Amazon is learning how hard it can be to move off of Oracle's database software. From a report: On Prime Day, while the e-retailer was dealing with a major website glitch that slowed sales, the company was also dealing with a technical problem in Ohio at one of its biggest warehouses, leading to thousands of delayed package deliveries, according to an internal report obtained by CNBC. The problem was in large part due to Amazon's migration from Oracle's database to its own technology, the documents show. The outage underscores the challenge Amazon faces as it looks to move completely off Oracle's database by 2020, and how difficult it is to re-create that level of reliability. It also shows that Oracle's database is more efficient in some aspects than Amazon's rival software, a point that Oracle will likely emphasize during this week's annual OpenWorld conference in San Francisco.

Microsoft is including Google's mitigation for the Spectre Variant 2 speculative execution side-channel attack in the next release of Windows 10, currently codenamed 19H1. ZDNet reports: Google developed a software-based mitigation for Spectre Variant 2 called Retpoline that constrains speculative execution behavior sufficiently to mitigate an attack. Google's testing found its fix had a negligible effect on performance. Retpoline was implemented by Linux distributions such as Red Hat and SUSE, as well as by Oracle for Oracle Linux 6 and 7. And now, as MSPoweruser spotted, Microsoft's kernel engineers have confirmed that Retpoline will be part of the next version of Windows 10, 19H1, which is due out next year. Google's Retpoline plus Microsoft's own kernel modifications have reduced the performance impact to "noise level", according to Mehmet Iyigun of Microsoft's Windows and Azure kernel team. "Yes, we have enabled Retpoline by default in our 19H1 flights along with what we call 'import optimization' to further reduce perf impact due to indirect calls in kernel-mode. Combined, these reduce the perf impact of Spectre v2 mitigations to noise-level for most scenarios," wrote Iyigun.

"The bad news is that Microsoft didn't include the Retpoline fix in the latest Windows 10 October 2018 Update Redstone 5, or RS5, release, even though, according to CrowdStrike researcher Alex Ionescu, it could have," reports ZDNet.

British IT news outlet The Register looks at the myriad of challenges Apache OpenOffice faces today. From the report: Last year Brett Porter, then chairman of the Apache Software Foundation, contemplated whether a proposed official blog post on the state of Apache OpenOffice (AOO) might discourage people from downloading the software due to lack of activity in the project. No such post from the software's developers surfaced. The languid pace of development at AOO, though, has been an issue since 2011 after Oracle (then patron of the project) got into a fork-fight with The Document Foundation, which created LibreOffice from the OpenOffice codebase, and asked developers backing the split to resign.

Back in 2015, Red Hat developer Christian Schaller called OpenOffice "all but dead." Assertions to that effect have continued since, alongside claims to the contrary. Almost a year ago, Jim Jagielski, a member of the Apache OpenOffice Project Management Committee, insisted things were going well and claimed there was renewed interest in the project. For all the concern about AOO, no issues have been raised recently before the Apache Foundation board to suggest ongoing difficulties. The project is due to provide an update this month, according to a spokesperson for the foundation.

This week in Vancouver, Linux kernel developer Greg Kroah-Hartman criticized Intel's slow initial response to the Spectre and Meltdown bugs in a talk at the Open Source Summit North America. An anonymous reader quotes eWeek: Kroah-Hartman said that when Intel finally decided to tell Linux developers, the disclosure was siloed.... "Intel siloed SUSE, they siloed Red Hat, they siloed Canonical. They never told Oracle, and they wouldn't let us talk to each other." For an initial set of vulnerabilities, Kroah-Hartman said the different Linux vendors typically work together. However, in this case they ended up working on their own, and each came up with different solutions. "It really wasn't working, and a number of us kernel developers yelled at [Intel] and pleaded, and we finally got them to allow us to talk to each other the last week of December [2017]," he said. "All of our Christmas vacations were ruined. This was not good. Intel really messed up on this," Kroah-Hartman said...

"The majority of the world runs Debian or they run their own kernel," Kroah-Hartman said. "Debian was not allowed to be part of the disclosure, so the majority of the world was caught with their pants down, and that's not good." To Intel's credit, Kroah-Hartman said that after Linux kernel developers complained loudly to the company in December 2017 and into January 2018, it fixed its disclosure process for future Meltdown- and Spectre-related vulnerabilities... "Intel has gotten better at this," he said.

An interesting side effect of the Meltdown and Spectre vulnerabilities is that Linux and Windows developers are now working together, since both operating systems face similar risks from the CPU vulnerabilities. "Windows and Linux kernel developers now have this wonderful back channel. We're talking to each other and we're fixing bugs for each other," Kroah-Hartman said. "We are working well together. We have always wanted that."

The Pentagon is no longer taking questions on its controversial cloud contract after making last-minute amendments to the deal -- and has received another complaint from disgruntled prospective bidder Oracle. The Register adds: The Joint Enterprise Defense Infrastructure (JEDI) contract has a massive scope, covering different levels of secrecy and classification across all branches of the US military, and a massive budget, being worth a potential $10bn for a maximum of 10 years. Unsurprisingly, it has garnered similar levels of interest and complaint. Most criticism focused on the decision to hand the deal to a single vendor amid speculation that AWS would be a shoo-in. Would-be bidder -- and longtime AWS rival -- Oracle filed an official complaint with US government at the start of the month, arguing a single vendor would lock the Department of Defense into "legacy cloud" and went against its purported commitment to innovation and competition. It has now filed a supplementary protest with the Government Accountability Office (GAO), which is not yet public but is likely to be an exchange of information and documents. The filing coincided with the Pentagon updating the terms of the JEDI deal, which it said came after engagement with industry after the previous request for proposals (RFP) was published.

Citing a report [PDF] published on Tuesday by Digital Content Next and Vanderbilt University, CNN writes that "short of chucking your phone into the river, shunning the internet, and learning to read paper maps again, there's not much you can do to keep Google from collecting data about you." From the report: So says a Vanderbilt University computer scientist who led an analysis of Google's data collection practices. His report, released Tuesday, outlines a myriad ways the company amasses information about the billions of people who use the world's leading search engine, web browser, and mobile operating system, not to mention products like Gmail, platforms like YouTube, and products like Nest. Although the report doesn't contain any bombshells, it presents an overview of Google's efforts to learn as much as possible about people.

[...] Google collects far more data than Facebook, according to the report, and it is the world's largest digital advertising company. Its vast portfolio of services, from Android to Google Search to Chrome to Google Pay, create a firehose of data. Professor Douglas Schmidt and his team intercepted data as it was transmitted from Android smartphones to Google servers. They also examined the information Google provides users in its My Activity and Google Takeout tools, as well as the company's privacy polices and previous research on the topic. The researchers claims that almost every move you make online is collected and collated, from your morning routine (such as music tastes, route to work, and news preferences) to errands (including calendar appointments, webpages visited, and purchases made). "At the end of the day, Google identified user interests with remarkable accuracy," the report states. In a statement, Google said, "This report is commissioned by a professional DC lobbyist group, and written by a witness for Oracle in their ongoing copyright litigation with Google. So, it's no surprise that it contains wildly misleading information."

An anonymous reader quotes a report from Bloomberg: Oracle is named in a lawsuit alleging the company's executives lied to shareholders when they explained why cloud sales were growing. The investor leading the case, the City of Sunrise Firefighters' Pension Fund, claimed Oracle engaged in coercion and threats to sell its cloud-computing products, creating an unsustainable model that fell apart, according to the suit seeking class-action status and filed Friday in San Jose, California. The Florida-based firefighter pension fund and other investors lost money when Oracle's stock plummeted in March after reporting a disappointing earnings report and outlook, according to the lawsuit.

The suit claimed that Oracle's executives lied in forward-looking statements, which are never guaranteed, during earnings calls and at investor conferences in 2017 when they said customers were rapidly adopting their cloud-based products and cloud sales would accelerate. The firefighter pension, which manages about $143 million for 235 participants, alleged that Oracle used software license audits and weakened existing maintenance programs to compel customers to buy the cloud products.

Oracle has filed an official complaint with the U.S. government over plans to award the Pentagon's lucrative cloud contract to a single vendor. Rebecca Hill writes via The Register: The Joint Enterprise Defense Infrastructure (JEDI) contract, which has a massive scope, covering different levels of secrecy and classification across all branches of the military, will run for a maximum of 10 years and is worth a potential $10 billion. In spite of this pressure from vendors and the tech lobby -- as well as concerns from Congress -- the US Department of Defense (DoD) refused to budge, and launched a request for proposals (RFP) at the end of last month. Oracle is less than impressed with the Pentagon's failure to back down, and this week filed a bid protest to congressional watchdog the Government Accountability Office asking for the RFP to be amended.

In the protest, the database goliath sets out its arguments against a single vendor award -- broadly that it could damage innovation, competition, and security. Reading between the lines, it doesn't want either of Amazon or Microsoft or Google to get the whole pie to itself, and thus endanger Oracle's cosiness with Uncle Sam. Summing up its position in a statement to The Register, Oracle said that JEDI "virtually assures DoD will be locked into legacy cloud for a decade or more" at a time when cloud technology is changing at an unprecedented pace.

Let's Encrypt has announced that it is now directly trusted by all major root certificates including those from Microsoft, Google, Apple, Mozilla, Oracle, and Blackberry. With this announcement, Let's Encrypt is now directly trusted by all major browsers and operating systems. From a report: While Let's Encrypt has already been trusted by almost all browsers, it was done so through intermediate certificate that were cross-signed by IdenTrust. As IdenTrust was directly trusted by all major browser vendors and operating systems, it also allowed Let's Encrypt to be trusted as well. With Let's Encrypt now being directly trusted, if there is ever a problem with IdenTrust and they themselves become untrusted, Let's Encrypt users will still be able to function properly.

Amazon plans to be completely off Oracle's proprietary database software by the first quarter of 2020, reports CNBC. The plans come after the company moved most of its infrastructure internally to Amazon Web Services. From the report: Amazon began moving off Oracle about four or five years ago, said one of the people, who asked not to be named because the project is confidential. Some parts of Amazon's core shopping business still rely on Oracle, the person said, and the full migration should wrap up in about 14 to 20 months. Another person said that Amazon had been considering a departure from Oracle for years before the transition began but decided at the time that it would require too much engineering work with perhaps too little payoff. The primary issue Amazon has faced on Oracle is the inability for the database technology to scale to meet Amazon's performance needs, a person familiar with the matter said. Another person, who said the move could be completed by mid-2019, added that there hasn't been any development of new technology relying on Oracle databases for quite a while.

A reminder for commenters: non-commercial use of Java remains free. An anonymous reader quotes InfoWorld: Oracle has revamped its commercial support program for Java SE (Standard Edition), opting for a subscription model instead of one that has had businesses paying for a one-time perpetual license plus an annual support fee... It is required for Java SE 8, and includes support for Java SE 7. (As of January 2019, Oracle will require a subscription for businesses to continue getting updates to Java SE 8.)

The price is $25 per month per processor for servers and cloud instances, with volume discounts available. For PCs, the price starts at $2.50 per month per user, again with volume discounts. One-, two-, and three-year subscriptions are available... The previous pricing for the Java SE Advanced program cost $5,000 for a license for each server processor plus a $1,100 annual support fee per server processor, as well as $110 one-time license fee per named user and a $22 annual support fee per named user (each processor has a ten-user minimum)...

If users do not renew a subscription, they lose rights to any commercial software downloaded during the subscription. Access to Oracle Premier Support also ends. Oracle recommends that those choosing not to renew transition to OpenJDK binaries from the company, offered under the GPL, before their subscription ends. Doing so will let users keep running applications uninterrupted.
Oracle's senior director of product management stresses that the company is "working to make the Oracle JDK and OpenJDK builds from Oracle interchangeable -- targeting developers and organisations that do not want commercial support or enterprise management tools."

Kesha Williams, reporting for InfoQ (shared by numerous readers): The Java Mission Control suite of tools, also known as JMC, was open sourced by Oracle on May 3rd to much applause and excitement from the Java development community. The excitement was replaced with unease as sources reported that the entire JMC development team had been laid off. JMC is a well-known profiling and diagnostics tools suite for the Java Virtual Machine (JVM) primarily targeting systems running in production. It is used by developers to gather detailed low-level information about how the JVM and the Java application are behaving. The official open source announcement came on May 5th from Marcus Hirt, a member of the Java Platform Group at Oracle. "Just wanted to say thank you to everyone who helped open source Java Mission Control in the relatively short period of time it was done in." According to Hirt, the intent behind open sourcing JMC was to provide the community with the opportunity to add new features and capabilities to the tools suite.

Yhcrana writes: Considering the video in the story makes it pretty simple, this is not something I would like to have happen. Apparently it is a flaw in the libraries that are being used by Oracle, Apache, and others. The Register reports: "Booby-trapped archive files can exploit vulnerabilities in a swath of software to overwrite documents and data elsewhere on a computer's file system -- and potentially execute malicious code. Specifically, the flaws, dubbed "Zip Slip" by its discoverers at security outfit Snyk, is a path traversal flaw that can potentially be exploited to perform arbitrary code execution attacks. It affects .zip, .bz2, .tar, .xz, .war, .cpio, and .7z archives.

The bugs, according to Snyk, lie in code that unpacks compressed archives, hence the "Zip Slip" title. When software does not properly check and sanitize file names within the archive, attackers can set the destination path for an unpacked file to an existing folder or file elsewhere on a system. When that file is extracted, it will overwrite the existing data in that same path."

An anonymous reader shares a report: Oracle's aggressive sales tactics are turning off customers, setting a roadblock in the company's race to catch up with Amazon Web Services in the cloud, according to a report on The Information. [Editor's note: the link may be paywalled; alternative source]. Oracle is threatening customers of its on-premises software with potentially expensive usage audits and strongly suggesting those customers could solve their problems by moving to the cloud, The Information says. But the tactic is backfiring. "Several big Oracle customers, including oil and gas exploration company Halliburton, toy maker Mattel and electricity provider Edison Southern California, have recently rejected big cloud services deals proposed by Oracle, according to an Oracle employee with knowledge of the situation," the publication reported. "Oracle representatives had suggested the customers strike the deals to avoid expensive audits of how they were using Oracle software, according to the employee. Instead, that approach to selling cloud is irritating customers," it added.

An anonymous reader quotes InfoWorld: Oracle plans to drop from Java its serialization feature that has been a thorn in the side when it comes to security. Also known as Java object serialization, the feature is used for encoding objects into streams of bytes... Removing serialization is a long-term goal and is part of Project Amber, which is focused on productivity-oriented Java language features, says Mark Reinhold, chief architect of the Java platform group at Oracle.

To replace the current serialization technology, a small serialization framework would be placed in the platform once records, the Java version of data classes, are supported. The framework could support a graph of records, and developers could plug in a serialization engine of their choice, supporting formats such as JSON or XML, enabling serialization of records in a safe way. But Reinhold cannot yet say which release of Java will have the records capability. Serialization was a "horrible mistake" made in 1997, Reinhold says. He estimates that at least a third -- maybe even half -- of Java vulnerabilities have involved serialization. Serialization overall is brittle but holds the appeal of being easy to use in simple use cases, Reinhold says.

wyattstorch516 shared this story from the AP: Microsoft Corp. said it's secured a lucrative cloud deal with the intelligence community that marks a rapid expansion by the software giant into a market led by Amazon.com Inc. The deal, which the company said Wednesday is worth hundreds of millions of dollars, allows 17 intelligence agencies and offices to use Microsoft's Azure Government, a cloud service tailored for federal and local governments, in addition to other products Microsoft already offers, such as its Windows 10 operating system and word processing programs.

The cloud agreement gives Microsoft more power to make its case to the Pentagon as it goes up against competitors like International Business Machines Corp., Oracle Corp. and Amazon for the agency's winner-take-all cloud computing contract for up to 10 years.
That contract is expected to be worth billions of dollars, according to the article, adding that "the Defense Department has said it intends to move the department's technology needs -- 3.4 million users and 4 million devices -- to the cloud to give it a tactical edge on the battlefield and strengthen its use of emerging technologies."

One Microsoft executive said this week's deal reinforces "the fact that we are a solid cloud platform that the federal government can put their trust in."

An anonymous reader quotes InfoWorld: Further clarifying its ongoing support plans for Java SE 8, Oracle will require businesses to have a commercial license to get updates after January 2019. In an undated bulletin about the revision, Oracle said public updates for Java SE 8 released after January 2019 will not be available for business, commercial, or production use without a commercial license. However, public updates for Java SE 8 will be available for individual, personal use through at least the end of 2020.

Oracle advises enterprises to review the Oracle Java SE Support Roadmap to assess support requirements to migrate to a later release or obtain a commercial license... Oracle advises developers to review roadmaps for Java SE 8 and beyond and take appropriate action based on their application and its distribution model.

Amazon lost control of some of its widely used cloud services for two hours on Tuesday morning when hackers exploited a known Internet-protocol weakness that allowed them to redirect traffic to rogue destinations, according to media reports. ArsTechnica: The attackers appeared to use one server masquerading as cryptocurrency website MyEtherWallet.com to steal digital coins from unwitting end users. They may have targeted other customers of Amazon's Route 53 service as well. The incident, which started around 6am California time, hijacked roughly 1,300 IP addresses, Oracle-owned Internet Intelligence said on Twitter. The malicious redirection was caused by fraudulent routes that were announced by Columbus, Ohio-based eNet, a large Internet service provider that is referred to as autonomous system 10297. Once in place, the eNet announcement caused some of its peers to send traffic over the same unauthorized routes. [...] Tuesday's event may also have ties to Russia, because MyEtherWallet traffic was redirected to a server in that country, security researcher Kevin Beaumont said in a blog post. The redirection came by rerouting domain name system traffic and using a server hosted by Chicago-based Equinix to perform a man-in-the-middle attack. MyEtherWallet officials said the hijacking was used to send end users to a phishing site. Participants in this cryptocurrency forum appear to discuss the scam site. Further reading: Hacker Hijacks DNS Server of MyEtherWallet to Steal $160,000 (BleepingComputer).

Over 30 major technology companies, led by Microsoft and Facebook, on Tuesday announced what they are calling the Cybersecurity Tech Accord, a set of principles that include a declaration that they will not help any government -- including that of the United States -- mount cyberattacks against "innocent civilians and enterprises from anywhere."

The companies that are participating in the initiative are: ABB, Arm, Avast, Bitdefender, BT, CA Technologies, Cisco, Cloudflare, DataStax, Dell, DocuSign, Facebook, Fastly, FireEye, F-Secure, GitHub, Guardtime, HP Inc., HPE, Intuit, Juniper Networks, LinkedIn, Microsoft, Nielsen, Nokia, Oracle, RSA, SAP, Stripe, Symantec, Telefonica, Tenable, Trend Micro, and VMware.

The announcement comes at the backdrop of a growing momentum in political and industry circles to create a sort of Digital Geneva Convention that commits the entire tech industry and governments to supporting a free and secure internet. The effort comes after attacks such as WannaCry and NotPetya hobbled businesses around the world last year, and just a day after the U.S. and U.K. issued an unprecedented joint alert citing the threat of cyberattacks from Russian state-sponsored actors. The Pentagon has said Russian "trolling" activity increased 2,000 percent after missile strikes in Syria.

Interestingly, Amazon, Apple, Google, and Twitter are not participating in the program, though the Tech Accord says it "remains open to consideration of new private sector signatories, large or small and regardless of sector."

The West African nation of Mauritania lost all internet access for 48 hours due to an undersea cable break, according to infrastructure analysts. From a report: The break, which took place a couple weeks ago, provides a reminder of how much internet users rely on the cables that connect their countries. According to Dyn, the Oracle-owned internet performance firm, the African Coast to Europe (ACE) cable was cut near Noukachott in Mauritania on March 30. It's not clear what caused the break, but six countries entirely rely on that one cable for their connectivity, and all -- Sierra Leone, Mauritania, Liberia, Guinea-Bissau, Guinea and the Gambia -- saw a big impact. The impact in Mauritania was the worst, with its two-day outage, while Sierra Leone also had big problems. The latter country also had a big outage on April 1, but that may well have been down to government action -- African governments are notorious for interfering with citizens' internet access, particularly around election time or during periods of unrest.