Databases

Amazon Will Be Off All Oracle Databases By End of 2019, Says AWS Chief 61

Amazon Web Services CEO Andy Jassy said in an interview on Wednesday that almost all of Amazon's databases that ran on Oracle will be on an Amazon database instead. "We're virtually done moving away from Oracle on the database side," Jassy said. "And I think by the end of 2019 or mid-2019 we'll be done." CNBC reports: Amazon is reducing its reliance on Oracle for its data needs and is instead using its own services. Jassy said 88 percent of Amazon databases that were running on Oracle will be on Amazon DynamoDB or Amazon Aurora by January. He added that 97 percent of "mission critical databases" will run on DynamoDB or Aurora by the end of the year. On Nov. 1, Amazon moved its data warehouse from Oracle to its own service, Redshift, Jassy said.
Java

Amazon Releases A No-Cost Distribution of OpenJDK (sdtimes.com) 95

An anonymous reader quotes SD Times: Amazon wants to make sure Java is available for free to its users in the long term with the introduction of Amazon Corretto. The solution is a no-cost, multi-platform, production-ready distribution of the Open Java Development Kit (OpenJDK). "Java is one of the most popular languages in use by AWS customers, and we are committed to supporting Java and keeping it free," Arun Gupta, principal open-source technologist at Amazon, wrote in a blog post. "Many of our customers have become concerned that they would have to pay for a long-term supported version of Java to run their workloads. As a first step, we recently re-affirmed long-term support for Java in Amazon Linux. However, our customers and the broader Java community run Java on a variety of platforms, both on and off of AWS."

Amazon Corretto will be available with long-term support and Amazon will continue to make performance enhancements and security fixes to it, the company explained. Amazon plans on making quarterly updates with bug fixes and patches, as well as any urgent fixes necessary outside of its schedule... Corretto 8 is available as a preview with features corresponding to those in OpenJDK 8. General availability for the solution is planned for Q1 2019... "Corretto is designed as a drop-in replacement for all Java SE distributions unless you're using features not available in OpenJDK (e.g., Java Flight Recorder)," Gupta wrote....

According to Gupta, Corretto 8 will be available at no cost until at least June of 2023. The company is working on Corretto 11, which will be available until at least August of 2024. "Amazon has already made several contributions to OpenJDK 8 and we look forward to working closely with the OpenJDK community on future enhancements to OpenJDK 8 and 11," Gupta wrote. "We downstream fixes made in OpenJDK, add enhancements based on our own experience and needs, and then produce Corretto builds. In case any upstreaming efforts for such patches is not successful, delayed, or not appropriate for OpenJDK project, we will provide them to our customers for as long as they add value. If an issue is solved a different way in OpenJDK, we will move to that solution as soon as it is safe to do so."

Cloud

Google Cloud Executive Who Sought Pentagon Contract Steps Down (nytimes.com) 82

Diane Greene, whose pursuit of Pentagon contracts for artificial intelligence technology sparked a worker uprising at Google, is stepping down as chief executive of the company's cloud computing business (Warning: source may be paywalled; alternative source). "Ms. Greene said she would stay on as chief executive until January. She will be replaced by Thomas Kurian, who oversaw product development at Oracle until his resignation in October. Ms. Greene will remain a board director at Google's parent company, Alphabet," reports The New York Times. From the report: The change in leadership caps a turbulent three years for Ms. Greene, who was brought on to expand Google's cloud computing business. Google Cloud has struggled to make major inroads in persuading corporate customers to use its computing infrastructure over alternatives like Amazon's A.W.S. and Microsoft's Azure. In a blog post published by the company, Ms. Greene said she had initially told friends and family that she was planning to run Google Cloud for only two years but stayed for three. Ms. Greene, a widely respected technologist and entrepreneur, said that after leaving Google Cloud, she planned to help female founders of companies by investing in and mentoring them. Ms. Greene joined Google in 2015 when it acquired Bebop, a start-up she had founded, for $380 million. Ms. Greene defended Google's pursuit of a Defense Department contract for the Maven program, which uses AI to interpret video images and could be used to improve the targeting of drone strikes. In March, she said it was a small contract worth "only" $9 million and that the technology would be used for nonlethal purposes.
Google

Google Suffered a Brief Outage on Monday Which Pushed Some of Its Traffic Through Russia, China and Nigeria; Company Says It Will Do an Investigation (cnet.com) 70

Google suffered a brief outage and slowdown Monday, with some of its traffic getting rerouted through networks in Russia, China and Nigeria. From a report: Incorrect routing instructions sent some of the search giant's traffic to Russian network operator TransTelekom, China Telecom (which, as you may recall, has been found misdirecting internet traffic in recent months) and Nigerian provider MainOne between 1:00 p.m. and 2:23 p.m. PT, according to internet research group ThousandEyes. "This incident at a minimum caused a massive denial of service to G Suite and Google Search," wrote Ameet Naik, ThousandEyes' technical marketing manager, in a blog post. "However, this also put valuable Google traffic in the hands of ISPs in countries with a long history of Internet surveillance." Applications like Gmail and Google Drive don't appear to have been affected, but YouTube users experienced some slowdown. Google noted that the issue was resolved and said it would conduct an internal investigation. Update: Nigeria's Main One Cable Co has taken responsibility for the glitch.
Ruby

Deserialization Issues Also Affect Ruby -- Not Just Java, PHP, and .NET (zdnet.com) 62

An anonymous reader writes: The Ruby programming language is impacted by a similar "deserialization issue" that has affected and wreaked havoc in the Java ecosystem in 2016; an issue that later also proved to be a problem for .NET and PHP applications as well. Researchers published proof-of-concept code this week showing how to exploit serialization/deserialization operations supported by the built-in features of the Ruby programming language itself.

"Versions 2.0 to 2.5 are affected," researchers said. "There is a lot of opportunity for future work including having the technique cover Ruby versions 1.8 and 1.9 as well as covering instances where the Ruby process is invoked with the command line argument --disable-all," the elttam team added. "Alternate Ruby implementations such as JRuby and Rubinius could also be investigated."

The deserialization issues can be used for remote code execution and taking over vulnerable servers. While .NET and PHP were affected, it is Java that has, until now, faced the biggest issues with deserialization; earlier this year, Oracle announced it was dropping deserialization support from the Java language's standard package.

Oracle

Disgruntled Security Researcher Publishes Major VirtualBox 0-Day Exploit (zdnet.com) 130

"A Russian security researcher has published details about a zero-day vulnerability affecting VirtualBox, an Oracle software application for running virtual machines," reports ZDNet. According to a text file uploaded on GitHub, Saint Petersburg-based researcher Sergey Zelenyuk has found a chain of bugs that can allow malicious code to escape the VirtualBox virtual machine (the guest OS) and execute on the underlying (host) operating system. Once out of the VirtualBox VM, the malicious code runs in the OS' limited userspace (kernel ring 3), but Zelenyuk said that attackers can use many of the already known privilege escalation bugs to gain kernel-level access (ring 0). "The exploit is 100% reliable," Zelenyuk said. "It means it either works always or never because of mismatched binaries or other, more subtle reasons I didn't account."

The Russian researcher says the zero-day affects all current VirtualBox releases, works regardless of the host or guest operating system the user is running, and is reliable against the default configuration of newly created VMs. Besides a detailed write-up of the entire exploit chain, Zelenyuk has also published video proof, showing the zero-day in action against an Ubuntu VM running inside VirtualBox on an Ubuntu host OS.

Long-time Slashdot reader Artem Tashkinov warns that the exploit utilizes "bugs in the data link layer of the default E1000 network interface adapter which makes this vulnerability critical for everyone who uses virtualization to run untrusted code." According to ZDNet, the same security researcher "found and reported a similar issue in mid-2017, which Oracle took over 15 months to fix."

"This lengthy and drawn-out patching process appears to have angered Zelenyuk, who instead of reporting this bug to Oracle, has decided to publish details online without notifying the vendor."
Software

Amazon's Consumer Business Has Turned Off Its Oracle Data Warehouse (bloomberg.com) 134

An anonymous reader quotes a report from Bloomberg: Amazon.com Inc. has taken another step toward eliminating software from Oracle Corp. that has long helped the e-commerce giant run its retail business. An executive with Amazon's cloud-computing unit hit back at Oracle Executive Chairman Larry Ellison, who ridiculed the internet giant as recently as last month for relying on Oracle databases to track transactions and store information, even though Amazon sells competing software, including Redshift, Aurora and DynamoDB. Amazon's effort to end its use of Oracle's products has made new progress, Andy Jassy, the chief executive officer of Amazon Web Services, tweeted Friday. "In latest episode of 'uh huh, keep talkin' Larry,' Amazon's Consumer business turned off its Oracle data warehouse Nov. 1 and moved to Redshift," Jassy wrote. By the end of 2018, Amazon will stop using 88 percent of its Oracle databases, including 97 percent of its mission-critical databases, he added.
China

Oracle Says China Telecom Has Misdirected Internet Traffic, Including Out of the US, in Recent Years (zdnet.com) 58

Oracle's Internet Intelligence division has confirmed today the findings of a recently published academic paper that accused China of "hijacking the vital internet backbone of western countries." From a report: The research paper was authored by researchers from the US Naval War College and Tel Aviv University and it made quite a few waves online after it was published. Researchers accused China Telecom, one of China's biggest state-owned internet service providers, of hijacking and detouring internet traffic through its normally-closed internet infrastructure. Some security experts contested the research paper's findings because it didn't come from an authoritative voice in the world of internet BGP hijacks, but also because the paper touched on many politically sensitive topics, such as China's cyber-espionage activities and how China used BGP hijacks as a way to circumvent the China-US cyber pact of 2015. But today, Doug Madory, Director of Oracle's Internet Analysis division (formerly Dyn), confirmed that China Telecom has, indeed, engaged in internet traffic "misdirection." "I don't intend to address the paper's claims around the motivations of these actions," said Madory. "However, there is truth to the assertion that China Telecom (whether intentionally or not) has misdirected internet traffic (including out of the United States) in recent years."
Microsoft

Microsoft Defends Bid for $10B Pentagon Cloud Contract Amid Criticism Over Government Use of Technology (geekwire.com) 68

Microsoft said Friday it will not pull out of the competition for a $10 billion cloud contract for the Department of Defense, despite growing concerns about private companies selling new technologies to the federal government. From a report: The Redmond, Wash., company defended its position in a blog post Friday, claiming that technologists should be involved in government adoption of new innovations to ensure they are not misused. Microsoft President Brad Smith wrote in the post that "to withdraw from this market is to reduce our opportunity to engage in the public debate about how new technologies can best be used in a responsible way." He decided to share publicly sentiments that he and Microsoft CEO Satya Nadella discussed at a monthly Q&A with employees Thursday. "We want the people of this country and especially the people who serve this country to know that we at Microsoft have their back," Smith wrote. "They will have access to the best technology that we create." Smith's defense comes days after an unspecified number of Microsoft employees urged the company to not bid on the Project JEDI.

Further reading: Oracle Trying Hard To Make Sure Pentagon Knows Amazon Isn't the Only Cloud Around; Google Drops Out of Pentagon's $10 Billion Cloud Competition; Jeff Bezos Defends Big Tech Working with Department of Defense.
Cloud

Amazon's Move Off Oracle Caused Prime Day Outage in One of its Biggest Warehouses, Internal Report Says (cnbc.com) 130

Amazon is learning how hard it can be to move off of Oracle's database software. From a report: On Prime Day, while the e-retailer was dealing with a major website glitch that slowed sales, the company was also dealing with a technical problem in Ohio at one of its biggest warehouses, leading to thousands of delayed package deliveries, according to an internal report obtained by CNBC. The problem was in large part due to Amazon's migration from Oracle's database to its own technology, the documents show. The outage underscores the challenge Amazon faces as it looks to move completely off Oracle's database by 2020, and how difficult it is to re-create that level of reliability. It also shows that Oracle's database is more efficient in some aspects than Amazon's rival software, a point that Oracle will likely emphasize during this week's annual OpenWorld conference in San Francisco.
Windows

Windows 10 Will Banish Spectre Slowdowns With Google's Retpoline Patch (zdnet.com) 61

Microsoft is including Google's mitigation for the Spectre Variant 2 speculative execution side-channel attack in the next release of Windows 10, currently codenamed 19H1. ZDNet reports: Google developed a software-based mitigation for Spectre Variant 2 called Retpoline that constrains speculative execution behavior sufficiently to mitigate an attack. Google's testing found its fix had a negligible effect on performance. Retpoline was implemented by Linux distributions such as Red Hat and SUSE, as well as by Oracle for Oracle Linux 6 and 7. And now, as MSPoweruser spotted, Microsoft's kernel engineers have confirmed that Retpoline will be part of the next version of Windows 10, 19H1, which is due out next year. Google's Retpoline plus Microsoft's own kernel modifications have reduced the performance impact to "noise level", according to Mehmet Iyigun of Microsoft's Windows and Azure kernel team. "Yes, we have enabled Retpoline by default in our 19H1 flights along with what we call 'import optimization' to further reduce perf impact due to indirect calls in kernel-mode. Combined, these reduce the perf impact of Spectre v2 mitigations to noise-level for most scenarios," wrote Iyigun.

"The bad news is that Microsoft didn't include the Retpoline fix in the latest Windows 10 October 2018 Update Redstone 5, or RS5, release, even though, according to CrowdStrike researcher Alex Ionescu, it could have," reports ZDNet.
Open Source

Apache OpenOffice, the Schrodinger's Application: No One Knows If It's Dead or Alive, No One Really Wants To Look Inside (theregister.co.uk) 98

British IT news outlet The Register looks at the myriad of challenges Apache OpenOffice faces today. From the report: Last year Brett Porter, then chairman of the Apache Software Foundation, contemplated whether a proposed official blog post on the state of Apache OpenOffice (AOO) might discourage people from downloading the software due to lack of activity in the project. No such post from the software's developers surfaced. The languid pace of development at AOO, though, has been an issue since 2011 after Oracle (then patron of the project) got into a fork-fight with The Document Foundation, which created LibreOffice from the OpenOffice codebase, and asked developers backing the split to resign.

Back in 2015, Red Hat developer Christian Schaller called OpenOffice "all but dead." Assertions to that effect have continued since, alongside claims to the contrary. Almost a year ago, Jim Jagielski, a member of the Apache OpenOffice Project Management Committee, insisted things were going well and claimed there was renewed interest in the project. For all the concern about AOO, no issues have been raised recently before the Apache Foundation board to suggest ongoing difficulties. The project is due to provide an update this month, according to a spokesperson for the foundation.

Bug

Intel Blocked Collaboration On Spectre/Meltdown Fixes, Says Linux Kernel Developer (eweek.com) 83

This week in Vancouver, Linux kernel developer Greg Kroah-Hartman criticized Intel's slow initial response to the Spectre and Meltdown bugs in a talk at the Open Source Summit North America. An anonymous reader quotes eWeek: Kroah-Hartman said that when Intel finally decided to tell Linux developers, the disclosure was siloed.... "Intel siloed SUSE, they siloed Red Hat, they siloed Canonical. They never told Oracle, and they wouldn't let us talk to each other." For an initial set of vulnerabilities, Kroah-Hartman said the different Linux vendors typically work together. However, in this case they ended up working on their own, and each came up with different solutions. "It really wasn't working, and a number of us kernel developers yelled at [Intel] and pleaded, and we finally got them to allow us to talk to each other the last week of December [2017]," he said. "All of our Christmas vacations were ruined. This was not good. Intel really messed up on this," Kroah-Hartman said...

"The majority of the world runs Debian or they run their own kernel," Kroah-Hartman said. "Debian was not allowed to be part of the disclosure, so the majority of the world was caught with their pants down, and that's not good." To Intel's credit, Kroah-Hartman said that after Linux kernel developers complained loudly to the company in December 2017 and into January 2018, it fixed its disclosure process for future Meltdown- and Spectre-related vulnerabilities... "Intel has gotten better at this," he said.

An interesting side effect of the Meltdown and Spectre vulnerabilities is that Linux and Windows developers are now working together, since both operating systems face similar risks from the CPU vulnerabilities. "Windows and Linux kernel developers now have this wonderful back channel. We're talking to each other and we're fixing bugs for each other," Kroah-Hartman said. "We are working well together. We have always wanted that."

Oracle

Oracle Trying Hard To Make Sure Pentagon Knows Amazon Isn't the Only Cloud Around (theregister.co.uk) 72

The Pentagon is no longer taking questions on its controversial cloud contract after making last-minute amendments to the deal -- and has received another complaint from disgruntled prospective bidder Oracle. The Register adds: The Joint Enterprise Defense Infrastructure (JEDI) contract has a massive scope, covering different levels of secrecy and classification across all branches of the US military, and a massive budget, being worth a potential $10bn for a maximum of 10 years. Unsurprisingly, it has garnered similar levels of interest and complaint. Most criticism focused on the decision to hand the deal to a single vendor amid speculation that AWS would be a shoo-in. Would-be bidder -- and longtime AWS rival -- Oracle filed an official complaint with US government at the start of the month, arguing a single vendor would lock the Department of Defense into "legacy cloud" and went against its purported commitment to innovation and competition. It has now filed a supplementary protest with the Government Accountability Office (GAO), which is not yet public but is likely to be an exchange of information and documents. The filing coincided with the Pentagon updating the terms of the JEDI deal, which it said came after engagement with industry after the previous request for proposals (RFP) was published.
Google

Google's Data Collection is Hard To Escape, Study Claims (cnn.com) 100

Citing a report [PDF] published on Tuesday by Digital Content Next and Vanderbilt University, CNN writes that "short of chucking your phone into the river, shunning the internet, and learning to read paper maps again, there's not much you can do to keep Google from collecting data about you." From the report: So says a Vanderbilt University computer scientist who led an analysis of Google's data collection practices. His report, released Tuesday, outlines a myriad ways the company amasses information about the billions of people who use the world's leading search engine, web browser, and mobile operating system, not to mention products like Gmail, platforms like YouTube, and products like Nest. Although the report doesn't contain any bombshells, it presents an overview of Google's efforts to learn as much as possible about people.

[...] Google collects far more data than Facebook, according to the report, and it is the world's largest digital advertising company. Its vast portfolio of services, from Android to Google Search to Chrome to Google Pay, create a firehose of data. Professor Douglas Schmidt and his team intercepted data as it was transmitted from Android smartphones to Google servers. They also examined the information Google provides users in its My Activity and Google Takeout tools, as well as the company's privacy policies and previous research on the topic. The researchers claim that almost every move you make online is collected and collated, from your morning routine (such as music tastes, route to work, and news preferences) to errands (including calendar appointments, webpages visited, and purchases made). "At the end of the day, Google identified user interests with remarkable accuracy," the report states.
In a statement, Google said, "This report is commissioned by a professional DC lobbyist group, and written by a witness for Oracle in their ongoing copyright litigation with Google. So, it's no surprise that it contains wildly misleading information."
Oracle

Oracle Accused of Defrauding Investors On Cloud Sales Growth (bloomberg.com) 65

An anonymous reader quotes a report from Bloomberg: Oracle is named in a lawsuit alleging the company's executives lied to shareholders when they explained why cloud sales were growing. The investor leading the case, the City of Sunrise Firefighters' Pension Fund, claimed Oracle engaged in coercion and threats to sell its cloud-computing products, creating an unsustainable model that fell apart, according to the suit seeking class-action status and filed Friday in San Jose, California. The Florida-based firefighter pension fund and other investors lost money when Oracle's stock plummeted in March after reporting a disappointing earnings report and outlook, according to the lawsuit.

The suit claimed that Oracle's executives lied in forward-looking statements, which are never guaranteed, during earnings calls and at investor conferences in 2017 when they said customers were rapidly adopting their cloud-based products and cloud sales would accelerate. The firefighter pension, which manages about $143 million for 235 participants, alleged that Oracle used software license audits and weakened existing maintenance programs to compel customers to buy the cloud products.

Cloud

Oracle Challenges Pentagon's $10 Billion Cloud Computing Contract (theregister.co.uk) 101

Oracle has filed an official complaint with the U.S. government over plans to award the Pentagon's lucrative cloud contract to a single vendor. Rebecca Hill writes via The Register: The Joint Enterprise Defense Infrastructure (JEDI) contract, which has a massive scope, covering different levels of secrecy and classification across all branches of the military, will run for a maximum of 10 years and is worth a potential $10 billion. In spite of this pressure from vendors and the tech lobby -- as well as concerns from Congress -- the US Department of Defense (DoD) refused to budge, and launched a request for proposals (RFP) at the end of last month. Oracle is less than impressed with the Pentagon's failure to back down, and this week filed a bid protest to congressional watchdog the Government Accountability Office asking for the RFP to be amended.

In the protest, the database goliath sets out its arguments against a single vendor award -- broadly that it could damage innovation, competition, and security. Reading between the lines, it doesn't want either of Amazon or Microsoft or Google to get the whole pie to itself, and thus endanger Oracle's cosiness with Uncle Sam. Summing up its position in a statement to The Register, Oracle said that JEDI "virtually assures DoD will be locked into legacy cloud for a decade or more" at a time when cloud technology is changing at an unprecedented pace.

Security

Let's Encrypt Is Now Officially Trusted by All Major Root Certificates (bleepingcomputer.com) 92

Let's Encrypt has announced that it is now directly trusted by all major root certificates including those from Microsoft, Google, Apple, Mozilla, Oracle, and Blackberry. With this announcement, Let's Encrypt is now directly trusted by all major browsers and operating systems. From a report: While Let's Encrypt has already been trusted by almost all browsers, it was done so through intermediate certificates that were cross-signed by IdenTrust. As IdenTrust was directly trusted by all major browser vendors and operating systems, it also allowed Let's Encrypt to be trusted as well. With Let's Encrypt now being directly trusted, if there is ever a problem with IdenTrust and they themselves become untrusted, Let's Encrypt users will still be able to function properly.
Oracle

Amazon Plans To Move Completely Off Oracle Software By Early 2020 (cnbc.com) 138

Amazon plans to be completely off Oracle's proprietary database software by the first quarter of 2020, reports CNBC. The plans come after the company moved most of its infrastructure internally to Amazon Web Services. From the report: Amazon began moving off Oracle about four or five years ago, said one of the people, who asked not to be named because the project is confidential. Some parts of Amazon's core shopping business still rely on Oracle, the person said, and the full migration should wrap up in about 14 to 20 months. Another person said that Amazon had been considering a departure from Oracle for years before the transition began but decided at the time that it would require too much engineering work with perhaps too little payoff. The primary issue Amazon has faced on Oracle is the inability for the database technology to scale to meet Amazon's performance needs, a person familiar with the matter said. Another person, who said the move could be completed by mid-2019, added that there hasn't been any development of new technology relying on Oracle databases for quite a while.
Java

Oracle Plans To Switch Businesses to Subscriptions for Java SE (infoworld.com) 217

A reminder for commenters: non-commercial use of Java remains free. An anonymous reader quotes InfoWorld: Oracle has revamped its commercial support program for Java SE (Standard Edition), opting for a subscription model instead of one that has had businesses paying for a one-time perpetual license plus an annual support fee... It is required for Java SE 8, and includes support for Java SE 7. (As of January 2019, Oracle will require a subscription for businesses to continue getting updates to Java SE 8.)

The price is $25 per month per processor for servers and cloud instances, with volume discounts available. For PCs, the price starts at $2.50 per month per user, again with volume discounts. One-, two-, and three-year subscriptions are available... The previous pricing for the Java SE Advanced program cost $5,000 for a license for each server processor plus a $1,100 annual support fee per server processor, as well as $110 one-time license fee per named user and a $22 annual support fee per named user (each processor has a ten-user minimum)...

If users do not renew a subscription, they lose rights to any commercial software downloaded during the subscription. Access to Oracle Premier Support also ends. Oracle recommends that those choosing not to renew transition to OpenJDK binaries from the company, offered under the GPL, before their subscription ends. Doing so will let users keep running applications uninterrupted.

Oracle's senior director of product management stresses that the company is "working to make the Oracle JDK and OpenJDK builds from Oracle interchangeable -- targeting developers and organisations that do not want commercial support or enterprise management tools."
