is working as an intermediary between technically proficient people -- who may or may not conform to society's idea of a successful person -- and corporate executives who need hackers' skills and services but may not know how to find non-mainstream individuals or even know the difference between "hackers" and "crackers." Editor's note: I have known and respected Mårten for many years. If this interview seems like a conversation between two old friends, it is.

Exploit Vendor Publishes Prices For Zero-Day Vulnerabilities

An anonymous reader writes: An exploit vendor has published a price list for the zero-day bugs it's willing to buy. The highest-paid bugs are remote jailbreaks for iOS. Second are Android and Windows Phone. Third are remote code execution bugs for Chrome, Flash, and Adobe's PDF Reader. This is the same company that just paid $1 million to a hacker for the first iOS 9 jailbreak.

Grow Your Daily Protein At Home With an Edible Insect Desktop Hive

Fast Coexist reports on the Edible Insect Desktop Hive, a kitchen gadget designed to raise mealworms (beetle larvae), a food that has the protein content of beef without the environmental footprint. The hive can grow between 200 and 500 grams of mealworms a week, enough to replace traditional meat in four or five dishes. The hive comes with a starter kit of "microlivestock," and controls the climate inside so the bugs have the right amount of fresh air and the right temperature to thrive. If you push a button, the mealworms pop out in a harvest drawer that chills them. You're supposed to pop them in the freezer, then fry them up or mix them into soup, smoothies, or bug-filled burgers. "Insects give us the opportunity to grow on small spaces, with few resources," says designer Katharina Unger, founder of Livin Farms, the company making the new home farming gadget. "A pig cannot easily be raised on your balcony, insects can. With their benefits, insects are one part of the solution to make currently inefficient industrial-scale production of meat obsolete."

Of course, that assumes people will be willing to eat them. Unger thinks bugs just need a little rebranding to succeed, and points out that other foods have overcome bad reputations in the past. "Even the potato, that is now a staple food, was once considered ugly and was given to pigs," says Unger adding that sushi, raw fish, and tofu were once considered obscure products. "Food is about perception and cultural associations. Within only a short time and the right measures, it can be rebranded. . . . Growing insects in our hive at home is our first measure to make insects a healthy and sustainable food for everyone."

GPS Always Overestimates Distances

mikejuk writes: Have you had a suspicion that your GPS app is overestimating the distance traveled? It is something that runners and walkers complain about a lot. If so, you are probably correct -- but the reason isn't an algorithmic glitch. The answer lies in the statistics, and it is a strange story. If you make a measurement and it is subject to a random unbiased error, then you generally are safe in assuming that the random component will make the quantity larger as often as it makes it smaller. Researchers at the University of Salzburg (UoS), Salzburg Forschungsgesellschaft (SFG), and the Delft University of Technology have done some fairly simple calculations that prove that this is not the case for GPS distance measurement. Consider the distance between two points — this is along a straight line, and hence it is the shortest distance. Now add some unbiased random noise, and guess what? This tends to increase the distance. So unbiased errors in position give rise to a biased overestimate of the distance. There is an exact formula for the bias, and in some cases it can be more than 20%. Is there a solution? Perhaps using velocity measurements and time to work out distance is better — it isn't biased in the same way, but how accurate it could be remains to be seen. So when your fitness band tells you you have run a 4-minute mile — don't believe it.
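The effect described above can be reproduced with a short simulation. The following Python script is an added illustration, not part of the submission or of the researchers' paper: it adds zero-mean Gaussian error to the GPS fixes along a perfectly straight one-mile track, sums the segment lengths the way a fitness app does, and reports the average overestimate. The 5 m fix error and the 10 m / 50 m sample spacings are constructed values, chosen only to show how the bias grows as the segments get shorter.

```python
import math
import random


def straight_track(length_m, n_points):
    """Evenly spaced fixes along a straight line; the true length is exactly length_m."""
    step = length_m / (n_points - 1)
    return [(i * step, 0.0) for i in range(n_points)]


def path_length(points):
    """Sum of straight-line segment lengths, as a GPS app computes distance from fixes."""
    return sum(math.dist(points[i], points[i + 1]) for i in range(len(points) - 1))


def add_position_noise(points, sigma_m, rng):
    """Add independent zero-mean (unbiased) Gaussian error to every fix.

    Each noisy segment has length sqrt((d + e_x)**2 + e_y**2): the along-track
    error e_x averages out, but the cross-track error e_y can only lengthen the
    segment. That asymmetry is the whole source of the bias.
    """
    return [(x + rng.gauss(0.0, sigma_m), y + rng.gauss(0.0, sigma_m)) for x, y in points]


def relative_bias(length_m, n_points, sigma_m, trials=1000, seed=7):
    """Mean of (measured / true - 1) over many noisy realisations of the same track."""
    rng = random.Random(seed)
    track = straight_track(length_m, n_points)
    measured = sum(path_length(add_position_noise(track, sigma_m, rng)) for _ in range(trials))
    return measured / trials / length_m - 1.0


if __name__ == "__main__":
    MILE_M = 1609.0   # constructed: one straight mile
    SIGMA_M = 5.0     # constructed: 5 m per-coordinate error on each fix
    # 33 fixes is one every ~50 m; 161 fixes is one every ~10 m.
    for n_points in (33, 161):
        bias = relative_bias(MILE_M, n_points, SIGMA_M)
        print(f"{n_points:4d} fixes: distance overestimated by {bias:.1%}")
```

With these inputs the coarse track is overestimated by about 1%, while sampling the same mile every 10 m pushes the overestimate well past 20%, matching the order of magnitude the researchers report.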

Mozilla Has 'No Plans' To Offer Firefox Without Pocket

An anonymous reader writes: In June, Mozilla integrated Pocket into Firefox, garnering a mixed response from the browser's community. This week, VentureBeat stumbled upon a Bugzilla ticket (bug 1215694) to "move Pocket to a built-in add-on" and immediately reached out to the company. "There are currently no plans to offer a version of Firefox that doesn't include Pocket," said Dave Camp, Firefox's director of engineering.

Mac App Store Apps 'Damaged' Following Security Certificate Bug

An anonymous reader writes: A slew of complaints is emerging against Apple after users were forced to delete and reinstall Mac App Store apps in the wake of a major security management error. The problem manifested with the apparent expiry of the security certificates that validated the apps, but even after the certificates were updated yesterday to expire in 2035, the problems were not resolved; some users were unable to verify the new certificates, and others could not even connect to the internet. In some cases the programs had to be reinstalled from scratch, deleting the user's existing settings.

Corporations and OSS Do Not Mix

An anonymous reader writes: Ian Cordasco, a prolific open source developer, wrote a lengthy post about his experiences working on code that gets used by companies as part of their business. His basic thesis is that the open source development process is not particularly compatible with for-profit corporations, and having them involved frequently makes progress more difficult. "As soon as a bug affects them, they want it fixed immediately. If you don't fix it in 24 hours (because maybe you have a real life or a family or you're sick or any number of other very valid reasons) then the threats start." He adds, "When companies do 'contribute,' it's often not in the best interest of the community, it isn't enough, or it's thoroughly misguided." Cordasco is quick to note that there are exceptions, but he has an idea why the majority behave that way: "I don't have the complete answer, but one important point is that there is toxicity in the community, its leaders, and/or its contributors, and the companies have learned their behavior from this toxicity." He provides a list of suggestions for companies using open source software, as well as some further reading on the subject from Ashe Dryden, David MacIver, and Cory Benfield.

Celebrating 30th Anniversary of the First C++ Compiler: Let's Find Bugs In It

New submitter Andrey_Karpov writes: Cfront is a C++ compiler that came into existence in 1983 and was developed by Bjarne Stroustrup ("30 YEARS OF C++"). At that time the language was known as "C with Classes". Cfront had a complete parser and symbol tables, and built a tree for each class, function, etc. Cfront was based on CPre. Cfront defined the language until circa 1990. Many of the obscure corner cases in C++ are related to the limitations of the Cfront implementation, because Cfront performed translation from C++ to C. In short, Cfront is a sacred artifact for a C++ programmer. So I just couldn't help checking such a project [for bugs].

Google Hackers Expose 11 Major Security Flaws In Samsung Galaxy S6 Edge

MojoKid writes: Going on a bug hunt might not sound like the most exciting thing in the world, but for Project Zero, the team of security analysts tasked by Google with finding zero-day exploits, a good old-fashioned bug hunt is both exhilarating and productive. As a result of Project Zero's efforts to root out security flaws in Samsung's Galaxy S6 Edge (and, by association, likely the entire Galaxy S6 line), owners are now more secure. The team gave themselves a week to root out vulnerabilities. To keep everyone sharp, the researchers made a contest out of it, pitting the North American and European participants against each other. Their efforts resulted in the discovery of 11 vulnerabilities, the "most interesting" of which was CVE-2015-7888. It's a directory traversal bug that allows a file to be written as the system user. Project Zero said it was trivially exploitable, though it's also one of several that Samsung has since fixed.

GNU Hurd 0.7 and GNU Mach 1.6 Released

jones_supa writes: Halloween brought us GNU Hurd 0.7, GNU Mach 1.6, and GNU MIG 1.6. The new Hurd comes with filesystem driver improvements and a new rpcscan utility, and the Hurd code has been ported to work with newer versions of GCC and the GNU C Library. The Mach microkernel has updates for compiler compatibility and improvements to the lock debugging infrastructure; the kernel now lets non-privileged users write to a small amount of memory, timestamps are now kept relative to boot time, and there are various bugfixes. MIG 1.6 is a small update that improves compatibility with newer dialects of the C programming language. Specific details on all of the updates can be found in the full release announcement.

jrepin adds some more details: GNU Hurd 0.7 improves the node cache for the EXT2 file-system code (ext2fs), improves the native fakeroot tool, provides a new rpcscan utility, and fixes a long-standing synchronization issue with the file-system translators and other components. The GNU Mach 1.6 microkernel also has updates for compiler compatibility and improvements to the lock debugging infrastructure; the kernel now lets non-privileged users write to a small amount of memory, timestamps are now kept relative to boot time, and there are various bug fixes.

Bug Bounties Are Bonanza, For a Few Persistent Hackers

chicksdaddy writes: Bug bounty programs are all the rage these days, with companies from Asana to Zendesk offering cash rewards for finding holes in their web sites. But is spending your weekends fuzzing someone else's application code really worth it? And is anyone really getting rich off bug bounties? The short answer is 'yes.' As this article at The Christian Science Monitor notes, top bounty researchers on sites like HackerOne and BugCrowd are indeed seeing big paydays — often in return for just hours of work perusing buggy websites. Among the eye-popping figures: researcher Mark Litchfield's $63,000 take over Labor Day weekend, which included the discovery of multiple remotely exploitable holes in a major web property, paying $15,000 each through HackerOne. Also profiled are researchers Frans Rosen and Sean "Meals" Melia, the number four ranked researcher on BugCrowd. Both claim to have netted six-figure incomes in the last year on bug bounties alone. "It's like finding a gold nugget," Litchfield is quoted as saying. "Sometimes it's like finding my own gold mine."

Xen Patches 7-Year-Old Bug That Shattered Hypervisor Security

williamyf writes: Ars Technica, The Register, and other outlets are reporting that today the Xen Project patched a vulnerability in paravirtualized VMs that allowed a guest to access the control OS of the hypervisor. Qubes researchers wrote: "On the other hand, it is really shocking that such a bug has been lurking in the core of the hypervisor for so many years. In our opinion the Xen project should rethink their coding guidelines and try to come up with practices and perhaps additional mechanisms that would not let similar flaws to plague the hypervisor ever again".

Joomla SQL-Injection Flaw Affects Millions of Websites

An anonymous reader writes: Joomla has just issued a patch that fixes a SQL-injection vulnerability discovered by a researcher at Trustwave SpiderLabs. The flaw allowed malicious users to extract the browser cookie assigned to a site's administrator, giving them access to restricted parts of the server. The flaw first appeared in Joomla 3.2, released in November 2013. An estimated 2.8 million websites rely on Joomla. The Joomla team and the researcher who found the flaw recommend an immediate update to version 3.4.5.

The Army Bug Bounty Program: a Critical Need In Defense

hypercard writes: It seems just about every major tech company, and even a few other large non-tech corporations, have bug bounty programs as part of an effort to improve security through a community effort. Captains Rock Stevens and Michael Weigand, both Cyber officers in the U.S. Army, recently published Army Vulnerability Response Program, an outline for a legal way of disclosing bugs in Army software and networks. They say, "[T]he Army does not have a central location for responsibly disclosing vulnerabilities found through daily use, much less a program that can permit active security assessments of networks or software solutions. Without a legal means to disclose vulnerabilities in Army software or networks, vulnerabilities are going unreported and unresolved."

Microsoft To Pay Up To $15K For Bugs In Two Visual Studio Tools

itwbennett writes: Yesterday, Microsoft started a three-month bug bounty program for two open source tools that are part of Visual Studio 2015. The program applies to the beta versions of Core CLR, the execution engine for .NET Core, and ASP.NET, Microsoft's framework for building websites and web applications. Bounties range from $500 to $15,000, although Microsoft will reward more 'depending on the entry quality and complexity.' The highest reward will go to researchers who've found a remote code execution bug with a functioning exploit and an accompanying high-quality white paper. On the low end, cross-site scripting or cross-site request forgery bugs with a low-quality report will get $500.

Microsoft Publishes OpenSSH For Windows Code

An anonymous reader writes: Microsoft has published early source code for its OpenSSH-for-Windows port for developers to pick apart and improve. In a blog post on Monday, Steve Lee – the PowerShell team's principal software engineer manager – said Redmond has finished early work on a Windows port of OpenSSH 7.1, built in a joint effort with NoMachine. Their rough roadmap from here: 1) leverage Windows crypto APIs instead of OpenSSL/LibreSSL and run as a Windows Service; 2) address POSIX compatibility concerns; 3) stabilize the code and address reported issues; 4) production-quality release.

Why You Should Be Suspicious of Online Movie Ratings

An anonymous reader writes: A statistical news blog noticed some odd discrepancies in online movie ratings, which caused them to do some investigating. They found it was generally a bad idea to rely on such ratings, particularly from sites like Fandango. "When I focused on movies that had 308 or more user reviews, none of the 209 films had below a 3-star rating. Seventy-eight percent had a rating of 4 stars or higher." Further, "In a normal rounding system, a site would round to the nearest half-star — up or down. In the case of Ted 2 [which was displaying 4.5 stars], then, we'd expect the rating to be rounded down to 4 stars. But Fandango rounded the 'ratingValue' [4.1] up. I pulled the number of stars listed on the page of each film in our sample of 437 (with at least one user review), as well as the ratingValue listed in the page's source. And I found that Fandango doesn't round a rating down when we'd mathematically expect that ...'s rounding methodology, even if it was just an innocent bug, is a good example of why you should be skeptical of online movie ratings, especially from companies selling you tickets."