Yhcrana writes: Considering the video in the story makes it pretty simple, this is not something I would like to have happen. Apparently it is a flaw in the libraries that are being used by Oracle, Apache, and others. The Register reports: "Booby-trapped archive files can exploit vulnerabilities in a swath of software to overwrite documents and data elsewhere on a computer's file system -- and potentially execute malicious code. Specifically, the flaws, dubbed "Zip Slip" by its discoverers at security outfit Snyk, is a path traversal flaw that can potentially be exploited to perform arbitrary code execution attacks. It affects .zip, .bz2, .tar, .xz, .war, .cpio, and .7z archives.

The bugs, according to Snyk, lie in code that unpacks compressed archives, hence the "Zip Slip" title. When software does not properly check and sanitize file names within the archive, attackers can set the destination path for an unpacked file to an existing folder or file elsewhere on a system. When that file is extracted, it will overwrite the existing data in that same path."

An anonymous reader shares a report: Oracle's aggressive sales tactics are turning off customers, setting a roadblock in the company's race to catch up with Amazon Web Services in the cloud, according to a report on The Information. [Editor's note: the link may be paywalled; alternative source]. Oracle is threatening customers of its on-premises software with potentially expensive usage audits and strongly suggesting those customers could solve their problems by moving to the cloud, The Information says. But the tactic is backfiring. "Several big Oracle customers, including oil and gas exploration company Halliburton, toy maker Mattel and electricity provider Edison Southern California, have recently rejected big cloud services deals proposed by Oracle, according to an Oracle employee with knowledge of the situation," the publication reported. "Oracle representatives had suggested the customers strike the deals to avoid expensive audits of how they were using Oracle software, according to the employee. Instead, that approach to selling cloud is irritating customers," it added.

An anonymous reader quotes InfoWorld: Oracle plans to drop from Java its serialization feature that has been a thorn in the side when it comes to security. Also known as Java object serialization, the feature is used for encoding objects into streams of bytes... Removing serialization is a long-term goal and is part of Project Amber, which is focused on productivity-oriented Java language features, says Mark Reinhold, chief architect of the Java platform group at Oracle.

To replace the current serialization technology, a small serialization framework would be placed in the platform once records, the Java version of data classes, are supported. The framework could support a graph of records, and developers could plug in a serialization engine of their choice, supporting formats such as JSON or XML, enabling serialization of records in a safe way. But Reinhold cannot yet say which release of Java will have the records capability. Serialization was a "horrible mistake" made in 1997, Reinhold says. He estimates that at least a third -- maybe even half -- of Java vulnerabilities have involved serialization. Serialization overall is brittle but holds the appeal of being easy to use in simple use cases, Reinhold says.

wyattstorch516 shared this story from the AP: Microsoft Corp. said it's secured a lucrative cloud deal with the intelligence community that marks a rapid expansion by the software giant into a market led by Amazon.com Inc. The deal, which the company said Wednesday is worth hundreds of millions of dollars, allows 17 intelligence agencies and offices to use Microsoft's Azure Government, a cloud service tailored for federal and local governments, in addition to other products Microsoft already offers, such as its Windows 10 operating system and word processing programs.

The cloud agreement gives Microsoft more power to make its case to the Pentagon as it goes up against competitors like International Business Machines Corp., Oracle Corp. and Amazon for the agency's winner-take-all cloud computing contract for up to 10 years.
That contract is expected to be worth billions of dollars, according to the article, adding that "the Defense Department has said it intends to move the department's technology needs -- 3.4 million users and 4 million devices -- to the cloud to give it a tactical edge on the battlefield and strengthen its use of emerging technologies."

One Microsoft executive said this week's deal reinforces "the fact that we are a solid cloud platform that the federal government can put their trust in."

An anonymous reader quotes InfoWorld: Further clarifying its ongoing support plans for Java SE 8, Oracle will require businesses to have a commercial license to get updates after January 2019. In an undated bulletin about the revision, Oracle said public updates for Java SE 8 released after January 2019 will not be available for business, commercial, or production use without a commercial license. However, public updates for Java SE 8 will be available for individual, personal use through at least the end of 2020.

Oracle advises enterprises to review the Oracle Java SE Support Roadmap to assess support requirements to migrate to a later release or obtain a commercial license... Oracle advises developers to review roadmaps for Java SE 8 and beyond and take appropriate action based on their application and its distribution model.

Amazon lost control of some of its widely used cloud services for two hours on Tuesday morning when hackers exploited a known Internet-protocol weakness that allowed them to redirect traffic to rogue destinations, according to media reports. ArsTechnica: The attackers appeared to use one server masquerading as cryptocurrency website MyEtherWallet.com to steal digital coins from unwitting end users. They may have targeted other customers of Amazon's Route 53 service as well. The incident, which started around 6am California time, hijacked roughly 1,300 IP addresses, Oracle-owned Internet Intelligence said on Twitter. The malicious redirection was caused by fraudulent routes that were announced by Columbus, Ohio-based eNet, a large Internet service provider that is referred to as autonomous system 10297. Once in place, the eNet announcement caused some of its peers to send traffic over the same unauthorized routes. [...] Tuesday's event may also have ties to Russia, because MyEtherWallet traffic was redirected to a server in that country, security researcher Kevin Beaumont said in a blog post. The redirection came by rerouting domain name system traffic and using a server hosted by Chicago-based Equinix to perform a man-in-the-middle attack. MyEtherWallet officials said the hijacking was used to send end users to a phishing site. Participants in this cryptocurrency forum appear to discuss the scam site. Further reading: Hacker Hijacks DNS Server of MyEtherWallet to Steal $160,000 (BleepingComputer).

Over 30 major technology companies, led by Microsoft and Facebook, on Tuesday announced what they are calling the Cybersecurity Tech Accord, a set of principles that include a declaration that they will not help any government -- including that of the United States -- mount cyberattacks against "innocent civilians and enterprises from anywhere."

The companies that are participating in the initiative are: ABB, Arm, Avast, Bitdefender, BT, CA Technologies, Cisco, Cloudflare, DataStax, Dell, DocuSign, Facebook, Fastly, FireEye, F-Secure, GitHub, Guardtime, HP Inc., HPE, Intuit, Juniper Networks, LinkedIn, Microsoft, Nielsen, Nokia, Oracle, RSA, SAP, Stripe, Symantec, Telefonica, Tenable, Trend Micro, and VMware.

The announcement comes at the backdrop of a growing momentum in political and industry circles to create a sort of Digital Geneva Convention that commits the entire tech industry and governments to supporting a free and secure internet. The effort comes after attacks such as WannaCry and NotPetya hobbled businesses around the world last year, and just a day after the U.S. and U.K. issued an unprecedented joint alert citing the threat of cyberattacks from Russian state-sponsored actors. The Pentagon has said Russian "trolling" activity increased 2,000 percent after missile strikes in Syria.

Interestingly, Amazon, Apple, Google, and Twitter are not participating in the program, though the Tech Accord says it "remains open to consideration of new private sector signatories, large or small and regardless of sector."

The West African nation of Mauritania lost all internet access for 48 hours due to an undersea cable break, according to infrastructure analysts. From a report: The break, which took place a couple weeks ago, provides a reminder of how much internet users rely on the cables that connect their countries. According to Dyn, the Oracle-owned internet performance firm, the African Coast to Europe (ACE) cable was cut near Noukachott in Mauritania on March 30. It's not clear what caused the break, but six countries entirely rely on that one cable for their connectivity, and all -- Sierra Leone, Mauritania, Liberia, Guinea-Bissau, Guinea and the Gambia -- saw a big impact. The impact in Mauritania was the worst, with its two-day outage, while Sierra Leone also had big problems. The latter country also had a big outage on April 1, but that may well have been down to government action -- African governments are notorious for interfering with citizens' internet access, particularly around election time or during periods of unrest.

An anonymous reader writes: Three of four TERiX executives were sentenced to prison yesterday for a scheme through which they created three fake companies to pirate Oracle firmware patches and Solaris OS updates. By doing this, the execs avoided paying a per-server fee for every Oracle product their company serviced, instead paying for one patch/update alone.

Court documents show that Oracle was aware of the scheme and eventually connected the dots between the fake companies and TERiX when one of the execs downloaded files from Oracle's servers via one of the fake company's accounts from a TERiX IP address. Oracle filed a complaint with the FBI, but also a civil suit. A judge awarded Oracle damages last year totaling $57.423 million. The judge also barred TERiX from servicing Oracle products.

Google could owe Oracle billions of dollars after an appeals court said it didn't have the right to use the Oracle-owned Java programming code in its Android operating system on mobile devices. From a report: Google's use of Java shortcuts to develop Android went too far and was a violation of Oracle's copyrights, the U.S. Court of Appeals for the Federal Circuit ruled. The case was remanded to a federal court in California to determine how much the Alphabet unit should pay.

The dispute is over pre-written directions known as application program interfaces, or APIs, which can work across different types of devices and provide the instructions for things like connecting to the internet or accessing certain types of files. By using the APIs, programmers don't have to write new code from scratch to implement every function in their software or change it for every type of device. The case has divided Silicon Valley for years, testing the boundaries between the rights of those who develop interface code and those who rely on it to develop software programs.

An anonymous reader quotes Application Development Trends: Oracle announced the general availability of Java SE 10 (JDK 10) this week. This release, which comes barely six months after the release of Java SE 9, is the first in the new rapid release cadence Oracle announced late last year. The new release schedule, which the company is calling an "innovation cycle," calls for a feature release every six months, update releases every quarter, and a long-term support (LTS) release every three years. Java 10 is a feature release that obsoletes Java 9. The next LTS release will be Java 11, expected in September. The next LTS version after that will be Java 17, scheduled for release in September 2021...

The six-month feature release cadence is meant to reduce the latency between major releases, explained is Sharat Chander, director of Oracle's Java SE Product Management group, said in a blog post. "This release model takes inspiration from the release models used by other platforms and by various operating-system distributions addressing the modern application development landscape," Chander wrote. "The pace of innovation is happening at an ever-increasing rate and this new release model will allow developers to leverage new features in production as soon as possible. Modern application development expects simple open licensing and a predictable time-based cadence, and the new release model delivers on both."
This release finally adds var to the Java language (though its use is limited to local variables with initializers or declared in a for-loop). It's being added "to improve the developer experience by reducing the ceremony associated with writing Java code, while maintaining Java's commitment to static type safety, by allowing developers to elide the often-unnecessary manifest declaration of local variable type."

An anonymous reader quotes i-Programmer: The results are in for the vote on the new name for Java Enterprise Edition, and unsurprisingly the voters have chosen Jakarta EE. The renaming has to happen because Oracle refused to let the name Java be used. The vote was to choose between two options - 'Jakarta EE' and 'Enterprise Profile'. According to Mike Milinkovich, executive director at the Eclipse Foundation, almost 7,000 people voted, and over 64% voted in favour of Jakarta EE. The other finalist, "Enterprise Profile," came in at just 35.6% of the votes when voted ended last Friday.
"Other Java projects have also been renamed in Eclipse," notes SD Times. "Glassfish is now Eclipse Glassfish. The Java Community Process is now the Eclipse EE.next Working Group, and Oracle development management is now Eclipse Enterprise for Java Project Management Committee."

Linux kernel developer (and LWN.net co-founder) Jonathan Corbet recently posted an essay with a tantalizing title: "Is it time for open processors?" He cited several "serious initiatives", including the OpenPOWER effort, OpenSPARC, and OpenRISC, adding that "much of the momentum" appears to be with the RISC-V architecture. An anonymous reader quotes LWN.net: The [RISC-V] project is primarily focused on the instruction-set architecture, rather than on specific implementations, but free hardware designs do exist. Western Digital recently announced that it will be using RISC-V processors in its storage products, a decision that could lead to the shipment of RISC-V by the billion. There is a development kit available for those who would like to play with this processor and a number of designs for cores are available... RISC-V seems to have quite a bit of commercial support behind it -- the RISC-V Foundation has a long list of members. It seems likely that this architecture will continue to progress for some time.
Here's some of the reasons that Corbet argues open souce hardware "would certainly offer some benefits, but it would be no panacea."

An anonymous reader quotes a report from the Electronic Frontier Foundation: Good news out of the Ninth Circuit: the federal court of appeals heeded EFF's advice and rejected an attempt by Oracle to hold a company criminally liable for accessing Oracle's website in a manner it didn't like. The court ruled back in 2012 that merely violating a website's terms of use is not a crime under the federal computer crime statute, the Computer Fraud and Abuse Act. But some companies, like Oracle, turned to state computer crime statutes -- in this case, California and Nevada -- to enforce their computer use preferences. This decision shores up the good precedent from 2012 and makes clear -- if it wasn't clear already -- that violating a corporate computer use policy is not a crime.

What's happening to Google's 1,100 Gbikes? The Mercury News reports: Last summer, it emerged that some of the company's bikes -- intended to help Googlers move quickly and in environmentally friendly fashion around the company's sprawling campus and surrounding areas -- were sleeping with the fishes in Stevens Creek. And now, a new report has revealed that 100 to 250 Google bikes go missing every week, on average. "The disappearances often aren't the work of ordinary thieves, however. Many residents of Mountain View, a city of 80,000 that has effectively become Google's company town, see the employee perk as a community service," the Wall Street Journal reported.

And for the company, here's one Google bike use case that's got to burn a little: 68-year-old Sharon Veach told the newspaper that she sometimes uses one of the bicycles as part of her commute: to the offices of Google's arch foe, Oracle... Mountain View Mayor Ken Rosenberg even admitted to helping himself to a Google bike to go to a movie after a meeting at the company's campus, according to the WSJ.
One Silicon Valley resident reportedly told a neighbor that "I've got a whole garage full of them," while Veach describes the bikes as "a reward for having to deal with the buses" that carry Google employees. Google has already hired 30 contractors to prowl the city in five vans looking for lost or stolen bikes -- only a third of which have GPS trackers -- and they eventually recover about two-thirds of the missing bikes.

They've discovered them as far away as Mexico, Alaska, and the Burning Man festival in Nevada.

Though Docker has 400 corporate customers -- and plans to double its sales staff -- "here's what happens to a startup when Google gets all up in its business," reads a recent headline at Bloomberg: Docker Inc. helped establish a type of software tool known as containers...and they've made the company rich. Venture capitalists have poured about $240 million into the startup, according to research firm CB Insights. Then along came Google, with its own free container system called Kubernetes. Google has successfully inserted Kubernetes into the coder toolbox. While Docker and Kubernetes serve slightly different purposes, customers who choose Google's tool can avoid paying Docker.

The startup gives away its most popular product while trying to convince developers to pay for extras, notably a program that does the same thing as Google's. "Kubernetes basically has ruled the industry, and it is the de facto standard," said Gary Chen, an analyst at IDC. "Docker has to figure out how do they differentiate themselves." It's up to [Docker CEO] Steve Singh to escape a situation that's trapped many startups battling cash-rich tech giants like Google, dangling free alternatives... "They invented this great tech, but they are not the ones profiting from it," said Gary Chen, an analyst at IDC.
Though Docker's CEO is hoping to take the company public someday, Slashdot reader oaf357 predicts a different future: To say that Docker had a very rough 2017 is an understatement. Aside from Uber, I can't think of a more utilized, hyped, and well funded Silicon Valley startup (still in operation) fumbling as bad as Docker did in 2017. People will look back on 2017 as the year Docker, a great piece of software, was completely ruined by bad business practices leading to its end in 2018.
His article criticizes things like the new Moby upstream for the Docker project, along with "Docker's late and awkward embrace of Kubernetes... It's almost as if Docker is conceding itself to being a marginal consulting firm in the container space." And he suggests that ultimately Docker could be acquired by "a large organization like Oracle or Microsoft."

An anonymous reader writes: Newsweek's National Politics Correspondent reports on "a horny nest of prostitution 'hobbyists' at tech giants Microsoft, Amazon and other firms in Seattle," citing "hundreds" of emails "fired off by employees at major tech companies hoping to hook up with trafficked Asian women" between 2014 and 2016, "67 sent from Microsoft, 63 sent from Amazon email accounts and dozens more sent from some of Seattle's premier tech companies and others based elsewhere but with offices in Seattle, including T-Mobile and Oracle, as well as many local, smaller tech firms." Many of the emails came from a sting operation against online prostitution review boards, and were obtained through a public records request to the King County Prosecutor's Office.

"They were on their work accounts because Seattle pimps routinely asked first-time sex-buyers to prove they were not cops by sending an employee email or badge," reports Newsweek, criticizing "the widespread and often nonchalant attitude toward buying sex from trafficked women, a process made shockingly more efficient by internet technology... A study commissioned by the Department of Justice found that Seattle has the fastest-growing sex industry in the United States, more than doubling in size between 2005 and 2012. That boom correlates neatly with the boom of the tech sector there... Some of these men spent $30,000 to $50,000 a year, according to authorities." A lawyer for some of the men argues that Seattle's tech giants aren't conducting any training to increase employees' compassion for trafficked women in brothels. The director of research for a national anti-trafficking group cites the time Uber analyzed ride-sharing data and reported a correlation between high-crime neighborhoods and frequent Uber trips -- including people paying for prostitutes. "They made a map using their ride-share data, like it was a funny thing they could do with their data. It was done so flippantly."

InfoWorld writes that 2017 "presented a mixed bag of improvements to both long-established and newer programming languages." An anonymous reader quotes their report: Developers followed a soap opera over Java, with major disagreements over a modularization plan for standard Java and, in a surprising twist, Oracle washing its hands of the Java EE enterprise variant. Microsoft's TypeScript, meanwhile, has increased in popularity by making life easier for developers looking for an alternative to JavaScript. Microsoft also launched Q#, a language for quantum computing...

In web development, developers received a lot of help building with JavaScript itself or with JavaScript alternatives. Among the tools released in 2017 were: Google's Angular 5 JavaScript framework, released in November, featuring a build optimizer and supports progressive web apps and use of Material Design components... And React, the JavaScript UI library from Facebook, went to Version 16 in September, featuring a rewriting of the React core to boost responsiveness for complex applications...

TypeScript was not the only JavaScript alternative making waves this year. For web developers who would rather use Google's Go (Golang) language instead of JavaScript, the beta Joy compiler introduced in December promises to allow cross-compilation. Another language that offers compilation to JavaScript -- although it began on the JVM -- is Kotlin, which has experienced rising fortunes this year. It was boosted considerably by Google endorsing it in May for building Android applications, which has been chiefly the domain of Java...
2017 also saw the release of the long-awaited C++ 17.

Another 2017 memory: Eric Raymond admitting that he hates C++, and predicting that Go (but not Rust) will eventually replace C -- if not a new language like Cx.

An anonymous reader quotes Fortune's new report on blockchain: Demand for the technology, best known for supporting bitcoin, is growing so much that it will be one of the largest users of capacity next year at about 60 data centers that IBM rents out to other companies around the globe. IBM was one of the first big companies to see blockchain's promise, contributing code to an open-source effort and encouraging startups to try the technology on its cloud for free. That a 106-year-old company like IBM is going all in on blockchain shows just how far the digital ledger has come since its early days underpinning bitcoin drug deals on the dark web. The market for blockchain-related products and services will reach $7.7 billion in 2022, up from $242 million last year, according to researcher Markets & Markets.

That's creating new opportunities for some of the old warships of the technology world, companies like IBM and Microsoft Corp. that are making the transition to cloud services. And products that had gone out of vogue, such as databases sold by Oracle Corp., are becoming sexy again... In October, Oracle announced the formation of Oracle Blockchain Cloud Service, which helps customers extend existing applications like enterprise-resource management systems. A month earlier, rival SAP SE said clients in industries like manufacturing and supply chain were testing its cloud service. And on Nov. 20, Microsoft expanded its partnership with consortium R3 to make it easier for financial institutions to deploy blockchains in its Azure cloud. Big Blue, meanwhile, has been one of key companies behind the Hyperledger consortium, a nonprofit open-source project that aims to create efficient standards for commercial use of blockchain technology.
A Juniper Research survey found six in 10 larger corporations are considering blockchain, according to the article, which adds that blockchain "is increasingly being tested or used by companies such as Wal-Mart Stores Inc. and Visa Inc. to streamline supply chain, speed up payments and store records."

And because of blockchain's popularity, the CEO of WinterGreen Research predicts that 55% of large companies with over 1,000 employees will use the cloud rather than their own data centers within five years -- up from 17% today.

wiredmikey writes: A team of researchers has revived an old crypto vulnerability and determined that it affects the products of several major vendors and a significant number of the world's top websites. The attack/exploit method against a Transport Layer Security (TLS) vulnerability now has a name, a logo and a website. It has been dubbed ROBOT (Return Of Bleichenbacher's Oracle Threat) and, as the name suggests, it's related to an attack method discovered by Daniel Bleichenbacher back in 1998. ROBOT allows an attacker to obtain the RSA key necessary to decrypt TLS traffic under certain conditions. While proof-of-concept (PoC) code will only be made available after affected organizations have had a chance to patch their systems, the researchers have published some additional details. Researchers have made available an online tool that can be used to test public HTTPS servers. An analysis showed that at least 27 of the top 100 Alexa websites, including Facebook and PayPal, were affected.