×
Open Source

GitHub Warns Java Developers of New Malware Poisoning NetBeans Projects (zdnet.com) 45

GitHub issued a security alert Thursday warning about new malware spreading on its site via boobytrapped Java projects, ZDNet reports: The malware, which GitHub's security team has named Octopus Scanner, has been found in projects managed using the Apache NetBeans IDE (integrated development environment), a tool used to write and compile Java applications. GitHub said it found 26 repositories uploaded on its site that contained the Octopus Scanner malware, following a tip it received from a security researcher on March 9.
But the article adds GitHub "believes that many more projects have been infected during the past two years." GitHub says that when other users would download any of the 26 projects, the malware would behave like a self-spreading virus and infect their local computers. It would scan the victim's workstation for a local NetBeans IDE installation, and proceed to burrow into the developer's other Java projects. The malware, which can run on Windows, macOS, and Linux, would then download a remote access trojan (RAT) as the final step of its infection, allowing the Octopus Scanner operator to rummage through an infected victim's computer, looking for sensitive information.

GitHub says the Octopus Scanner campaign has been going on for years, with the oldest sample of the malware being uploaded on the VirusTotal web scanner in August 2018, time during which the malware operated unimpeded.

Security

Ghostcat Bug Impacts All Apache Tomcat Versions Released in the Last 13 Years (zdnet.com) 45

Apache Tomcat servers released in the last 13 years are vulnerable to a bug named Ghostcat that can allow hackers to take over unpatched systems. From a report: Discovered by Chinese cybersecurity firm Chaitin Tech, Ghostcat is a flaw in the Tomcat AJP protocol. AJP stands for Apache JServ Protocol and is a performance-optimized version of the HTTP protocol in binary format. Tomcat uses AJP to exchange data with nearby Apache HTTPD web servers or other Tomcat instances. Tomcat's AJP connector is enabled by default on all Tomcat servers and listens on the server's port 8009. Chaitin researchers say they discovered a bug in AJP that can be exploited to either read or write files to a Tomcat server.
Cloud

Ask Slashdot: Is Dockerization a Fad? 252

Long-time Slashdot reader Qbertino is your typical Linux/Apache/MySQL/PHP (LAMP) developer, and writes that "in recent years Docker has been the hottest thing since sliced bread." You are expected to "dockerize" your setups and be able to launch a whole string of processes to boot up various containers with databases and your primary PHP monolith with the launch of a single script. All fine and dandy this far.

However, I can't shake the notion that much of this -- especially in the context of LAMP -- seems overkill. If Apache, MariaDB/MySQL and PHP are running, getting your project or multiple projects to run is trivial. The benefits of having Docker seem negilible, especially having each project lug its own setup along. Yes, you can have your entire compiler and Continuous Integration stack with SASS, Gulp, Babel, Webpack and whatnot in one neat bundle, but that doesn't seem to dimish the usual problems with the recent bloat in frontend tooling, to the contrary....

But shouldn't tooling be standardised anyway? And shouldn't Docker then just be an option, who couldn't be bothered to have (L)AMP on their bare metal? I'm still skeptical of this Dockerization fad. I get it makes sense if you need to scale microsevices easy and fast in production, but for 'traditional' development and traditional setups, it just doesn't seem to fit all that well.

What are your experiences with using Docker in a development environment? Is Dockerization a fad or something really useful? And should I put up with the effort to make Docker a standard for my development and deployment setups?

The original submission ends with "Educated Slashdot opinions requested." So leave your best answers in the comments.

Is Dockerization a fad?
Open Source

Databricks Open-Sources Delta Lake To Make Delta Lakes More Reliable (techcrunch.com) 15

Databricks, the company founded by the original developers of the Apache Spark big data analytics engine, today announced that it has open-sourced Delta Lake, a storage layer that makes it easier to ensure data integrity as new data flows into an enterprise's data lake by bringing ACID transactions to these vast data repositories. TechCrunch reports: Delta Lake, which has long been a proprietary part of Databrick's offering, is already in production use by companies like Viacom, Edmunds, Riot Games and McGraw Hill. The tool provides the ability to enforce specific schemas (which can be changed as necessary), to create snapshots and to ingest streaming data or backfill the lake as a batch job. Delta Lake also uses the Spark engine to handle the metadata of the data lake (which by itself is often a big data problem). Over time, Databricks also plans to add an audit trail, among other things.

What's important to note here is that Delta lake runs on top of existing data lakes and is compatible with the Apache spark APIs. The company is still looking at how the project will be governed in the future. "We are still exploring different models of open source project governance, but the GitHub model is well understood and presents a good trade-off between the ability to accept contributions and governance overhead," said Ali Ghodsi, co-founder and CEO at Databricks. "One thing we know for sure is we want to foster a vibrant community, as we see this as a critical piece of technology for increasing data reliability on data lakes. This is why we chose to go with a permissive open source license model: Apache License v2, same license that Apache Spark uses." To invite this community, Databricks plans to take outside contributions, just like the Spark project.

Security

Apache Web Server Bug Grants Root Access On Shared Hosting Environments (zdnet.com) 85

An anonymous reader quotes a report from ZDNet: This week, the Apache Software Foundation has patched a severe vulnerability in the Apache (httpd) web server project that could --under certain circumstances-- allow rogue server scripts to execute code with root privileges and take over the underlying server. The vulnerability, tracked as CVE-2019-0211, affects Apache web server releases for Unix systems only, from 2.4.17 to 2.4.38, and was fixed this week with the release of version 2.4.39. According to the Apache team, less-privileged Apache child processes (such as CGI scripts) can execute malicious code with the privileges of the parent process. Because on most Unix systems Apache httpd runs under the root user, any threat actor who has planted a malicious CGI script on an Apache server can use CVE-2019-0211 to take over the underlying system running the Apache httpd process, and inherently control the entire machine.

"First of all, it is a LOCAL vulnerability, which means you need to have some kind of access to the server," Charles Fol, the security researcher who discovered this vulnerability told ZDNet in an interview yesterday. This means that attackers either have to register accounts with shared hosting providers or compromise existing accounts. Once this happens, the attacker only needs to upload a malicious CGI script through their rented/compromised server's control panel to take control of the hosting provider's server to plant malware or steal data from other customers who have data stored on the same machine. "The web hoster has total access to the server through the 'root' account. If one of the users successfully exploits the vulnerability I reported, he/she will get full access to the server, just like the web hoster," Fol said. "This implies read/write/delete any file/database of the other clients."

Open Source

Apache OpenOffice, the Schrodinger's Application: No One Knows If It's Dead or Alive, No One Really Wants To Look Inside (theregister.co.uk) 98

British IT news outlet The Register looks at the myriad of challenges Apache OpenOffice faces today. From the report: Last year Brett Porter, then chairman of the Apache Software Foundation, contemplated whether a proposed official blog post on the state of Apache OpenOffice (AOO) might discourage people from downloading the software due to lack of activity in the project. No such post from the software's developers surfaced. The languid pace of development at AOO, though, has been an issue since 2011 after Oracle (then patron of the project) got into a fork-fight with The Document Foundation, which created LibreOffice from the OpenOffice codebase, and asked developers backing the split to resign.

Back in 2015, Red Hat developer Christian Schaller called OpenOffice "all but dead." Assertions to that effect have continued since, alongside claims to the contrary. Almost a year ago, Jim Jagielski, a member of the Apache OpenOffice Project Management Committee, insisted things were going well and claimed there was renewed interest in the project. For all the concern about AOO, no issues have been raised recently before the Apache Foundation board to suggest ongoing difficulties. The project is due to provide an update this month, according to a spokesperson for the foundation.

Open Source

What Happens to Open Source Code After Its Developer Dies? (wired.com) 78

An anonymous reader writes: The late Jim Weirich "was a seminal member of the western world's Ruby community," according to Ruby developer Justin Searls, who at the age of 30 took over Weirich's tools (which are used by huge sites like Hulu, Kickstarter, and Twitter). Soon Searls made a will and a succession plan for his own open-source projects. Wired calls succession "a growing concern in the open-source software community," noting developers have another option: transferring their copyrights to an open source group (for example, the Apache Foundation).

Most package-management systems have "at least an ad-hoc process for transferring control over a library," according to Wired, but they also note that "that usually depends on someone noticing that a project has been orphaned and then volunteering to adopt it." Evan Phoenix of the Ruby Gems project acknowledges that "We don't have an official policy mostly because it hasn't come up all that often. We do have an adviser council that is used to decide these types of things case by case." Searls suggests GitHub and package managers like Ruby Gems add a "dead man's switch" to their platform, which would allow programmers to automatically transfer ownership of a project or an account to someone else if the creator doesn't log in or make changes after a set period of time.

Wired also spoke to Michael Droettboom, who took over the Python library Matplotlib after John Hunter died in 2012. He points out that "Sometimes there are parts of the code that only one person understands," stressing the need for developers to also understand the code they're inheriting.
Security

Former Equifax CEO Blames Breach On One Individual Who Failed To Deploy Patch (techcrunch.com) 255

Equifax's recently departed CEO is blaming the largest data breach in history on a single person who failed to deploy a patch. TechCrunch reports: Hackers exposed the Social Security numbers, drivers licenses and other sensitive info of 143 million Americans earlier this summer by exploiting a vulnerability in Apache's Struts software, according to testimony heard today from former CEO Richard Smith. However, a patch for that vulnerability had been available for months before the breach occurred. Now several top Equifax execs are being taken to task for failing to protect the information of millions of U.S. citizens. In a live stream before the Digital Commerce and Consumer Protection subcommittee of the House Energy and Commerce committee, Smith testified the Struts vulnerability had been discussed when it was first announced by CERT on March 8th.

Smith said when he started with Equifax 12 years ago there was no one in cybersecurity. The company has poured a quarter of a billion dollars into cybersecurity in the last three years and today boasts a 225 person team. However, Smith had an interesting explainer for how this easy fix slipped by 225 people's notice -- one person didn't do their job. "The human error was that the individual who's responsible for communicating in the organization to apply the patch, did not," Smith, who did not name this individual, told the committee.

Open Source

Best Open Source Software Identified By InfoWorld Listicles (infoworld.com) 63

An anonymous reader writes: InfoWorld announced the winners of this year's "Best of Open Source Software Awards" -- honoring 68 different projects, spread across five categories. Besides the 15 best software development tools, they also recognized the best cloud computing software, machine learning tools, and networking and security software (as well as the best databases and analytics tools).

"Open source software isn't what it used to be," writes Doug Dineley, the site's executive editor. "The term used to conjure images of the lone developer, working into the night and through weekends, banging out line after line of code to scratch a personal itch or realize a personal vision... But as you wend your way through our Bossie winners, you're bound to be struck by the number of projects with heavyweight engineering resources behind them... Elsewhere in the open source landscape, valuable engineering resources come together in a different way -- through the shared interest of commercial software vendors."

More than 10% of the awards went to the Apache Software Foundation -- 7 of the 68 -- though I was surprised to see that five of the best software development tools are languages -- specifically Kotlin, Go, Rust, Clojure, and Typescript. Two more of the best open source software development tools were Microsoft products -- .Net Core and Visual Studio Code. And in the same category was OpenRemote a home automation platform, as well as Ethereum, which "smells and tastes like an open source project that is solving problems and serving developers."

Bug

Equifax CSO 'Retires'. Known Bug Was Left Unpatched For Nearly Five Months (marketwatch.com) 196

phalse phace quotes MarketWatch: Following on the heels of a story that revealed that Equifax hired a music major with no education related to technology or security as its Chief Security Officer, Equifax announced on Friday afternoon that Chief Security Officer Susan Mauldin has quit the company along with Chief Information Officer David Webb.

Chief Information Officer David Webb and Chief Security Officer Susan Mauldin retired immediately, Equifax said in a news release that did not mention either of those executives by name. Mark Rohrwasser, who had been leading Equifax's international information-technology operations since 2016, will replace Webb and Russ Ayres, a member of Equifax's IT operation, will replace Mauldin.

The company revealed Thursday that the attackers exploited Apache Struts bug CVE-2017-5638 -- "identified and disclosed by U.S. CERT in early March 2017" -- and that they believed the unauthorized access happened from May 13 through July 30, 2017.

Thus, MarketWatch reports, Equifax "admitted that the security hole that attackers used was known in March, about two months before the company believes the breach began." And even then, Equifax didn't notice (and remove the affected web applications) until July 30.
Open Source

Equifax Blames Open-Source Software For Its Record-Breaking Security Breach (zdnet.com) 283

The blame for the record-breaking cybersecurity breach that affects at least 143 million people falls on the open-source server framework, Apache Struts, according to an unsubstantiated report by equity research firm Baird. The firm's source, per one report, is believed to be Equifax. ZDNet reports: Apache Struts is a popular open-source software programming Model-View-Controller (MVC) framework for Java. It is not, as some headlines have had it, a vendor software program. It's also not proven that Struts was the source of the hole the hackers drove through. In fact, several headlines -- some of which have since been retracted -- all source a single quote by a non-technical analyst from an Equifax source. Not only is that troubling journalistically, it's problematic from a technical point of view. In case you haven't noticed, Equifax appears to be utterly and completely clueless about their own technology. Equifax's own data breach detector isn't just useless: it's untrustworthy. Adding insult to injury, the credit agency's advice and support site looks, at first glance, to be a bogus, phishing-type site: "equifaxsecurity2017.com." That domain name screams fake. And what does it ask for if you go there? The last six figures of your social security number and last name. In other words, exactly the kind of information a hacker might ask for. Equifax's technical expertise, it has been shown, is less than acceptable. Could the root cause of the hack be a Struts security hole? Two days before the Equifax breach was reported, ZDNet reported a new and significant Struts security problem. While many jumped on this as the security hole, Equifax admitted hackers had broken in between mid-May through July, long before the most recent Struts flaw was revealed. "It's possible that the hackers found the hole on their own, but zero-day exploits aren't that common," reports ZDNet. "It's far more likely that -- if the problem was indeed with Struts -- it was with a separate but equally serious security problem in Struts, first patched in March." The question then becomes: is it the fault of Struts developers or Equifax's developers, system admins, and their management? "The people who ran the code with a known 'total compromise of system integrity' should get the blame," reports ZDNet.
Bug

A Critical Apache Struts Security Flaw Makes It 'Easy' To Hack Fortune 100 Firms (zdnet.com) 42

An anonymous reader quotes a report from ZDNet: A critical security vulnerability in open-source server software enables hackers to easily take control of an affected server -- putting sensitive corporate data at risk. The vulnerability allows an attacker to remotely run code on servers that run applications using the REST plugin, built with Apache Struts, according to security researchers who discovered the vulnerability. All versions of Struts since 2008 are affected, said the researchers. Apache Struts is used across the Fortune 100 to provide web applications in Java, and it powers front- and back-end applications. Man Yue Mo, a security researcher at LGTM, who led the effort that led to the bug's discovery, said that Struts is used in many publicly accessible web applications, such as airline booking and internet banking systems. Mo said that all a hacker needs "is a web browser." "I can't stress enough how incredibly easy this is to exploit," said Bas van Schaik, product manager at Semmle, a company whose analytical software was used to discover the vulnerability. The report notes that "a source code fix was released some weeks prior, and Apache released a full patch on Tuesday to fix the vulnerability." It's now a waiting game for companies to patch their systems.
Facebook

Facebook Petitioned To Change License For ReactJS (github.com) 43

mpol writes: The Apache Software Foundation issued a notice last weekend indicating that it has added Facebook's BSD+Patents [ROCKSDB] license to its Category X list of disallowed licenses for Apache Project Management Committee members. This is the license that Facebook uses for most of its open source projects. The RocksDB software project from Facebook already changed its license to a dual Apache 2 and GPL 2. Users are now petitioning on GitHub to have Facebook change the license of React.JS as well.

React.JS is a well-known and often used JavaScript Framework for frontend development. It is licensed as BSD + Patents. If you use React.JS and agreed to its license, and you decide to sue Facebook for patent issues, you are no longer allowed to use React.JS or any Facebook software released under this license.

Cloud

Apache Hadoop Has Failed Us, Tech Experts Say (datanami.com) 150

It was the first widely-adopted open source distributed computing platform. But some geeks running it are telling Datanami that Hadoop "is great if you're a data scientist who knows how to code in MapReduce or Pig...but as you go higher up the stack, the abstraction layers have mostly failed to deliver on the promise of enabling business analysts to get at the data." Slashdot reader atcclears shares their report: "I can't find a happy Hadoop customer. It's sort of as simple as that," says Bob Muglia, CEO of Snowflake Computing, which develops and runs a cloud-based relational data warehouse offering. "It's very clear to me, technologically, that it's not the technology base the world will be built on going forward"... [T]hanks to better mousetraps like S3 (for storage) and Spark (for processing), Hadoop will be relegated to niche and legacy statuses going forward, Muglia says. "The number of customers who have actually successfully tamed Hadoop is probably less than 20 and it might be less than 10..."

One of the companies that supposedly tamed Hadoop is Facebook...but according to Bobby Johnson, who helped run Facebook's Hadoop cluster before co-founding behavioral analytics company Interana, the fact that Hadoop is still around is a "historical glitch. That may be a little strong," Johnson says. "But there's a bunch of things that people have been trying to do with it for a long time that it's just not well suited for." Hadoop's strengths lie in serving as a cheap storage repository and for processing ETL batch workloads, Johnson says. But it's ill-suited for running interactive, user-facing applications... "After years of banging our heads against it at Facebook, it was never great at it," he says. "It's really hard to dig into and actually get real answers from... You really have to understand how this thing works to get what you want."

Johnson recommends Apache Kafka instead for big data applications, arguing "there's a pipe of data and anything that wants to do something useful with it can tap into that thing. That feels like a better unifying principal..." And the creator of Kafka -- who ran Hadoop clusters at LinkedIn -- calls Hadoop "just a very complicated stack to build on."
Security

Apache Servers Under Attack Through Easily Exploitable Struts 2 Flaw (helpnetsecurity.com) 63

Orome1 quotes a report from Help Net Security: A critical vulnerability in Apache Struts 2 is being actively and heavily exploited, even though the patch for it has been released on Monday. The vulnerability (CVE-2017-5638) affects the Jakarta file upload Multipart parser in Apache Struts 2. It allows attackers to include code in the "Content-Type" header of an HTTP request, so that it is executed by the web server. Almost concurrently with the release of the security update that plugs the hole, a Metasploit module for targeting it has been made available. Unfortunately, the vulnerability can be easily exploited as it requires no authentication, and two very reliable exploits have already been published online. Also, vulnerable servers are easy to discover through simple web scanning. "Struts 2 is a Java framework that is commonly used by Java-based web applications," reports SANS ISC in their blog. "It is also known as 'Jakarta Struts' and 'Apache Struts.' The Apache project currently maintains Struts." Cisco Talos also has a blog detailing the attack.
Security

Apache Subversion Fails SHA-1 Collision Test, Exploit Moves Into The Wild (arstechnica.com) 167

WebKit's bug-tracker now includes a comment from Friday noting "the bots all are red" on their git-svn mirror site, reporting an error message about a checksum mismatch for shattered-2.pdf. "In some cases, due to the corruption, further commits are blocked," reports the official "Shattered" web site. Slashdot reader Artem Tashkinov explains its significance: A WebKit developer who tried to upload "bad" PDF files generated from the first successful SHA-1 attack broke WebKit's SVN repository because Subversion uses SHA-1 hash to differentiate commits. The reason to upload the files was to create a test for checking cache poisoning in WebKit.

Another news story is that based on the theoretical incomplete description of the SHA-1 collision attack published by Google just two days ago, people have managed to recreate the attack in practice and now you can download a Python script which can create a new PDF file with the same SHA-1 hashsum using your input PDF. The attack is also implemented as a website which can prepare two PDF files with different JPEG images which will result in the same hash sum.

Open Source

How Open Sourcing Made Apache Kafka A Dominant Streaming Platform (techrepublic.com) 48

Open sourced in 2010, the Apache Kafka distributed streaming platform is now used at more than a third of Fortune 500 companies (as well as seven of the world's top 10 banks). An anonymous reader writes: Co-creator Neha Narkhede says "We saw the need for a distributed architecture with microservices that we could scale quickly and robustly. The legacy systems couldn't help us anymore." In a new interview with TechRepublic, Narkhede explains that while working at LinkedIn, "We had the vision of building the entire company's business logic as stream processors that express transformations on streams of data... [T]hough Kafka started off as a very scalable messaging system, it grew to complete our vision of being a distributed streaming platform."

Narkhede became the CTO and co-founder of Confluent, which supports enterprise installations of Kafka, and now says that being open source "helps you build a pipeline for your product and reduce the cost of sales... [T]he developer is the new decision maker. If the product experience is tailored to ensure that the developers are successful and the technology plays a critical role in your business, you have the foundational pieces of building a growing and profitable business around an open-source technology... Kafka is used as the source-of-truth pipeline carrying critical data that businesses rely on for real-time decision-making."

Security

Pwn2Own 2017 Offers Big Bounties For Linux, Browser, and Apache Exploits (eweek.com) 56

Now that TrendMicro owns TippingPoint, there'll be "more targets and more prize money" according to eWeek, and something special for Pwn2Own's 10th anniversary in March. Slashdot reader darthcamaro writes: For the first time in its ten-year history, the annual Pwn2Own hacking competition is taking direct aim at Linux. Pwn2Own in the past has typically focused mostly on web browsers, running on Windows and macOS. There is a $15,000 reward for security researchers that are able to get a local user kernel exploit on Ubuntu 16.10. The bigger prize though is a massive $200,000 award for exploiting Apache Web Server running on Ubuntu.
"We are nine weeks away," TrendMicro posted Wednesday, pointing out that they're giving out over $1 million in bounties, including the following:
  • $100,000 for escaping a virtualization hypervisor
  • $80,000 for a Microsoft Edge or Google Chrome exploit
  • $50,000 for an exploit of Adobe Reader, Microsoft Word, Excel or PowerPoint
  • $50,000 for an Apple Safari exploit
  • $30,000 for a Firefox exploit
  • $30,000, $20,000 and $15,000 for privilege-escalating kernel vulnerabilities on Windows, macOS and Linux (respectively)
  • $200,000 for an Apache Web Server exploit

Oracle

Will Oracle Surrender NetBeans to Apache? (infoworld.com) 69

An anonymous Slashdot reader quotes InfoWorld: Venerable open source Java IDE NetBeans would move from Oracle's jurisdiction to the Apache Software Foundation under a proposal... endorsed by Java founder James Gosling, a longtime fan of the IDE. Moving NetBeans to a neutral venue like Apache, with its strong governance model, would help the project attract more contributions from various organizations, according to the proposal posted in the Apache wiki.

"Large companies are using NetBeans as an application framework to build internal or commercial applications and are much more likely to contribute to it once it moves to neutral Apache ground," the proposal says. While Oracle will relinquish its control over NetBeans under the proposal, individual contributors from Oracle are expected to continue contributing to the project.

On Facebook, Gosling posted the proposal meant "folks like me can more easily contribute to our favorite IDE. The finest IDE in existence will be getting even better, faster!" InfoWorld reports that when aked if Oracle had neglected NetBeans, Gosling said, "Oracle didn't single out NetBeans for neglect, they neglect everything... I'm thrilled that the NetBeans community will now be able to chart its own course."
Open Source

Is Apache OpenOffice Finally On the Way Out? (apache.org) 137

Reader JImbob0i0 writes: After almost another year without a release and another major CVE leaving users vulnerable for that year the Chairman of the Project Management Committee has started public discussions on what it will entail to retire the project, following the Apache Board showing concern at the poor showing.
It's been a long battle which would have been avoided if Oracle had not been so petty. Did this behaviour actually help get momentum in the community underway though? What ifs are always hard to properly answer. Hopefully this long drawn out death rattle will finally come to a close and the wounds with LibreOffice can heal with the last few contributors to AOO joining the rest of the community.

EU

EU To Give Free Security Audits To Apache HTTP Server and Keepass (softpedia.com) 67

An anonymous reader writes: The European Commission announced on Wednesday that its IT engineers would provide a free security audit for the Apache HTTP Server and KeePass projects. The two projects were selected following a public survey that included several open-source projects deemed important for both the EU agencies and the wide public.

The actual security audit will be carried out by employees of the IT departments at the European Commission and the European Parliament. This is only a test pilot program that's funded until the end of the year, but the EU said it would be looking for funding to continue it past its expiration date in December 2016.

Open Source

Data Center Management Darling Mesosphere Embraces Open Source (fiercecio.com) 19

An anonymous reader writes: Cloud computing startup Mesosphere has opted to open-source its data center management platform. This move is backed by Microsoft, Hewlett-Packard Enterprise, Cisco Systems and roughly 60 other tech partners. The three-year-old San Francisco company's datacenter operating system (DCOS) was built as an operating system for all services in a data center to function as one pool of resources. Capabilities include the quick, app store-like installation of more than 20 complex distributed systems, including HDFS, Apache Spark, Apache Kafka and Apache Cassandra, Mesosphere said in an announcement. Although some of the company's technologies were already available as open source, others were propriety until now. Mesosphere said it welcomes additional enterprises interested in partnering on this open source project.Wired has more details on this in its slightly enthusiastic report titled You want to build an empire like Google's? This is your OS.
Java

Apache PDFBox Hits 2.0 (sdtimes.com) 34

mmoorebz writes: After three years of development and with over 150 contributors to the code, Apache PDFBox 2.0 has been released. With this release comes enhancements and improvements. The Apache PDFBox library is an open-source Java tool for working with PDF documents. The project allows creation and manipulation of PDF documents, and the ability to extract content from them. Support for forms in open-source PDF viewers is currently disappointing, and I hope this heralds improvement on that front.
Bug

Sensitive Information Can Be Revealed From Tor Hidden Services On Apache (dailydot.com) 37

Patrick O'Neill writes: A common configuration mistake in Apache, the most popular Web server software in the world, can allow anyone to look behind the curtains on a hidden server to see everything from total traffic to active HTTP requests. When an hidden service reveals the HTTP requests, it's revealing every file—a Web page, picture, movie, .zip, anything at all—that's fetched by the server. Tor's developers were aware of the issue as early as last year but decided against sending out an advisory. The problem is common enough that even Tor's own developers have made the exact same mistake. Until October 2015, the machine that welcomed new users to the Tor network and checked if they were running up-to-date software allowed anyone to look at total traffic and watch all the requests.
GNU is Not Unix

Remix OS in Violation of GPL and Apache Licenses (tlhp.cf) 180

An anonymous reader writes: You may have heard recently of the Remix OS, a fork of Android that targets desktop computing. The operating system, which was created by former Google employees and features a traditional desktop layout in addition to the ability to run Android apps, was previewed on Ars Technica a few weeks ago, but it was not actually released for end-users to download until earlier this week. Now that Remix OS has been released, The Linux Homefront Project is reporting that the Android-based operating system, for which source code is not readily available, violates both the GPL and the Apache License. The RemixOS installer includes a "Remix OS USB Tool" that is really a re-branded copy of popular disk imaging tool UNetbootin, which falls under the GPL. Additionally, browsing through the install image files reveals that the operating system is based on the Apache Licensed Android-x86 project. From the article: "Output is absolutely clear – no differences! No authors, no changed files, no trademarks, just copy-paste development." Is this a blatant disregard for the GPL and Apache licenses by an optimistic startup, or were the authors too eager to release that they forgot to provide access to the repo?
Businesses

Is Big Data Leaving Hadoop Behind? 100

knightsirius writes: Big Data was seen as one the next big drivers of computing economy, and Hadoop was seen as a key component of the plans. However, Hadoop has had a less than stellar six months, beginning with the lackluster Hortonworks IPO last December and the security concerns raised by some analysts.. Another survey records only a quarter of big data decision makers actively considering Hadoop. With rival Apache Spark on the rise, is Hadoop being bypassed in big data solutions?
Programming

Ask Slashdot: Is There a Web Development Linux Distro? 136

Qbertino writes I've been a linux user for more than 15 years now and in the last ten I've done basically all my non-trivial web development on Linux. SuSE in the early days, after that either Debian or, more recently, Ubuntu, if I want something to click on. What really bugs me is, that every time I make a new setup, either as a virtual machine, on concrete hardware or a remote host, I go through 1-2 hours of getting the basics of a web-centric system up and running. That includes setting PHP config options to usable things, setting up vhosts on Apache (always an adventure), configging mod_rewrite, installing extra CLI stuff like Emacs (yeah, I'm from that camp) walking through the basic 10-15 steps of setting up MySQL or some other DB, etc. ... You get the picture.

What has me wondering is this: Since Linux is deeply entrenched in the field of server-side web, with LAMP being it's powerhouse, I was wondering if there aren't any distros that cover exactly this sort of thing. You know, automatic allocation of memory in the runtime settings, ready-made Apache http/https/sftp/ftp setup, PHP all ready to go, etc. What are your experiences and is there something that covers this? Would you think there's a need for this sort of thing and would you base it of Debian or something else? If you do web-dev, how do you do it? Prepareted scripts for setup? Anything else? ... Ideas, unkown LAMP distros and opinions please."
Programming

Meet Flink, the Apache Software Foundation's Newest Top-Level Project 34

Open source data-processing language Flink, after just nine months' incubation with the Apache Software Foundation, has been elevated to top-level status, joining other ASF projects like OpenOffice and CloudStack. An anonymous reader writes The data-processing engine, which offers APIs in Java and Scala as well as specialized APIs for graph processing, is presented as an alternative to Hadoop's MapReduce component with its own runtime. Yet the system still provides access to Hadoop's distributed file system and YARN resource manager. The open-source community around Flink has steadily grown since the project's inception at the Technical University of Berlin in 2009. Now at version 0.7.0, Flink lists more than 70 contributors and sponsors, including representatives from Hortonworks, Spotify and Data Artisans (a German startup devoted primarily to the development of Flink). (For more about ASF incubation, and what the Foundation's stewardship means, see our interview from last summer with ASF executive VP Rich Bowen.)
Books

Book Review: Scaling Apache Solr 42

First time accepted submitter sobczakt writes We live in a world flooded by data and information and all realize that if we can't find what we're looking for (e.g. a specific document), there's no benefit from all these data stores. When your data sets become enormous or your systems need to process thousands of messages a second, you need to an environment that is efficient, tunable and ready for scaling. We all need well-designed search technology. A few days ago, a book called Scaling Apache Solr landed on my desk. The author, Hrishikesh Vijay Karambelkar, has written an extremely useful guide to one of the most popular open-source search platforms, Apache Solr. Solr is a full-text, standalone, Java search engine based on Lucene, another successful Apache project. For people working with Solr, like myself, this book should be on their Christmas shopping list. It's one of the best on this subject. Read below for the rest of sobczakt's review.
Open Source

Video Meet Apache Software Foundation VP Rich Bowen (Video) 14

Apache is behind a huge percentage of the world's websites, and the Apache Software Foundation is the umbrella organization that provides licensing and stucture for open source projects ranging from the Apache Web server to Apache OpenOffice to small utilities that aren't household names but are often important to a surprising number of people and companies. Most of us never get to meet the people behind groups like the Apache Software Foundation -- except today we tag along with Tim Lord at OSCON and chat with Apache Software Foundation Executive Vice President Rich Bowen -- who is also Red Hat's OpenStack Community Liason. (Alternate Video Link) Update: 07/30 22:23 GMT by T : Note that Bowen formerly served as Slashdot sister site SourceForge's Community Manager, too.
Android

Old Apache Code At Root of Android FakeID Mess 127

chicksdaddy writes: A four-year-old vulnerability in an open source component that is a critical part of Android leaves hundreds of millions of mobile devices susceptible to silent malware infections. The vulnerability affects devices running Android versions 2.1 to 4.4 ("KitKat"), according to a statement released by Bluebox. The vulnerability was found in a package installer in affected versions of Android. The installer doesn't attempt to determine the authenticity of certificate chains that are used to vouch for new digital identity certificates. In short, Bluebox writes, "an identity can claim to be issued by another identity, and the Android cryptographic code will not verify the claim."

The security implications of this are vast. Malicious actors could create a malicious mobile application with a digital identity certificate that claims to be issued by Adobe Systems. Once installed, vulnerable versions of Android will treat the application as if it was actually signed by Adobe and give it access to local resources, like the special webview plugin privilege, that can be used to sidestep security controls and virtual 'sandbox' environments that keep malicious programs from accessing sensitive data and other applications running on the Android device. The flaw appears to have been introduced to Android through an open source component, Apache Harmony. Google turned to Harmony as an alternative means of supporting Java in the absence of a deal with Oracle to license Java directly.

Work on Harmony was discontinued in November, 2011. However, Google has continued using native Android libraries that are based on Harmony code. The vulnerability concerning certificate validation in the package installer module persisted even as the two codebases diverged.
The Internet

Netcraft: Microsoft Closing In On Apache Web Server Lead 102

angry tapir sends this IDG report: "After almost two decades of trailing the market leader, Microsoft's Web server software is coming close to rivaling the dominance of the Apache Web server, according to the latest Netcraft survey of Internet infrastructure. May saw an additional 9 million sites using Microsoft Web server software, increasing the company's share of the Web by 0.37 percent. In the same period, Apache's market share fell by 0.18 percent, despite gaining an additional 4.3 million sites. Microsoft is now just 4.1 percentage points behind Apache, which, as the most popular Web server software on the Internet, now powers about 37.6 percent of all sites."
Security

Apache Struts Zero Day Not Fixed By Patch 15

Trailrunner7 (1100399) writes "The Apache Software Foundation released an advisory warning that a patch issued in March for a zero-day vulnerability in Apache Struts did not fully patch the bug in question. Officials said a new patch is in development and will be released likely within the next 72 hours, said Rene Gielen of the Apache Struts team. On March 2, a patch was made available for a ClassLoader vulnerability in Struts up to version 2.3.16.1. An attacker would be able to manipulate the ClassLoader via request parameters. Apache said the fix was insufficient to repair the vulnerability."
Open Source

Apache OpenOffice Reaches 100 Million Downloads. Now What? 285

We're thankfully long past the days when an emailed Word document was useless without a copy of Microsoft Word, and that's in large part thanks to the success of the OpenOffice family of word processors. "Family," because the OpenOffice name has been attached to several branches of a codebase that's gone through some serious evolution over the years, starting from its roots in closed-source StarOffice, acquired and open-sourced by Sun to become OpenOffice.org. The same software has led (via some hamfisted moves by Oracle after its acquisition of Sun) to the also-excellent LibreOffice. OpenOffice.org's direct descendant is Apache OpenOffice, and an anonymous reader writes with this excellent news from that project: "The Apache Software Foundation (ASF), the all-volunteer developers, stewards, and incubators of more than 170 Open Source projects and initiatives, announced today that Apache OpenOffice has been downloaded 100 million times. Over 100 million downloads, over 750 extensions, over 2,800 templates. But what does the community at Apache need to do to get the next 100 million?" If you want to play along, you can get the latest version of OpenOffice from SourceForge (Slashdot's corporate cousin). I wonder how many government offices -- the U.S. Federal government has long been Microsoft's biggest customer -- couldn't get along just fine with an open source word processor, even considering all the proprietary-format documents they're stuck with for now.
Programming

Subversion Project Migrates To Git 162

New submitter gitficionado (3600283) writes "The Apache Subversion project has begun migrating its source code from the ASF Subversion repo to git. Last week, the Subversion PMC (project management committee) voted to migrate, and the migration has already begun. Although there was strong opposition to the move from the older and more conservative SVN devs, and reportedly a lot of grumbling and ranting when the vote was tallied, a member of the PMC (who asked to remain anonymous) told the author that 'this [migration] will finally let us get rid of the current broken design to a decentralized source control model [and we'll get] merge and rename done right after all this time.'" Source for the new git backend.
Open Source

Spark Advances From Apache Incubator To Top-Level Project 24

rjmarvin writes "The Apache Software Foundation announced that Spark, the open-source cluster-computing framework for Big Data analysis has graduated from the Apache Incubator to a top-level project. A project management committee will guide the project's day-to-day operations, and Databricks cofounder Matei Zaharia will be appointed VP of Apache Spark. Spark runs programs 100x faster than Apache Hadoop MapReduce in memory, and it provides APIs that enable developers to rapidly develop applications in Java, Python or Scala, according to the ASF."
Stats

Will Microsoft IIS Overtake Apache? 303

First time accepted submitter jcdr writes "February's 2014 Web Server Survey by Netcraft shows a massive increase [in the share of] Microsoft's web server since 2013. Microsoft's market share is now only 5.4 percentage points lower than Apache's, which is the closest it has ever been. If recent trends continue, Microsoft could overtake Apache within the next few months, ending Apache's 17+ year reign as the most common web server."
Businesses

Has the Apache Software Foundation Lost Its Way? 126

snydeq writes "Complaints of stricture over structure, signs of technical prowess on the wane — the best days of the Apache Software Foundation may be behind, writes InfoWorld's Serdar Yegalulp. 'Since its inception, the Apache Software Foundation has had a profound impact in shaping the open source movement and the tech industry at large. ... But tensions within the ASF and grumbling throughout the open source community have called into question whether the Apache Way is well suited to sponsoring the development of open source projects in today's software world. Changing attitudes toward open source licensing, conflicts with the GPL, concerns about technical innovation under the Way, fallout from the foundation's handling of specific projects in recent years — the ASF may soon find itself passed over by the kinds of projects that have helped make it such a central fixture in open source, thanks in some measure to the way the new wave of bootstrapped, decentralized projects on GitHub don't require a foundation-like atmosphere to keep them vibrant or relevant.' Meanwhile, Andrew C. Oliver offers a personal perspective on his work with Apache, why he left, and how the foundation can revamp itself in the coming years: 'I could never regret my time at Apache. I owe it my career to some degree. It isn't how I would choose to develop software again, because my interests and my role in the world have changed. That said, I think the long-term health of the organization requires it get back to its ideals, open up its private lists, and let sunshine disinfect the interests. My poorly articulated reasons for leaving a long time ago stemmed from my inability to effect that change.'"
The Internet

Apache Web Server Share Falls Below 50 Percent For First Time Since 2009 303

darthcamaro writes "Apache has always dominated the web server landscape. But in August, its share has slipped below 50 percent for the first time in years. The winner isn't nginx either — it's Microsoft IIS that has picked up share. But don't worry, this isn't likely a repeat of the Netscape/IE battle of the late 90's, Apache is here to stay (right?)" The dip is mostly the result of GoDaddy switching to IIS from Apache. Which is to say GoDaddy hosts a whole lot of sites.
Open Source

Apache OpenOffice 4.0 Released With Major New Features 238

An anonymous reader writes "Still the most popular open source office suite, Apache OpenOffice 4 has been released, with many new enhancements and a new sidebar, based on IBM Symphony's implementation but with many improvements. The code still has comments in German but as long as real new features keep coming and can be shared with other office suites no one is complaining." The sidebar mentioned brings frequently used controls down and beside the actual area of a word-processing doc, say, which makes some sense given how wide many displays have become. This release comes with some major improvements to graphics handling, too; anti-aliasing makes for smoother bitmaps. In conjunction with this release, SourceForge (also under the Slashdot Media umbrella) has announced the launch of an extensions collection for OO. Extensions mean that Open Office can gain capabilities from outside contributors, rather than being wrapped up in large, all-or-nothing updates. You can download the latest version of Apache OpenOffice here.
Software

Subversion 1.8 Released But Will You Still Use Git? 378

darthcamaro writes "Remember back in the day when we all used CVS? Then we moved to SVN (subversion) but in the last three yrs or so everyone and their brother seems to have moved to Git, right? Well truth is Subversion is still going strong and just released version 1.8. While Git is still faster for some things, Greg Stein, the former chair of the Apache Software Foundation, figures SVN is better than Git at lots of things. From the article: '"With Subversion, you can have a 1T repository and check out just a small portion of it, The developers don't need full copies," Stein explained. "Git shops typically have many, smaller repositories, while svn shops typically have a single repository, which eases administration, backup, etc."'" Major new features of 1.8 include switching to a new metadata storage engine by default instead of using Berkeley DB, first-class renames (instead of the CVS-era holdover of deleting and recreating with a new name) which will make merges involving renamed files saner, and a slightly simplified branch merging interface.
Open Source

Why the 'Star Trek Computer' Will Be Open Source and Apache Licensed 129

psykocrime writes "The crazy kids at Fogbeam Labs have a new blog post positing that there is a trend towards advanced projects in NLP, Information Retrieval, Big Data and the Semantic Web moving to the Apache Software Foundation. Considering that Apache UIMA is a key component of IBM Watson, is it wrong to believe that the organization behind Hadoop, OpenNLP, Jena, Stanbol, Mahout and Lucene will ultimately be the home of a real 'Star Trek Computer'? Quoting: 'When we talk about how the Star Trek computer had “access to all the data in the known Universe”, what we really mean is that it had access to something like the Semantic Web and the Linked Data cloud. Jena provides a programmatic environment for RDF, RDFS and OWL, SPARQL and includes a rule-based inference engine. ... In addition to supporting the natural language interface with the system, OpenNLP is a powerful library for extracting meaning (semantics) from unstructured data - specifically textual data in an unstructured (or semi structured) format. An example of unstructured data would be the blog post, an article in the New York Times, or a Wikipedia article. OpenNLP combined with Jena and other technologies, allows “The computer” to “read” the Web, extracting meaningful data and saving valid assertions for later use.'" Speaking of the Star Trek computer, I'm continually disappointed that neither Siri nor Google Now can talk to me in Majel Barrett's voice.
Open Source

Apache OpenOffice Downloaded 50 Million Times In a Year 155

An anonymous reader writes with this quick bite from the H: "Just a few days after the one year anniversary of the release of the first version of OpenOffice from the Apache Foundation (Apache OpenOffice 3.4) on 8 May 2012, the project can now boast 50 million downloads of the Open Source office suite. 10 million of those downloads happened since the beginning of March. In contrast, LibreOffice claimed it had 15 million unique downloads of its office suite in all of 2012."
Security

Backdoor Targeting Apache Servers Spreads To Nginx, Lighttpd 136

An anonymous reader writes "Last week's revelation of the existence of Linux/Cdorked.A, a highly advanced and stealthy Apache backdoor used to drive traffic from legitimate compromised sites to malicious websites carrying Blackhole exploit packs, was only the beginning — ESET's continuing investigation has now revealed that the backdoor also infects sites running the nginx and Lighttpd webservers. Researchers have, so far, detected more than 400 webservers infected with the backdoor, and 50 of them are among the world's most popular and visited websites." Here's the researchers' original report.
Security

Sophisticated Apache Backdoor In the Wild 108

An anonymous reader writes "ESET researchers, together with web security firm Sucuri, have been analyzing a new threat affecting Apache webservers. The threat is a highly advanced and stealthy backdoor being used to drive traffic to malicious websites carrying Blackhole exploit packs. Researchers have named the backdoor Linux/Cdorked.A, and it is the most sophisticated Apache backdoor seen so far. The Linux/Cdorked.A backdoor does not leave traces on the hard-disk other than a modified 'httpd' file, the daemon (or service) used by Apache. All information related to the backdoor is stored in shared memory on the server, making detection difficult and hampering analysis."
Software

Apache Terminates Struts 1 61

twofishy writes "Struts 1, the venerable Java MVC Web framework, has reached End Of Life status, the Apache foundation has announced. In a sense, the move simply formalises what has already happened, as the Struts team have focused their efforts on version 2; the last release of Struts 1 was version 1.3.10 in December 2008. The change of status does mean however that, whilst the code and documentation will still be available, no further security patches or bug fixes will be issued."
Cloud

Apache CloudStack Becomes a Top-level Project 43

ke4qqq writes with an excerpt from an ASF press release: "The Apache Software Foundation (ASF), the all-volunteer developers, stewards, and incubators of nearly 150 Open Source projects and initiatives, today announced that Apache CloudStack has graduated from the Apache Incubator to become a Top-Level Project (TLP), signifying that the Project's community and products have been well-governed under the ASF's meritocratic process and principles."
Open Source

OpenOffice: Worth $21 Million Per Day, If It Were Microsoft Office 361

rbowen of SourceForge writes with an interesting way to look at the value of certain free software options: "Apache OpenOffice 3.4.1 has averaged 138,928 downloads per day. That is an average value to the public of $21 million per day, as calculated by savings over buying the competing product. Or $7.61 billion (7.61 thousand million) per year." (That works out to about $150 per copy of MS Office. There are some holes in the argument, but it holds true for everyone who but for a free office suite would have paid that much for Microsoft's. The numbers are even bigger if you toss in LibreOffice, too.)
Perl

Linux, Apache, Perl, X10, Webcams... and Christmas Lights 30

An anonymous reader writes "Clement Moore writes

'Twas the night before Christmas,
and while not a creature was stirring (not even an optical mouse),
/.'ers were posting & moderating with squeals of delight.
When out on the Internet there arose such a clatter,
I sprang from my keyboard to see what was the matter.
I knew in a moment it must be Alek's Controllable Christmas Lights Webcam.
But remembered in previous years it was a hoax - /. said damn.
And then, in a twinkling, I realize Alek has done it for real — W'OH!
With 20,000 lights plus giant inflatable Elmo, Frosty, Santa, SpongeBob, and Homer Simpson — D'OH!
The X10 controls and 3 live webcams provide such clarity,
that it has raised over $70,000 for Celiac charity.
'Merry Christmas to all, and to all a good night!'"
Android

Popular Android ROM Accused of GPL Violation 197

An anonymous reader writes "A petition has recently been started to get the developer of the popular Android 'MIUI' ROM, Chinese based Xiaomi, to comply with the GPL. While Android itself is licensed under the Apache 2.0 License, and therefore does not actually require derivative works to be FOSS, the Linux kernel itself is GPL-licensed and needs to remain open. Unless Xiaomi intends to develop a replacement for the Linux kernel, they need to make their modifications public."

Slashdot Top Deals