Tuesday June 28, 2016

Slashdot: Facebook Is Using Your Phone's Location To Suggest New Friends

(posted on Tuesday June 28, 2016 at 04:05 AWST)

Fusion's Kashmir Hill is reporting that Facebook is using your phone's location to suggest new friends. It's unclear exactly when the social juggernaut began doing this, but a number of instances suggest it only started recently. From the report: Last week, I met a man who suspected Facebook had tracked his location to figure out who he was meeting with. He was a dad who had recently attended a gathering for suicidal teens. The next morning, he told me, he opened Facebook to find that one of the anonymous parents at the gathering popped up as a "person you may know." [...] "People You May Know are people on Facebook that you might know," a Facebook spokesperson said. "We show you people based on mutual friends, work and education information, networks you're part of, contacts you've imported and many other factors." One of those factors is smartphone location. A Facebook spokesperson said though that shared location alone would not result in a friend suggestion, saying that the two parents must have had something else in common, such as overlapping networks. While this feature could be useful in some cases, it could also be seen as a big invasion of users' privacy. Hill has succinctly explained a number of the privacy concerns.

Read more of this story at Slashdot.

Slashdot: New and Improved CryptXXX Ransomware Rakes In $45,000 In 3 Weeks

(posted on Tuesday June 28, 2016 at 03:21 AWST)

An anonymous reader writes: Whoever said crime doesn't pay didn't know about the booming ransomware market. A case in point, the latest version of the scourge known as CryptXXX, which raked in more than $45,000 in less than three weeks. Over the past few months, CryptXXX developers have gone back and forth with security researchers. The whitehats from Kaspersky Lab provided a free tool that allowed victims to decrypt their precious data without paying the ransom, which typically reaches $500 or more. Then, CryptXXX developers would tweak their code to defeat the get-out-of-jail decryptor. The researchers would regain the upper hand by exploiting another weakness and so on. Earlier this month, the developers released a new CryptXXX variant that to date still has no decryptor available. Between June 4 and June 21, according to a blog post published Monday by security firm SentinelOne, the Bitcoin address associated with the new version had received 70 bitcoins, which at current prices is valued at around $45,228. The figure doesn't include revenue generated from previous campaigns.

Read more of this story at Slashdot.

Slashdot: HP Adds a Touchscreen To Its 11-inch Chromebook Lineup

(posted on Tuesday June 28, 2016 at 02:45 AWST)

An anonymous reader shares a report by The Verge: HP today announced the Chromebook 11 G5, the first of the company's Chrome OS laptops in the 11-inch range to include a touchscreen display. The new Chromebook starts at $189 and will go on sale through HP's channel partners in July. It will be more widely available in stores this October. The base model of the Chromebook 11 G5 has an 11.6-inch screen with a sub-HD display (there will be an option for an HD IPS touchscreen panel with Gorilla Glass), weighs 2.51 pounds, and comes with a 1.6GHz Intel Celeron N3060 -- a somewhat common processor for low- to mid-range Chromebooks. HP claims it will be powerful enough to handle video calls and playback, and that it "speeds through spreadsheets," which is the most amazingly modest goal I can imagine for a Chromebook. Of course that limited performance, coupled with Chrome OS's limited feature set, gives the Chromebook 11 G5 up to 11 solid hours of battery life, according to HP.

Read more of this story at Slashdot.

Slashdot: You Are Still Watching a Staggering Amount Of TV Every Day

(posted on Tuesday June 28, 2016 at 02:00 AWST)

Peter Kafka, reporting for Recode: TV! It's cooked! Toast! Doneso. Ready for the fork. Except not yet, because Americans are still watching a ton of TV, every day. For some of them, it's the equivalent of a full-time job. The average American watches an astonishing 4.5 hours of TV a day, according to a new report from Nielsen. Add in DVR time, and that number gets up to 5 hours a day. That usage is shrinking over time -- a couple of years ago, Americans were averaging five hours and twenty-three minutes a day. Nielsen's data also shows that people are now consuming more content on their smartphone devices than ever. Compared to just 47 minutes usage in 2014, it is now up to one hour and 39 minutes.

Read more of this story at Slashdot.

Slashdot: .NET Core 1.0 Released, Now Officially Supported By Red Hat

(posted on Tuesday June 28, 2016 at 01:20 AWST)

Microsoft on Monday announced the release of .NET Core, the open source .NET runtime platform. Finally! (It was first announced in 2014.) The company also released ASP.NET Core 1.0, the open-source version of Microsoft's Web development stack. ArsTechnica reports: Microsoft picked an unusual venue to announce the release: the Red Hat Summit. One of the purposes of .NET Core was to make Linux and OS X into first-class supported platforms, with .NET developers able to reach Windows, OS X, Linux, and (with Xamarin) iOS and Android, too. At the summit today, Red Hat announced that this release would be actively supported by the company on Red Hat Enterprise Linux.

Read more of this story at Slashdot.

Slashdot: Google CEO Sundar Pichai's Quora Account Hacked

(posted on Tuesday June 28, 2016 at 00:40 AWST)

Google CEO Sundar Pichai is the latest high-profile victim of a hacking group called OurMine. Earlier today, the group managed to get hold of Pichai's Quora account, which in turn gave them access to his Twitter feed as well. In a statement to The Next Web, the group said that their intention is just to test people's security, and that they never change the victim's passwords. Looking at the comments they left after hacking Pichai's account, it is also clear that OurMine is promoting its security services. The same group recently also hacked Facebook CEO Mark Zuckerberg's Twitter and Pinterest accounts.

Read more of this story at Slashdot.

Slashdot: Sergey Brin: Don't Come To Silicon Valley To Start a Business

(posted on Tuesday June 28, 2016 at 00:00 AWST)

An anonymous reader shares a Business Insider report: If you're itching to start a company out of a garage, then you shouldn't pick up and move to Silicon Valley, according to Google cofounder Sergey Brin. It's easier to start a company outside the Valley than in it, he said onstage at the Global Entrepreneurship Summit. "I know that sort of contradicts what everyone here has been saying," he said with a laugh. "During the boom cycles, the expectations around the costs -- real estate, salaries -- the expectations people and employees have ... it can be hard to make a scrappy initial business that's self-sustaining," he said. "Whereas in other parts of the world you might have an easier time for that." But he adds that Silicon Valley is good for scaling that opportunity.

Read more of this story at Slashdot.

Monday June 27, 2016

Slashdot: Google To Step Up Smartphone Wars With Release Of Own Handset

(posted on Monday June 27, 2016 at 23:23 AWST)

According to a report by The Telegraph, Google is working on its first Google-branded smartphone, and plans to release it by the end of 2016. Unlike the Nexus program, in which Google mandates the design and specifications of the phone but leaves the manufacturing to its handpicked OEM, the new supposed phone will be built from scratch by Google. From the report: The technology giant is in discussions with mobile operators about releasing a Google-branded phone that will extend the company's move into hardware, sources familiar with the discussions told The Telegraph. [...] The new device, which will be released by the end of the year according to a senior source, will see Google take more control over design, manufacturing and software. NYMag questions the company's reported move: It's an unsurprising rumor to hear: Google CEO Sundar Pichai has publicly commented on the company's emphasis on phones, and Motorola's Rick Osterloh was hired earlier this year to head up a new hardware division. And there's also the much discussed Google Ara, a modular phone which lets you swap out pieces like a camera or speakers and is slated for release in 2017. But Google is already working with hardware companies like LG and Huawei on the Nexus line of phones, which are made to the company's exact design specifications but are manufactured by third parties. It's hard to see how Google could take more control over design or software than it already does with Nexus, and while the company is likely eager to move into the manufacturing space, the timeline for Ara hasn't changed, and it seems unlikely that this new mystery Google phone is going to jump in front and actually become available to the public by year's end.

Read more of this story at Slashdot.

Slashdot: Amazon Unveils Inspire Online Education Service For Teachers and Schools

(posted on Monday June 27, 2016 at 22:40 AWST)

Amazon on Monday launched a new site called Amazon Inspire where K-12 teachers and schools can upload and access unlimited education and classroom resources such as videos, tests, projects, games and lesson plans, sharing them with their peers across the country free of charge. In a statement, the company said, "Our ultimate goal is for every teacher in every single subject to benefit from Amazon Inspire. When they walk into a classroom, we want every teacher to benefit from the collective knowledge, the collective insights and the experience of every single one of their peers." GeekWire reports: It's the latest in a series of moves by Amazon in the education technology market. The company acquired the TenMarks online math startup in 2014, and separately markets e-books and tablets for teachers and school districts. The company describes the project as an outgrowth of its involvement in the U.S. Department of Education's GoOpen initiative. Amazon also provides technical resources and support for the department's Learning Registry open database.

Read more of this story at Slashdot.

Slashdot: Google Ponders About a Chromebook Pro

(posted on Monday June 27, 2016 at 22:00 AWST)

Google is currently surveying people about what a Chromebook Pro should be like. VentureBeat's report cites two people who recently shared the development on a forum. One user was asked the question, "How would you think a Chromebook Pro is different than a Chromebook?" whereas the other user was asked, "what a Chromebook Pro should be like in [his/her] opinion and what type of people would want to use it." From the report: The word "Pro" would imply a high-end laptop running Chrome OS, just like, say, the MacBook Pro or the Surface Pro 4. But there are many other companies -- Asus, Dell, HP, and Samsung, among others -- that make Chromebooks, along with Google. It isn't clear from these survey questions if Google is thinking about making a Chromebook Pro itself, just as it has made high-end Chromebook Pixel laptops, or if Google is just wondering how consumers would perceive a Chromebook Pro made by a third party. Meanwhile, Google last month published a job posting entitled "Quality Engineer, Chromebook Pixel," suggesting that a third generation of that device could be on the way. Chromebooks are becoming increasingly popular. They outsold Mac for the first time in the United States earlier this year. The majority of the Chromebooks available today, however, pack in entry-level specifications, giving users very limited choice. Though we have seen devices like Chromebook Pixel, a range of high-end Chromebooks could entice even more customers.

Read more of this story at Slashdot.

EEV Blog: EEVblog #893 – Mailbag

EEV Blog (posted on Monday June 27, 2016 at 21:57 AWST)

More Mailbag Monday
Forum HERE

Infinity PV organic printed solar cells:
Panasonic 840 JE-840U calculator teardown
LED controller car computer thingo teardown
Old school parallel port software protection dongle teardown
World’s first logic IC! The Fairchild µL900 series, as used in the Apollo guidance computer.
Dave is taken to task about his religious rant in a previous video. Can he destroy Dave with a logical argument?
Expert witness court case letter.
Cheap ebay soldering iron of death teardown
Cheap BEC brand voltage regulator for model airplanes, is it any good? Will it meet its claims?
Silego GreenPAK Dual-Supply Programmable Mixed Signal Matrix


Slashdot: Woman Wins $10,000 Lawsuit Against Microsoft Over Windows 10 Upgrades

(posted on Monday June 27, 2016 at 19:30 AWST)

An anonymous reader shares this story from the Seattle Times: A few days after Microsoft released Windows 10 to the public last year, Teri Goldstein's computer started trying to download and install the new operating system. The update, which she says she didn't authorize, failed. Instead, the computer she uses to run her Sausalito, California, travel-agency business slowed to a crawl. It would crash, she says, and be unusable for days at a time. "I had never heard of Windows 10," Goldstein said. "Nobody ever asked me if I wanted to update." When outreach to Microsoft's customer support didn't fix the issue, Goldstein took the software giant to court, seeking compensation for lost wages and the cost of a new computer. She won. Last month, Microsoft dropped an appeal and Goldstein collected a $10,000 judgment from the company. Microsoft denies any wrongdoing, and says they only halted their appeal to avoid the cost of further litigation.

Read more of this story at Slashdot.

Slashdot: New 'Civilization' Game Will Be Sold To Schools As An Educational Tool

(posted on Monday June 27, 2016 at 15:33 AWST)

An anonymous reader writes: In the fall of 2017, a special version of Civilization V will be made available for schools to use as an educational tool. "CivilizationEDU will provide students with the opportunity to think critically and create historical events, consider and evaluate the geographical ramifications of their economic and technological decisions, and to engage in systems thinking and experiment with the causal/correlative relationships between military, technology, political and socioeconomic development," announced Take-Two Interactive Software. "We are incredibly proud to lend one of our industry's most beloved series to educators to use as a resource to inspire and engage students further..." said the company's CEO. "I can't think of a better interactive experience to help challenge and shape the minds of tomorrow's leaders." Special lesson plans will be created around the game, and as an alternative to standardized tests teachers will have access to a dashboard showing each student's progress. Of course, this begs an important question: Are educational videogames a good idea?

Read more of this story at Slashdot.

SC Magazine: SA govt promises Adelaide businesses up to 10Gbps

(posted on Monday June 27, 2016 at 13:46 AWST)

Fibre research network to be expanded.

SC Magazine: Google boss suffers social media hack

(posted on Monday June 27, 2016 at 12:10 AWST)

OurMine hackers target tech chief executives.

Slashdot: Wisconsin's Prison-Sentencing Algorithm Challenged in Court

(posted on Monday June 27, 2016 at 11:33 AWST)

"Do you want a computer to help decide a convict's fate?" asks Engadget, telling the story of a Wisconsin convict who "claims that the justice system relied too heavily on its COMPAS algorithm to determine the likelihood of repeat offenses and sentenced him to six years in prison." Sentencing algorithms have apparently been in use for 10 years. His attorneys claim that the code is "full of holes," including secret criteria and generic decisions that aren't as individually tailored as they have to be. For instance, they'll skew predictions based on your gender or age -- how does that reflect the actual offender...? [T]he court challenge could force Wisconsin and other states to think about the weight they give to algorithms. While they do hold the promise of both preventing repeat offenses and avoiding excessive sentences for low-threat criminals, the American Civil Liberties Union is worried that they can amplify biases or make mistakes based on imperfect law enforcement data. The biggest issue seems to be a lack of transparency, which makes it impossible to determine whether convicts actually are receiving fair sentences.

Read more of this story at Slashdot.

SC Magazine: US charges Filipino man with hacking celebrity accounts

(posted on Monday June 27, 2016 at 10:13 AWST)

Stole personal details.

SC Magazine: Perth public transport users promised free wi-fi

(posted on Monday June 27, 2016 at 10:09 AWST)

Will any vendors agree to roll it out?

Slashdot: Drivers Prefer Autonomous Cars That Don't Kill Them

(posted on Monday June 27, 2016 at 09:34 AWST)

"A new study shows that most people prefer that self-driving cars be programmed to save the most people in the event of an accident, even if it kills the driver," reports Information Week. "Unless they are the drivers." Slashdot reader MojoKid quotes an article from Hot Hardware about the new study, which was published by Science magazine. So if there is just one passenger aboard a car, and the lives of 10 pedestrians are at stake, the survey participants were perfectly fine with a self-driving car "killing" its passenger to save many more lives in return. But on the flip side, these same participants said that if they were shopping for a car to purchase or were a passenger, they would prefer to be within a vehicle that would protect their lives by any means necessary. Participants also balked at the notion of the government stepping in to regulate the "morality brain" of self-driving cars. The article warns about a future where "a harsh AI reality may whittle the worth of our very existence down to simple, unemotional percentages in a computer's brain." MIT's Media Lab is now letting users judge for themselves, in a free online game called "Moral Machine" simulating the difficult decisions that might someday have to be made by an autonomous self-driving car.

Read more of this story at Slashdot.

Latest Kernel Versions: 4.7-rc5: mainline

(posted on Monday June 27, 2016 at 08:52 AWST)

Version: 4.7-rc5 (mainline)
PGP Signature: linux-4.7-rc5.tar.sign

SC Magazine: Synergy hones agile delivery with BI, digital projects

(posted on Monday June 27, 2016 at 08:03 AWST)

Utility embarks on self-service drive.

SC Magazine: IT consultancies lag on ATO SuperStream adoption

(posted on Monday June 27, 2016 at 07:40 AWST)

Tax agency pushes back SMB deadline.

Slashdot: Religious Hacker Defaces 111 Escort Sites

(posted on Monday June 27, 2016 at 07:32 AWST)

An anonymous reader shares this article from Softpedia: A religiously-motivated Moroccan hacker has defaced 111 different web sites promoting escort services since last summer as part of an ongoing protest against the industry. "In January, the hacker defaced 79 escort websites," writes Softpedia. "His actions didn't go unnoticed, and on some online forums where escorts and webmasters of these websites met, his name was brought up in discussions and used to drive each other in implementing better Web security. While some webmasters did their job, some didn't. During the past days, the hacker has been busy defacing a new set of escort websites... Most of these websites bear ElSurveillance's defacement message even today... Most of the websites are from the UK." His newest round of attacks replaces the sites with a pro-Palestine message and a quote from the Quran, though in January Softpedia reported the attacker was also stealing data from some of the sites about their users' accounts.

Read more of this story at Slashdot.

SC Magazine: Defence restructures $500m next-gen desktop project

(posted on Monday June 27, 2016 at 04:30 AWST)

Appoints itself as systems integrator.

SC Magazine: iiNet starts NBN HFC cable trials

(posted on Monday June 27, 2016 at 04:00 AWST)

Small sites in Qld and WA selected.

SC Magazine: United States wants travellers' social media details

(posted on Monday June 27, 2016 at 04:00 AWST)

Facebook, Twitter activity could be vetted by homeland security.

Saturday June 25, 2016

Ubuntu Security Notices: HOWTO: Host your own SNAP store!

(posted on Saturday June 25, 2016 at 03:58 AWST)

SNAPs are the cross-distro, cross-cloud, cross-device Linux packaging format of the future.  And we’re already hosting a fantastic catalog of SNAPs in the SNAP store provided by Canonical.  Developers are welcome to publish their software for distribution across hundreds of millions of Ubuntu servers, desktops, and devices.

Several people have asked the inevitable open source software question, “SNAPs are awesome, but how can I stand up my own SNAP store?!?”

The answer is really quite simple…  SNAP stores are really just HTTP web servers!  Of course, you can get fancy with branding, and authentication, and certificates.  But if you just want to host SNAPs and enable downstream users to fetch and install software, well, it’s pretty trivial.

In fact, Bret Barker has published an open source (Apache License) SNAP store on GitHub.  We’re already looking at how to flesh out his proof-of-concept and bring it into snapcore itself.

Here’s a little HOWTO install and use it.

First, I launched an instance in AWS.  Of course I could have launched an Ubuntu 16.04 LTS instance, but actually, I launched a Fedora 24 instance!  In fact, you could run your SNAP store on any OS that currently supports SNAPs, really, or even just fork this GitHub repo and install it stand alone.  See snapcraft.io.

Now, let’s find and install a snapstore SNAP.  (Note that in this AWS instance of Fedora 24, I also had to ‘sudo yum install squashfs-tools kernel-modules’.)

At this point, you’re running a SNAP store (webserver) on port 5000.

Now, let’s reconfigure snapd to talk to our own SNAP store, and search for a SNAP.

Finally, let’s install and inspect that SNAP.

How about that?  Easy enough!

Original article

Latest Kernel Versions: 4.6.3: stable

(posted on Saturday June 25, 2016 at 01:22 AWST)

Version: 4.6.3 (stable)
PGP Signature: linux-4.6.3.tar.sign
Patch: patch-4.6.3.xz (Incremental)

Friday June 24, 2016

SC Magazine: La Trobe moves student management to the cloud

(posted on Friday June 24, 2016 at 15:30 AWST)

Picks TechOne SaaS solution.

SC Magazine: Aussie ISPs fight against rolling piracy site blocking

(posted on Friday June 24, 2016 at 10:27 AWST)

Foxtel, Roadshow want power to tell telcos to block mirror sites.

SC Magazine: Turnbull pledges $12m to mobile coverage for Central Coast trains

(posted on Friday June 24, 2016 at 10:26 AWST)

Wi-fi at stations and non-stop phone use for commuters.

SC Magazine: Vic govt to overhaul e-services register

(posted on Friday June 24, 2016 at 10:25 AWST)

IT services panel gets too big for tech platform.

SC Magazine: Qld Health CIO quits

(posted on Friday June 24, 2016 at 09:01 AWST)

Updated: McCririck picks up overseas IBM gig

SC Magazine: DTO takes over MyGov

(posted on Friday June 24, 2016 at 04:45 AWST)

PM's pet agency seizes control of infamous portal.

SC Magazine: Database with 154 million US voter records left wide open

(posted on Friday June 24, 2016 at 04:32 AWST)

Contained sensitive, personally identifiable data.

Thursday June 23, 2016

SC Magazine: ASD invests $12m in ANU cyber security innovation hub

(posted on Thursday June 23, 2016 at 14:35 AWST)

Students and cyber spies to share new building.

SC Magazine: What defines an 'online location' in Australian piracy site blocking?

(posted on Thursday June 23, 2016 at 12:24 AWST)

Rights holders argue definition is broader than URL, IP address.

SC Magazine: US SEC busts suspected stock exchange hacking scheme

(posted on Thursday June 23, 2016 at 10:25 AWST)

Claims UK man hijacked investor accounts.

SC Magazine: Telstra to boost its business in Aussie mining sector

(posted on Thursday June 23, 2016 at 10:16 AWST)

Buys wireless and mesh expertise.

Wednesday June 22, 2016

EEV Blog: EEVblog #892 – Siglent SSA3021X Spectrum Analyser Teardown

EEV Blog (posted on Wednesday June 22, 2016 at 20:40 AWST)

A very detailed look inside the new Siglent SSA3021X 3.2GHz Spectrum Analyser.
The entire RF section is broken down and analysed in depth with a block diagram overlay.

Forum HERE

Keysight AN150 App Note

Siglent SSA3021X Spectrum Analyser



DFES Media Releases: Dedicated fire and emergency service careers honoured

DFES Media Releases (posted on Wednesday June 22, 2016 at 16:03 AWST)


More than 280 emergency services personnel have been acknowledged for their long-standing and diligent service to the people of Western Australia. 

Fire and Emergency Services Commissioner Wayne Gregson recognised the award recipients’ dedication to helping the community at a medal ceremony held at Government House today.  

"These awards highlight a significant milestone in the careers of firefighters and emergency services personnel who work tirelessly to protect the community, often under challenging circumstances,” Commissioner Gregson said.  

"Today provides an opportunity to say thank you to these emergency services personnel, who do not seek recognition for their exceptional work.”  

The recipients included Assistant Commissioner Brad Stringer, Aboriginal firefighter Shane Klunder and long serving volunteer and career personnel Don Fazio, Will Blackshaw and Terry Wegwermer. 

More than 4,300 years of service were recognised, with 288 career personnel qualifying for long and diligent service medals in the latest round of awards. 

"It is remarkable that the beneficiary of this long and diligent service is the Western Australian community,” Commissioner Gregson said. 

The medals were presented by Emergency Services Minister Joe Francis at the Department of Fire and Emergency Services annual National Medal and Emergency Services Diligent Services Medal ceremony. 


Media Contact: DFES Media and Corporate Communications 9225 5955 

Publication Time: 22/06/2016 4:00 PM

Netcraft: June 2016 Web Server Survey

(posted on Wednesday June 22, 2016 at 16:02 AWST)

In the June 2016 survey we received responses from 1,045,534,808 sites and 5,951,685 web-facing computers. This reflects an increase of 12 million sites, along with a modest gain of 4,700 computers.

Apache regained the lead from Microsoft this month, with a large increase of 60 million sites taking its total up to 360 million, while Microsoft lost 24 million. Microsoft enjoyed a brief foray at the top in April and May, thanks to a proliferation of link farming sites, but now stands 18 million sites behind Apache.

Apache's net growth included only 14 million new websites – the remainder consisted of existing websites that switched to Apache after previously using other web server software. Most notably, 52 million sites switched from Tengine to Apache, while 12 million switched from Microsoft. The number of websites using Tengine fell by more than 60%, largely as a result of the migration to Apache. Most of the sites involved in this switch were hosted by OVH in Canada, and not only changed server vendor, but also moved to a different hosting company—Data Foundry—in the United States.

Although the number of Tengine websites fell to 29 million, the number of active sites using Tengine actually increased slightly to 1.8 million. In a similar vein, the number of active sites running Apache fell by 630,000, even though the total number of sites grew by more than 60 million.

Out of the largest vendors, Microsoft has the lowest proportion of active sites, with only 4.8% of its 340 million sites being active, while Tengine's proportion has crept up to 6.3%. Both are significantly lower than Apache's proportion of 22.3% and nginx's 21.6%.

Newer versions of web server software generally attract a much higher proportion of active sites. For example, 56% of sites running on Microsoft IIS 10 (which will be included with Windows Server 2016, but is already available for Windows 10) are classified as active, while 23% of sites running IIS 8.5 are active, along with 14% of IIS 8.0 sites. This proportion dwindles to only 2.8% by the time we consider IIS 6.0, which remains a very popular choice of server in China despite no longer being supported by Microsoft.

nginx also demonstrates this trend, with the largest number of its active sites running on the latest 1.10.x stable branch. More than half of all sites using this version are active.

Across all versions, nginx continues to muscle its way into the market with confidence. This month it gained almost a million active sites, along with an additional 31,000 web-facing computers, giving it the largest growth in these important metrics. Conversely, Apache lost 26,000 computers, while Microsoft lost 4,500.

nginx has also continued to grow its presence amongst the top million websites, where it is now used by 27.6% of sites. Apache continues to lead with a 43.7% share of this market, although its share has generally been on the decline since 2011. If current trends continue, nginx could possibly take the lead from Apache within the next couple of years.

[Chart: Total number of websites]

Web server market share

Developer | May 2016 | Percent | June 2016 | Percent | Change

Web server market share for active sites

Developer | May 2016 | Percent | June 2016 | Percent | Change

For more information see Active Sites

Web server market share for top million busiest sites

Developer | May 2016 | Percent | June 2016 | Percent | Change

Web server market share for computers

Developer | May 2016 | Percent | June 2016 | Percent | Change

Tuesday June 21, 2016

Ubuntu Security Notices: HOWTO: Classic, apt-based Ubuntu 16.04 LTS Server on the rpi2!

(posted on Tuesday June 21, 2016 at 03:35 AWST)

Classic Ubuntu 16.04 LTS, on an rpi2

Hopefully by now you’re well aware of Ubuntu Core — the snappiest way to run Ubuntu on a Raspberry Pi…

But have you ever wanted to run classic (apt/deb) Ubuntu Server on a RaspberryPi2?

Well, you’re in luck!  Follow these instructions, and you’ll be up and running in minutes!

First, download the released image (214MB):

$ wget http://cdimage.ubuntu.com/releases/16.04/release/ubuntu-16.04-preinstalled-server-armhf+raspi2.img.xz

Next, uncompress it:

$ unxz *xz

Now, write it to a microSD card using dd.  I’m using the card reader built into my Thinkpad, but you might use a USB adapter.  You’ll need to figure out the block device of your card, and perhaps unmount it, if necessary.  Then, you can write the image to disk:

$ sudo dd if=ubuntu-16.04-preinstalled-server-armhf+raspi2.img of=/dev/mmcblk0 bs=32M
$ sync

Now, pop it into your rpi2, and power it on.

If it’s connected to a USB mouse and an HDMI monitor, then you’ll land in a console where you can login with the username ‘ubuntu‘ and password ‘ubuntu‘, and then you’ll be forced to choose a new password.

Assuming it has an Ethernet connection, it should DHCP.  You might need to check your router to determine what IP address it got, or it sets its hostname to ‘ubuntu’.  In my case, I could automatically resolve it on my network, at ubuntu.canyonedge, with IP address, and ssh to it:

$ ssh ubuntu@ubuntu.canyonedge

Again, you can login on first boot with password ‘ubuntu‘ and you’re required to choose a new password.

On first boot, it will automatically resize the filesystem to use all of the available space on the MicroSD card — much nicer than having to resize2fs yourself in some offline mode!
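The procedure above writes a downloaded image straight to a block device with dd. Two checks a careful operator adds before that step are verifying the image against the SHA256SUMS file that cdimage.ubuntu.com publishes next to each release image (so a corrupted or tampered download is caught before it is written) and refusing to write to a device that still has partitions mounted. The script below is an added example, not code from the original post; it assumes GNU coreutils (sha256sum, awk) and that the SHA256SUMS file has been downloaded alongside the image. The helper names (verify_image_checksum, device_is_mounted, write_image) are my own.

```shell
#!/bin/sh
# Added example (not part of the original HOWTO): safer image-to-card write.
# Assumes GNU coreutils on a Linux host and a SHA256SUMS file (format:
# "<sha256>  <name>" or "<sha256> *<name>") downloaded next to the image.

# verify_image_checksum IMAGE SUMSFILE
# Returns 0 if IMAGE's SHA-256 matches its entry in SUMSFILE, 1 otherwise
# (including when SUMSFILE has no entry for that file name).
verify_image_checksum() {
    image="$1"
    sums="$2"
    name=$(basename "$image")
    # SHA256SUMS lines may prefix the name with '*' for binary mode.
    expected=$(awk -v n="$name" '$2 == n || $2 == "*" n { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "no checksum entry for $name in $sums" >&2
        return 1
    fi
    actual=$(sha256sum "$image" | awk '{ print $1 }')
    [ "$expected" = "$actual" ]
}

# device_is_mounted DEVICE [MOUNTS_FILE]
# Returns 0 if DEVICE or any of its partitions (e.g. /dev/mmcblk0p1 for
# /dev/mmcblk0) appears as a mounted source in MOUNTS_FILE (default
# /proc/mounts), 1 otherwise.
device_is_mounted() {
    dev="$1"
    mounts="${2:-/proc/mounts}"
    awk -v d="$dev" 'index($1, d) == 1 { found = 1 } END { exit !found }' "$mounts"
}

# write_image IMAGE DEVICE SUMSFILE
# Writes IMAGE to DEVICE with dd only after both checks pass.
write_image() {
    image="$1"
    dev="$2"
    sums="$3"
    if ! verify_image_checksum "$image" "$sums"; then
        echo "checksum mismatch for $image; refusing to write" >&2
        return 1
    fi
    if device_is_mounted "$dev"; then
        echo "$dev has mounted partitions; unmount them first" >&2
        return 1
    fi
    sudo dd if="$image" of="$dev" bs=32M
    sync
}

# Stand-alone usage: ./write-rpi2.sh IMAGE DEVICE SHA256SUMS
if [ "$#" -eq 3 ]; then
    write_image "$1" "$2" "$3"
fi
```

Run it as `sh write-rpi2.sh ubuntu-16.04-preinstalled-server-armhf+raspi2.img.xz /dev/mmcblk0 SHA256SUMS` before the unxz step if you want to check the compressed download (that is the file listed in SHA256SUMS), or pass the uncompressed .img with its own checksum file; the mount check reads /proc/mounts, so a card that the desktop auto-mounted is rejected rather than overwritten.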

Now, you’re off and running.  Have fun with sudo, apt, byobu, lxd, docker, and everything else you’d expect to find on a classic Ubuntu server 😉

Heck, you’ll even find the snap command, where you’ll be able to install snap packages, right on top of your classic Ubuntu Server!  And if that doesn’t just bake your noodle…

Original article

Monday June 20, 2016

Ubuntu Security Notices: A New Research Cloud on Ubuntu OpenStack

(posted on Monday June 20, 2016 at 23:34 AWST)

If you’re starting from almost scratch, and – where many people are – you don’t have any skill, you don’t have any training, you don’t have much of an idea of what you want to do, then [BootStack] is a very good place to start.

The University of Cape Town (UCT), in South Africa, recently switched on their first Ubuntu OpenStack-based research cloud. It’s no surprise, since a recent OpenStack users’ group survey showed that over 41% of OpenStack operators plan to run scientific or engineering workloads. Not uniquely, but also not the norm, UCT’s OpenStack is a cloud built only for scientific and research workloads.

UCT wanted to focus on the workloads they’d be hosting, and the potential users of the system, not the system itself. As many have found out, if you don’t have the operational expertise, or the right toolset, OpenStack is often not easily tamed as a useful cloud. So, UCT partnered with Canonical to leverage both our expertise and our toolset to begin offering this research cloud as a service. They opted for BootStack.

BootStack is a service and a product. Canonical’s OpenStack engineering team (the same ones that run our own OpenStack infrastructure) install and manage a private OpenStack cloud at your location. BootStack reduces a process that could take weeks, or even months, for the uninitiated, down to a matter of days.

UCT is starting small. They’re offering up the use of their new research cloud for training programs across the university. Their belief is that as these users become familiar with the environment they will naturally begin building solutions on top of it.

The ICTS team even see the possibility of offering the research cloud to stakeholders beyond the UCT campus. They believe that offering compute capabilities to smaller universities in the region could be tremendously beneficial to the research community as a whole.

Starting small doesn’t mean staying small. BootStack is designed for scalability, to thousands of nodes. Since BootStack uses Canonical’s application modeling tool, Juju, to model and deploy the OpenStack environment, scaling, and even upgrading, is easy.

If you want to learn more about BootStack, and how you can have a dynamic OpenStack cloud in production in just a few days, visit ubuntu.com/bootstack


EEV Blog: EEVblog #891 – Siglent SSA3021X vs Rigol DSA815 Spectrum Analyser

EEV Blog (posted on Monday June 20, 2016 at 18:12 AWST)

Dave compares the new Siglent SSA3021A 2.1GHz spectrum analyser with the similarly priced Rigol DSA815.
Noise floor, clock and PLL phase noise and other performance aspects are measured and compared between the two models.
Bugs?, yup, got those too!
Forum: http://www.eevblog.com/forum/blog/eevblog-891-siglent-ssa3021x-vs-rigol-dsa815-spectrum-analyser/


Friday June 17, 2016

OpenBSD Journal: BSDCan 2016 Presentations Online

OpenBSD Journal (posted on Friday June 17, 2016 at 21:57 AWST)

The BSDCan 2016 conference in Ottawa has just concluded, with a number of OpenBSD-themed talks. These are the talks by OpenBSD developers:

Reyk Flöter: An OpenFlow implementation for OpenBSD - Introducing switchd(8) and more about SDN (slides)

Henning Brauer: Running an ISP on OpenBSD - Why OpenBSD and several uncommon uses of it (slides)

Peter Hessler: Bidirectional Forwarding Detection (BFD) implementation and support in OpenBSD. Or: A new protocol actually did improve our routing. (slides)

Mike Belopuhov: Implementation of Xen PVHVM drivers in OpenBSD (slides)

Antoine Jacoutot: OpenBSD rc.d(8) (slides)

Sebastian Benoit: Opensource Routing - Running an enterprise network on OpenBSD (slides)

In addition, two OpenBSD-centric tutorials were offered by people who are not themselves OpenBSD developers:

Peter Hansteen: Building The Network You Need With PF, The OpenBSD Packet Filter (slides)

Aaron Poffenberger: OpenSMTPD for the Real World (slides)

OpenBSD Journal: Understanding the modernization of the OpenBSD network stack, part 1: ART single thread performances

OpenBSD Journal (posted on Friday June 17, 2016 at 21:53 AWST)

Martin Pieuchot (mpi@) wrote in, saying

OpenBSD network developers are doing some great work at modernizing and improving the network stack. But even if you're following tech@, it might be tricky to understand what's going on.

pfSense: pfSense 2.3.1 Update 5 Available

(posted on Friday June 17, 2016 at 03:20 AWST)

2.3.1 Update 5 (2.3.1_5) is now available. Note that updates 2 through 4 were internal-only. This includes two security fixes to the web GUI, and 7 other bug fixes. The 2.3.1-RELEASE change list has been updated with an Update 5 section specifying the changes.

This update will reboot the system after installing.


Thursday June 16, 2016

Ubuntu Security Notices: Leveling up snapd integration tests

(posted on Thursday June 16, 2016 at 21:57 AWST)


Over the last several months there has been noticeable and growing pain associated with the evolving integration tests around snapd, and given the project goal of being a cross-distribution platform, we are very keen on solving this problem appropriately so that stability is guaranteed everywhere.

With that mindset a more focused effort was made over the last few weeks to produce a tool that can get the project out of those problems, and onto a runway of more pleasant stability. Despite the short amount of time, I’m very happy about the Spread project which resulted from this effort.

Spread is not Jenkins or Travis, and is not a language or library either. Spread is a tool that will very conveniently ship your code to one or more systems, in parallel, and then offer the right set of options so you can run whatever you need to run to make sure the logic is working, and drive it all from the local system. That implies you can run Spread inside Travis, Jenkins, or your terminal, in a similar way to how your unit tests work.

Here is a short list of interesting facts about Spread:

  • Full-system tests with on demand machine allocation.
  • Multi-backend with Linode and LXD (for local runs) out of the box for now.
  • Multi-language since it can run arbitrary remote code.
  • Agent-less and driven via embedded ssh (kudos to Go team).
  • Convenient harness with project+backend+suite+test prepare and restore scripts.
  • Variants feature for test duplication without copy & paste.
  • Great debugging support – add -debug and stop with a shell inside every failure.
  • Reuse of servers – server allocation is fast, but not allocating is faster.
  • Reasonable test outputs with the shell’s +x mode on failures.
  • … and so forth.

This is all well documented, so I’ll just provide one example here to offer a real taste of what the system feels like.

This is spread.yaml, put in the project root to define the basics:

project: spread

backends:
    lxd:                 # local runs use LXD; Linode is the other built-in backend
        systems:
            - ubuntu-16.04
            - ubuntu-14.04

path: /home/test         # where the project is shipped to on each system

prepare: |
    echo Entering project...
restore: |
    echo Leaving project...

suites:
    tests/:              # the suite name doubles as the directory holding the tests
        summary: Integration tests
        prepare: |
            echo Entering suite...
        restore: |
            echo Leaving suite...

The suite name is also the path under which the tests are found.

Then, this is tests/hello/task.yaml:

summary: Greet the world
prepare: |
    echo "Entering task..."
restore: |
    echo "Leaving task..."
environment:
    FOO/a: one           # the /a and /b suffixes turn this one task into two variants
    FOO/b: two
execute: |
    echo "Hello world!"
    [ $FOO = one ] || exit 1

The outcome should be almost obvious (intended feature :-). The one curious detail here is the FOO/a and FOO/b environment variables. This is how to introduce variants, which means this one test will in fact become two: first with FOO=one, and then with FOO=two. Now consider that such environment variables can be defined at any level – project, backend, suite, and task – and imagine how easy it is to test small variations without any copy & paste. After cascading takes place (project→backend→suite→task) all environment variables using a given variant key will be present at once on the same execution.
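To make the variant and cascading rules concrete, here is an added example (not Spread’s own code) that models them in Python: it expands the spread.yaml and task.yaml above into the job matrix, applies the project→backend→suite→task cascade, and evaluates the sample execute script for each job. The PROJECT and TASK dictionaries are hand-transcribed from the two files; how Spread itself resolves a plain variable that collides with a variant one is assumed here (the variant value wins).

```python
def split_env(env):
    """Separate plain variables from variant ones: 'FOO/a': 'one' means variant a gets FOO=one."""
    plain, variants = {}, {}
    for key, value in env.items():
        if "/" in key:
            name, variant = key.split("/", 1)
            variants.setdefault(variant, {})[name] = value
        else:
            plain[key] = value
    return plain, variants

def expand_jobs(project, backend_name, suite_name, task_name, task):
    """One job per (system, variant); environment cascades project -> backend -> suite -> task."""
    backend = project["backends"][backend_name]
    suite = project["suites"][suite_name]
    env, per_variant = {}, {}
    for level in (project, backend, suite, task):
        plain, variants = split_env(level.get("environment", {}))
        env.update(plain)  # a later level overrides an earlier one
        for variant, values in variants.items():
            per_variant.setdefault(variant, {}).update(values)
    jobs = {}
    for system in backend["systems"]:
        for variant in sorted(per_variant) or [""]:  # no variant key anywhere -> a single job
            name = f"{backend_name}:{system}:{suite_name}{task_name}" + (f":{variant}" if variant else "")
            jobs[name] = {**env, **per_variant.get(variant, {})}  # assumed: variant values win
    return jobs

def run_execute(job_env):
    """Stand-in for the sample task's execute script: [ $FOO = one ] || exit 1."""
    return 0 if job_env.get("FOO") == "one" else 1

# The two files from the post, as Python data (hand-transcribed, not parsed by Spread itself).
PROJECT = {
    "backends": {"lxd": {"systems": ["ubuntu-16.04", "ubuntu-14.04"]}},
    "suites": {"tests/": {"summary": "Integration tests"}},
}
TASK = {"summary": "Greet the world", "environment": {"FOO/a": "one", "FOO/b": "two"}}

def demo():
    """Job name -> exit status: four jobs, and both 'b' variants fail, as in the post's run."""
    jobs = expand_jobs(PROJECT, "lxd", "tests/", "hello", TASK)
    return {name: run_execute(env) for name, env in jobs.items()}
```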

Now let’s try to run this configuration, including the -debug flag so we get a shell on the failures. Note how with a single test we get four different jobs, two variants over two systems, with the variant b failing as instructed:

$ spread -debug

2016/06/11 19:09:27 Allocating lxd:ubuntu-14.04...
2016/06/11 19:09:27 Allocating lxd:ubuntu-16.04...
2016/06/11 19:09:41 Waiting for LXD container to have an address...
2016/06/11 19:09:43 Waiting for LXD container to have an address...
2016/06/11 19:09:44 Allocated lxd:ubuntu-14.04.
2016/06/11 19:09:44 Connecting to lxd:ubuntu-14.04...
2016/06/11 19:09:48 Allocated lxd:ubuntu-16.04.
2016/06/11 19:09:48 Connecting to lxd:ubuntu-16.04...
2016/06/11 19:09:52 Connected to lxd:ubuntu-14.04.
2016/06/11 19:09:52 Sending project data to lxd:ubuntu-14.04...
2016/06/11 19:09:53 Connected to lxd:ubuntu-16.04.
2016/06/11 19:09:53 Sending project data to lxd:ubuntu-16.04...

2016/06/11 19:09:54 Error executing lxd:ubuntu-14.04:tests/hello:b :
+ echo Hello world!
Hello world!
+ [ two = one ]
+ exit 1

2016/06/11 19:09:54 Starting shell to debug...

lxd:ubuntu-14.04 ~/tests/hello# echo $FOO
lxd:ubuntu-14.04 ~/tests/hello# cat /etc/os-release | grep ^PRETTY
PRETTY_NAME="Ubuntu 14.04.4 LTS"
lxd:ubuntu-14.04 ~/tests/hello# exit

2016/06/11 19:09:55 Error executing lxd:ubuntu-16.04:tests/hello:b :
+ echo Hello world!
Hello world!
+ [ two = one ]
+ exit 1

2016/06/11 19:09:55 Starting shell to debug...

lxd:ubuntu-16.04 ~/tests/hello# echo $FOO
lxd:ubuntu-16.04 ~/tests/hello# cat /etc/os-release | grep ^PRETTY
PRETTY_NAME="Ubuntu 16.04 LTS"
lxd:ubuntu-16.04 ~/tests/hello# exit

2016/06/11 19:10:33 Discarding lxd:ubuntu-14.04 (spread-129)...
2016/06/11 19:11:04 Discarding lxd:ubuntu-16.04 (spread-130)...
2016/06/11 19:11:05 Successful tasks
2016/06/11 19:11:05 Aborted tasks: 0
2016/06/11 19:11:05 Failed tasks: 2
    - lxd:ubuntu-14.04:tests/hello:b
    - lxd:ubuntu-16.04:tests/hello:b
error: unsuccessful run

This demonstrates many of the stated goals (parallelism, clarity, convenience, debugging, …) while running on a local system. Running on a remote system is just as easy by using an appropriate backend. The snapd project on GitHub, for example, is hooked up on Travis to run Spread and then ship its tests over to Linode. Here is a real run output with the initial tests being ported, and a basic smoke test.

If you like what you see, by all means please go ahead and make good use of it.

We’re all for more stability and sanity everywhere.

Original article

Drupal Security: Drupal Core - Moderately Critical - Multiple Vulnerabilities - SA-CORE-2016-002

(posted on Thursday June 16, 2016 at 02:45 AWST)


Saving user accounts can sometimes grant the user all roles (User module - Drupal 7 - Moderately Critical)

A vulnerability exists in the User module, where if some specific contributed or custom code triggers a rebuild of the user profile form, a registered user can be granted all user roles on the site. This would typically result in the user gaining administrative access.

This issue is mitigated by the fact that it requires contributed or custom code that performs a form rebuild during submission of the user profile form.

Views can allow unauthorized users to see Statistics information (Views module - Drupal 8 - Less Critical)

An access bypass vulnerability exists in the Views module, where users without the "View content count" permission can see the number of hits collected by the Statistics module for results in the view.

This issue is mitigated by the fact that the view must be configured to show a "Content statistics" field, such as "Total views", "Views today" or "Last visit".

The same vulnerability exists in the Drupal 7 Views module (see SA-CONTRIB-2016-036).

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • Drupal core 7.x versions prior to 7.44
  • Drupal core 8.x versions prior to 8.1.3


Install the latest version:

Also see the Drupal core project page.

Reported by

Saving user accounts can sometimes grant the user all roles:

Views can allow unauthorized users to see Statistics information:

Fixed by

Saving user accounts can sometimes grant the user all roles:

Views can allow unauthorized users to see Statistics information:

Coordinated by

The Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity
