Category: Software

Linux had a killer flaw for 11 years and no one noticed

One of the key advantages of Open sauce software is that it is supposed to be easier to spot and fix software flaws; however, Linux has had a local privilege escalation flaw for 11 years and no-one noticed.

The vulnerability, tracked as CVE-2017-6074, is over 11 years old and was likely introduced in 2005 when the Linux kernel gained support for the Datagram Congestion Control Protocol (DCCP). It was discovered last week and was patched by the kernel developers on Friday.

The flaw can be exploited locally by using heap spraying techniques to execute arbitrary code inside the kernel, the most privileged part of the OS. Andrey Konovalov, the Google researcher who found the vulnerability, plans to publish an exploit for it in a few days.

While it cannot be exploited remotely, this sort of bug can be combined with other flaws that give remote hackers access to a lower privileged account on a system.

For the flaw to be exploitable, the kernel needs to be built with the CONFIG_IP_DCCP option. Many distributions use kernels built with this option, but some don’t.

Red Hat announced that Red Hat Enterprise Linux 5, 6, 7, and Red Hat Enterprise MRG 2 kernels are affected. The company has released patches for Red Hat Enterprise Linux 6 and 7 and for the Red Hat Enterprise Linux for Real Time for NFV (v. 7) (kernel-rt).

The Debian project released fixed kernel packages for Debian 7 Wheezy and Debian 8 Jessie, the “old stable” and “stable” versions of the distribution. Debian Stretch (testing) and Sid (unstable) have not been patched yet.

Patches are also available for Ubuntu 12.04 LTS, Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. As far as SUSE goes, only SUSE Linux Enterprise Server 10 is affected and patches for it are only available to customers with long term service pack support. The kernels in SUSE Linux Enterprise Server 11 SP 1 to 4 and SUSE Linux Enterprise Server 12 SP 1 and 2 are not built with support for the DCCP protocol.
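The article's exploitability precondition is a kernel built with CONFIG_IP_DCCP. The following inventory check is an added example, not code from the article or from any of the vendors named; it assumes the kernel config is in the usual .config text format (such as /boot/config-$(uname -r)) and that modprobe.d fragments use the standard "install" and "blacklist" directives.

```shell
#!/bin/sh
# Added example (not from the article): classify a host against the
# CONFIG_IP_DCCP precondition the article gives for CVE-2017-6074.
# Assumption: config is .config text, e.g. /boot/config-$(uname -r) or
# "zcat /proc/config.gz" saved to a file; modprobe.d uses standard syntax.

# How DCCP was built.  Prints: builtin | module | absent
dccp_config_state() {
    cfg="$1"
    if grep -q '^CONFIG_IP_DCCP=y' "$cfg"; then
        echo builtin
    elif grep -q '^CONFIG_IP_DCCP=m' "$cfg"; then
        echo module
    else
        echo absent
    fi
}

# Whether a modprobe.d directory stops the dccp module from loading.
# "install dccp /bin/true" defeats alias-triggered and explicit loads;
# a bare "blacklist dccp" only stops the alias-triggered load, which is
# the path a socket() call for a not-yet-loaded protocol takes.
# Prints: blocked | blacklisted | open
dccp_modprobe_state() {
    dir="$1"
    if grep -qs '^[[:space:]]*install[[:space:]][[:space:]]*dccp[[:space:]]' "$dir"/*.conf; then
        echo blocked
    elif grep -qs '^[[:space:]]*blacklist[[:space:]][[:space:]]*dccp[[:space:]]*$' "$dir"/*.conf; then
        echo blacklisted
    else
        echo open
    fi
}

# Verdict for a host: exposed (DCCP reachable), mitigated (module present
# but loading blocked), or not-applicable (no DCCP support at all).
dccp_verdict() {
    case "$(dccp_config_state "$1")" in
        builtin) echo exposed ;;
        module)
            case "$(dccp_modprobe_state "$2")" in
                open) echo exposed ;;
                *)    echo mitigated ;;
            esac ;;
        *) echo not-applicable ;;
    esac
}

# Demo on constructed inputs (not a real host).
tmp=$(mktemp -d)
printf 'CONFIG_IP_DCCP=m\n' > "$tmp/config"
mkdir -p "$tmp/modprobe.d"
printf 'install dccp /bin/true\n' > "$tmp/modprobe.d/dccp.conf"
echo "verdict=$(dccp_verdict "$tmp/config" "$tmp/modprobe.d")"
rm -rf "$tmp"
```

On a real host, point the first argument at the running kernel's config and the second at /etc/modprobe.d; a "builtin" result cannot be mitigated by modprobe and needs the patched kernel.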

Online job sites block older workers

Illinois Attorney General Lisa Madigan has opened an investigation into allegations that online software tools that millions of Americans use to job hunt are discriminating against older workers.

The San Francisco Federal Reserve Bank found that in a widespread test using fabricated resumes, fictional older workers were 30 percent less likely to be contacted after applying for jobs.

Fictional older women had it even worse, being 47 percent less likely to get a “callback”. Several forces are conspiring to ensure that many Americans must work well past the traditional retirement age of 65.

People are living longer, their retirement savings are inadequate, and Social Security reforms are almost certainly going to require it.

The San Francisco Fed says that the share of the over-65 population that is working is projected to rise sharply — from about 19 percent now to 29 percent in the year 2060.

But while online job-hunting tools should be making things easier for older employment seekers, online job sites seem to be cutting older workers out, with age bias built right into their software.

In a statement, Madigan said that job seekers who try to build a profile or resume can find that it’s impossible to complete some forms because drop-down menus needed to complete tasks don’t go back far enough to let older applicants fill them out.

For example, one site’s menu options for “years attended college” stops abruptly at 1956. That could prevent someone in their late 70s from filling out the form.

Madigan’s office said it found one example that only accommodated those who had attended school after 1980, “barring anyone who is older than 52.”

Other sites used dates ranging from 1950 to 1970 as cutoffs, her office said. The Illinois Civil Rights Bureau has opened a probe into potential violations of the Illinois Human Rights Act and the federal Age Discrimination in Employment Act. Madigan’s office has written letters to six top job sites, including Beyond.com, CareerBuilder, Indeed, Ladders, Monster Worldwide and Vault, to ask them about their policies.

Cyberfox is officially dead

The web browser Cyberfox appears to have been torn apart by hounds while rich toffs on horses stand by applauding and another makes loud farting noises on a bugle.

In a blog post entitled Cyberfox and its future direction, the lead developer of Cyberfox proclaimed the death of the web browser.

Toady said that the project was taking too much of his personal time, and that the changes required by Mozilla were requiring more and more time to maintain.

He said: “This project has been amazing, no one could ask for a better project or community. Sadly, as much as I love this project my heart is no longer fully in it, dreams of pursuing game development were pushed aside and lifestyle steadily declined, ultimately slowly coming to this point where changes and choices have to be made, ones that will affect this project and the future of what I have spent all these years building.”

The issue appears to be that Mozilla announced major changes to Firefox, some of which have landed already, some are in process, and others are announced for 2017. These include multi-process Firefox, the removal of plugins, and the replacement of all other add-on systems of the browser by WebExtensions.

That’s too much change for projects that are maintained by a small but dedicated group of developers such as Cyberfox.

The author of Cyberfox made the decision to switch the browser’s release channel to Firefox 52.0 ESR. This means that Cyberfox will be supported with security updates for the next eight release cycles, but new features that Mozilla introduces in Firefox Stable won’t find their way into the browser anymore.

ZTE pays $900 million fine

Chinese telecom equipment maker ZTE has agreed to plead guilty and pay up in a US sanctions case, drawing a line under a damaging scandal that had threatened to cut off its supply chain.

While the fine was larger than expected, ZTE, also a major smartphone maker, reported robust underlying earnings for 2016 and was upbeat in estimates for the first quarter.

A five-year investigation found ZTE conspired to evade US embargoes by buying US components, incorporating them into ZTE equipment and illegally shipping them to Iran.

It also made 283 shipments of telecommunications equipment to North Korea.

US Attorney General Jeff Sessions said in a statement that ZTE Corporation “not only violated export controls that keep sensitive American technology out of the hands of hostile regimes like Iran’s, they lied … about their illegal acts.”

But ZTE relies on US suppliers for 25 percent to 30 percent of its components, many of which are key to its goods. It buys about $2.6 billion worth of components a year from US firms, including Qualcomm, Microsoft and Intel.

ZTE Chief Executive Zhao Xianming said in a statement that his outfit acknowledges the mistakes it made, takes responsibility for them, and remains committed to positive change in the company.

The company agreed to a seven-year suspended denial of export privileges, which could be activated if there are further violations, as well as three years of probation, a compliance and ethics program, and a corporate monitor.

It also agreed to an additional penalty of $300 million that will be suspended during the seven-year term on the condition the company complies with requirements in the agreement.

ZTE has replaced executives allegedly involved, including naming a new president.

The company said it slid to a preliminary net loss of $342 million in 2016, its first loss in four years, due to the settlement.

Italians see off Facebook in court

Facebook has suspended its location-sharing feature in Italy after a Milan court ruled last year that the social networking giant had violated competition and copyright laws by effectively copying a similar app from a local startup.

Italian software developer Business Competence filed a lawsuit in 2013, accusing Facebook’s Nearby feature of having copied its Faround application, which helps users locate Facebook friends in the vicinity.

Facebook launched its Nearby feature only months after Faround was included in the social network’s app store in 2012.

The complaint alleged that the two applications were “extremely similar” in their functions and general set-up.

Facebook said it has discontinued offering what it now calls Nearby Places in Italy while it appeals against the court’s ruling.

The court ordered Facebook to suspend Nearby Places in Italy or pay a daily fine of 5,000 euros for copyright infringement and unfair competition. It said that Facebook may have to pay further damages to be determined at a later stage.

Facebook wanted the order put on hold while it awaited a ruling on the merits of the case, but its request was rejected by the court in December. It said on Monday that it is complying with the decision pending its appeal.

Facebook insists that the claims were without merit and the order was wrongly decided, but says it has respectfully complied with the order in the interim.

Business Competence’s Faround app was launched in September 2012 and quickly gained popularity among Italian users.

Faround was the most downloaded new social networking app in the country but downloads plunged the month after Facebook launched its own Nearby feature on December 17 of that year.

“It was a big blow to us to see that we were losing everything we had invested (into Faround),” Business Competence Chief Executive Sara Colnago said. It had cost the outfit half a million euros to build the app.

Munich might still stick to Linux agreement

The poster child for the use of Linux by government authorities, the City of Munich, might stick to its commitment to the operating system after all.

There had been ructions in Munich over whether its move to Linux had been such a good idea and if it had saved as much as it thought it had.

Most media have reported that a final call was made to halt the LiMux project and switch back to Microsoft software, but the Free Software Foundation Europe says this is fake news.

What happened was that the opposing parties were overruled, but the decision was amended such that a strategy document must specify which LiMux applications will no longer be needed. This was not killing off the project but postponing it until more facts were known, such as the extent to which prior investments must be written off, and a rough calculation of the overall costs of the desired unification.

The FSFE said that so far mayor Dieter Reiter was forced to postpone the final decision, and this was possible through the unwavering pressure created by joint efforts between The Document Foundation, KDE, OSBA, and the FSFE together with all the individuals who wrote to city council members and took the issue to the media.

Although the mandate hints that the existing vendor-neutral approach is to be replaced with a proprietary solution, it leaves the door open.

Some politicians said they’d never received this much input from the public before, and the Free Software Foundation Europe says the city’s issues were caused “from organisational problems, including lack of clear structures and responsibilities,” which should not be attributed to the Linux operating system.

“LiMux as such is still one of the best examples of how to create a vendor-neutral administration based on Free Software,” the FSFE said.

Jim Mackey leaves Blackberry

Blackberry head of corporate development and strategy, Jim Mackey, has quietly cleaned out his desk and snuck out of the building without anyone noticing.

Mackey left the company in the middle of February and it appears that no-one has thought to alert the media. The move does dump Blackberry in it somewhat, as it lacks leadership while it tries to move from smartphone hardware to software.

Mackey, who was executive vice president, executive operations, made his own announcement on social notworking site Linkedin. He did not give a reason and became unavailable for comment.

Blackberry, which in late 2013 issued a press release on the hiring of Mackey, did not announce his exit. Chief Operating Officer Marty Beard refused to answer any questions either.

Mackey worked directly with Blackberry Chief Executive John Chen, navigating the purchase and integration of a string of acquisitions and the signing of major partnership agreements.

Beard said in an interview that the company had largely completed its software portfolio and needed to push hard to win more customers, including by adding partners.

“The biggest issue we have is not getting invited to the table because the customer doesn’t know that BlackBerry is doing that. That’s the challenge.”

Appeals court backs Apple against Texas troll

A US court deep in the heart of Texas

The US Court of Appeals for the Federal Circuit decided to save the fruity tax-dodging cargo cult from the clutches of a patent troll.

The court decided to throw out the verdict of a two-year old legal case against Apple based on data storage patents.

The original verdict reached by a Texas jury stuck Apple with $533 million in damages. It had been hoping for a hanging but settled for the next best thing.

Smartflash mostly targeted game developers who largely all settled out of court in 2014, but Apple defended its use of data storage management and payment processing technology in court.

The trial judge vacated the large damages award a few months after a Texas federal jury imposed it in February 2015, but the U.S. Court of Appeals for the Federal Circuit said on Wednesday the judge should have ruled Smartflash’s patents invalid and set aside the verdict entirely.

A unanimous three-judge appeals panel said Smartflash’s patents were too “abstract” and did not go far enough in describing an actual invention to warrant protection.

It is unlikely that Smartflash will rise again to hit other companies.

IBM owns out of hours emails

The Electronic Frontier Foundation (EFF) is furious that IBM has managed to score a patent on out of hours emails.

The EFF said it is bringing light to what it calls a “stupefyingly mundane” patent on e-mail technology which turns Biggish Blue into a spectacular troll.

For years IBM lawyers have argued with the US Patent and Trademark Office over a bizarre and alarming alternative history, in which IBM invented out of office e-mail—in 2010.

US Patent No. 9,547,842, “Out-of-office electronic mail messaging system” was filed in 2010 and granted about six weeks ago.

EFF lawyer Daniel Nazer described the case in its “Stupid Patent of the Month” blog post and cites a Microsoft publicity page that talks about quirky out of office e-mail culture dating back to the 1980s, when Microsoft marketed its Xenix e-mail system.

To be fair, an IBM spokesperson said that “IBM has decided to dedicate the patent to the public”. The company notified the USPTO today that it will forgo its rights to the patent.

But the patent should never have been awarded.

IBM offers one feature that is even arguably not decades old: the ability to notify those writing to the out of office user some days before the set vacation dates begin.

That feature, similar to “sending a postcard, not from a vacation, but to let someone know you will go on a vacation,” is a “trivial change to existing systems,” Nazer points out.

Nazer said that there were some major mistakes made during the examination process. The examiner never considered whether the software claims were eligible after the Supreme Court’s Alice v. CLS Bank decision, which came in 2014, and in Nazer’s view the office “did an abysmal job” of looking at the prior art.

Nazer said the office “never considered any of the many, many, existing real-world systems that pre-dated IBM’s application”.

Needless to say, IBM is not one of those companies who likes the Alice judgement much. It is lobbying Congress to roll back Alice and allow more types of software patents.

Rather than making trolls go away, it will mean that even more bizarre ones could get the nod by the Patent Office. After all IBM once applied to patent shorter meetings, it did not get anywhere with it, but it is the sort of thing it wants to be paid for.

Blockchain gains as software giants form alliance

JPMorgan Chase, Microsoft, Intel and more than two dozen other companies have teamed up to develop standards and technology to make it easier for enterprises to use the Ethereum blockchain code.

The move is seen as the latest push by large firms to move toward distributed ledger systems and a considerable move forward for the bitcoin based tech.

The Enterprise Ethereum Alliance (EEA) will work to enhance the privacy, security and scalability of the Ethereum blockchain, making it better suited to business applications, according to the founding companies.

Members of the 30-strong group also include Accenture, Banco Santander, Credit Suisse Group and shedloads of other bankers and financial groups. The EEA joins a growing list of joint initiatives by large companies aiming to take advantage of blockchain, a shared digital record of transactions that is maintained by a network of computers rather than a centralised authority.

Companies in a wide range of industries are hoping that it can help them streamline some of their processes, such as the clearing and settling of financial securities.

Ethereum, a type of blockchain that can be used to develop decentralised applications, was invented by 23-year-old programmer Vitalik Buterin. Several banks have already adapted Ethereum to develop and test blockchain trading applications.

Alex Batlin, global blockchain lead at BNY Mellon, one of the companies on the EEA board, said over the past few years banks and other enterprises have increased collaboration with the Ethereum development community, facilitating the creation of the EEA.

The EEA will collaborate with the non-profit foundation that promotes the development of Ethereum, the companies said.