Google

Google Asks Supreme Court To Rule On When Code Can Be Copyrighted (theverge.com) 203

Google is asking the Supreme Court to make the final call in its infamous dispute with Oracle. "Today, the company announced it has filed a petition with the Court, asking the justices to determine the boundaries of copyright law in code," reports The Verge. From the report: The case dates back to 2010, when Oracle first accused Google of improperly using elements of Oracle's Java programming language to build Android. Oracle said that Google's use of Java application programming interfaces was a violation of copyright law. Google has responded that APIs are too fundamental to programming to be copyrighted. The case has led to two jury trials, and several rulings have doled out wins and losses to both companies over the course of eight years. Last year, a favorable Oracle decision set Google up to potentially lose billions of dollars.

Google asked for a Supreme Court hearing on the case in 2014, but the Court rejected the request at the time. The company says new issues are now at play, and is asking the Court to decide whether software interfaces can be copyrighted, and whether using them to build something new constitutes fair use under the law. In its new petition to the Supreme Court, Google says the case is not only important to copyright law, but has "sheer practical importance," as it centers around two touchstones of computing: Google's Android and Oracle's Java. The Court's intervention could alter the future of software, the company argues.

Oracle

Oracle Systematically Underpaid Thousands of Women, Lawsuit Says (theguardian.com) 394

Thousands of women were systematically underpaid at Oracle, one of Silicon Valley's largest corporations, according to a new motion in a class-action complaint that details claims of pervasive wage discrimination. From a report: A motion filed in California on Friday said attorneys seek to represent more than 4,200 women and alleged that female employees were paid on average $13,000 less per year than men doing similar work. An analysis of payroll data found disparities with an "extraordinarily high degree of statistical significance," the complaint said. Women made 3.8% less in base salaries on average than men in the same job categories, 13.2% less in bonuses, and 33.1% less in stock value, it alleges.

The civil rights suit comes as the tech industry faces increased scrutiny of gender and racial discrimination, including sexual misconduct, unequal pay and biased workplaces. The case against Oracle, which is headquartered in Redwood Shores and provides cloud computing services to companies across the globe, resembles high-profile litigation against Google, which has also faced repeated claims of systematic wage discrimination.

Security

Pwn2Own Contest Will Pay $900,000 For Hacks That Exploit Tesla's Model 3 (techcrunch.com) 47

The Model 3 will be entered into Pwn2Own this year, the first time a car has been included in the annual high-profile hacking contest. The prize for the winning security researchers: a Model 3. TechCrunch reports: Pwn2Own, which is in its 12th year and run by Trend Micro's Zero Day Initiative, is known as one of the industry's toughest hacking contests. ZDI has awarded more than $4 million over the lifetime of the program. Pwn2Own's spring vulnerability research competition, Pwn2Own Vancouver, will be held March 20 to 22 and will feature five categories, including web browsers, virtualization software, enterprise applications, server-side software and the new automotive category. The targets, chosen by ZDI, include software products from Apple, Google, Microsoft, Mozilla, Oracle and VMware. And, of course, Tesla. Pwn2Own is run in conjunction with the CanSec West conference. There will be "more than $900,000 worth of prizes available for attacks that subvert a variety of [the Model 3's] onboard systems," reports Ars Technica. "The biggest prize will be $250,000 for hacks that execute code on the car's gateway, autopilot, or VCSEC."

"A gateway is the central hub that interconnects the car's powertrain, chassis, and other components and processes the data they send. The autopilot is a driver assistant feature that helps control lane changing, parking, and other driving functions. Short for Vehicle Controller Secondary, VCSEC is responsible for security functions, including the alarm."

Earth

Climate Change Drives Fish Into New Waters, Remaking an Industry (wsj.com) 87

The catch is shifting northward as water temperatures rise, forcing crews to retool their boats and rework their businesses. From a report: Aboard the Stanley K and the Oracle, two 58-foot vessels, Buck Laukitis and his crews chase halibut across the Bering Sea worth $5 a pound at the docks. As sea temperatures rise, and Arctic ice retreats the fish appear to be avoiding warming waters, migrating northward where they cost more to reach, federal fisheries biologists say. Twice this past fall, the Oracle sailed 800 miles north from the seaport of Dutch Harbor in the Aleutian Islands, before finding the halibut that a decade ago lived several hundred miles closer to home. Each voyage took twice as long and yielded half as many fish. "It keeps me up at night," he says. "I woke up at three in the morning. I couldn't sleep thinking about where the fish are going."

Across the continent from Mr. Laukitis in Rhode Island, black sea bass have moved in with the warming waters. The bulk once lived roughly 700 miles south off North Carolina. Now they are a staple catch in Point Judith, R.I., along with the summer flounder that also have begun appearing. [...] The impact of climate change has a price, and for fishing-boat owners in sea ports, that means following the catch. The northward movement of fish around the world is disrupting some fishing grounds and revitalizing others -- and fishing businesses are trying to adapt their operations.

The impact of temperature on oceans is varied. As the atmosphere warmed in recent decades, oceans absorbed heat unevenly, causing marine hot spots that can last months, scientists say. Spikes of warmer water affect fisheries differently depending on ocean currents, ocean depth and seafloor topography. Higher temperatures mean less dissolved oxygen in the water while increasing a fish's demand for oxygen by speeding up its metabolism. Warming water may also favor predators or drive off species on which commercial fish feed. All told, warming ocean temperatures are pushing hundreds of marine species outside of their traditional ranges, ocean scientists say.

Oracle

Oracle Releases Major Version 6.0 of VirtualBox With Many New Features 77

What's new with Oracle's free and open-source hosted hypervisor? Long-time Slashdot reader Freshly Exhumed writes: Oracle has released major version 6.0 of VirtualBox with a variety of new features, including support for exporting a virtual machine to the Oracle Cloud; improved HiDPI and scaling (with better detection and per-machine configuration); a UI rework with simpler application and virtual machine set-up; a new file manager that allows control of the guest file system; a 3D graphics support update for Windows guests; VMSVGA 3D graphics device emulation on Linux and Solaris guests; surround speaker setups used by Windows 10 Build 1809; a new 'vboximg-mount' utility on Apple hosts to access the content of guest disks on the host; Hyper-V as the fallback execution core on Windows hosts to avoid inability to run VMs at reduced performance; and support for Linux Kernel 4.20.

Security

Hackers Swipe Card Numbers From Local Government Payment Portals (zdnet.com) 15

A previously unknown hacker group is behind a mounting number of breaches that have been reported by local governments across the US. From a report: In a report published today, US cyber-security vendor FireEye has revealed that this yet-to-be-identified hacker group has been breaking into Click2Gov servers and planting malware that stole payment card details. Click2Gov is a popular self-hosted payments solution, a product of US software supplier Superion. It is sold primarily to US local governments, and you can find a Click2Gov server installed anywhere from small towns to large metropolitan areas, where it's used to handle payments for utility bills, permits, fines, and more.

FireEye says this new hacker group has been attacking Click2Gov portals for almost a year. The company's investigators believe hackers are using one or more vulnerabilities in one of Click2Gov's components --the Oracle WebLogic Java EE application server-- to gain a foothold and install a web shell named SJavaWebManage on hacked portals. Forensic evidence suggests the hackers are using this web shell to turn on Click2Gov's debug mode, which, in turn, starts logging payment transactions, card details included.

Cloud

Oracle's CTO: No Way a 'Normal' Person Would Move To AWS (zdnet.com) 253

Amazon may have turned off its Oracle data warehouse in favor of Amazon Web Services database technology, but no one else in their right mind would, Oracle's outspoken co-founder and CTO Larry Ellison says. From a report: "We have a huge technology leadership in database over Amazon," Ellison said on a conference call following the release of Oracle's second quarter financial results. "In terms of technology, there is no way that... any normal person would move from an Oracle database to an Amazon database." During last month's AWS re:Invent conference, AWS CTO Werner Vogels gave an in-the-weeds talk explaining why Amazon turned off its Oracle data warehouse. In a clear jab at Oracle, Vogels wrote off the "90's technology" behind most relational databases. Cloud native databases, he said, are the basis of innovation.

The remarks may have gotten under Ellison's skin. Moving from Oracle databases to AWS "is just incredibly expensive and complicated," he said Monday. "And you've got to be willing to give up tons of reliability, tons of security, tons of performance... Nobody, save maybe Jeff Bezos, gave the command, 'I want to get off the Oracle database.'" Ellison said that Oracle will not only hold onto its 50 percent relational database market share but will expand it, thanks to the combination of Oracle's new Generation 2 Cloud infrastructure and its autonomous database technology. "You will see rapid migration of Oracle from on-premise to the Oracle public cloud," he said. "Nobody else is going to go through that forced march to go on to the Amazon database."

Databases

Amazon Will Be Off All Oracle Databases By End of 2019, Says AWS Chief 61

Amazon Web Services CEO Andy Jassy said in an interview on Wednesday that almost all of Amazon's databases that ran on Oracle will be on an Amazon database instead. "We're virtually done moving away from Oracle on the database side," Jassy said. "And I think by the end of 2019 or mid-2019 we'll be done." CNBC reports: Amazon is reducing its reliance on Oracle for its data needs and is instead using its own services. Jassy said 88 percent of Amazon databases that were running on Oracle will be on Amazon DynamoDB or Amazon Aurora by January. He added that 97 percent of "mission critical databases" will run on DynamoDB or Aurora by the end of the year. On Nov. 1, Amazon moved its data warehouse from Oracle to its own service, Redshift, Jassy said.

Java

Amazon Releases A No-Cost Distribution of OpenJDK (sdtimes.com) 95

An anonymous reader quotes SD Times: Amazon wants to make sure Java is available for free to its users in the long term with the introduction of Amazon Corretto. The solution is a no-cost, multi-platform, production-ready distribution of the Open Java Development Kit (OpenJDK). "Java is one of the most popular languages in use by AWS customers, and we are committed to supporting Java and keeping it free," Arun Gupta, principal open-source technologist at Amazon, wrote in a blog post. "Many of our customers have become concerned that they would have to pay for a long-term supported version of Java to run their workloads. As a first step, we recently re-affirmed long-term support for Java in Amazon Linux. However, our customers and the broader Java community run Java on a variety of platforms, both on and off of AWS."

Amazon Corretto will be available with long-term support and Amazon will continue to make performance enhancements and security fixes to it, the company explained. Amazon plans on making quarterly updates with bug fixes and patches, as well as any urgent fixes necessary outside of its schedule... Corretto 8 is available as a preview with features corresponding to those in OpenJDK 8. General availability for the solution is planned for Q1 2019... "Corretto is designed as a drop-in replacement for all Java SE distributions unless you're using features not available in OpenJDK (e.g., Java Flight Recorder)," Gupta wrote....

According to Gupta, Corretto 8 will be available at no cost until at least June of 2023. The company is working on Corretto 11, which will be available until at least August of 2024. "Amazon has already made several contributions to OpenJDK 8 and we look forward to working closely with the OpenJDK community on future enhancements to OpenJDK 8 and 11," Gupta wrote. "We downstream fixes made in OpenJDK, add enhancements based on our own experience and needs, and then produce Corretto builds. In case any upstreaming efforts for such patches is not successful, delayed, or not appropriate for OpenJDK project, we will provide them to our customers for as long as they add value. If an issue is solved a different way in OpenJDK, we will move to that solution as soon as it is safe to do so."

Cloud

Google Cloud Executive Who Sought Pentagon Contract Steps Down (nytimes.com) 82

Diane Greene, whose pursuit of Pentagon contracts for artificial intelligence technology sparked a worker uprising at Google, is stepping down as chief executive of the company's cloud computing business (Warning: source may be paywalled; alternative source). "Ms. Greene said she would stay on as chief executive until January. She will be replaced by Thomas Kurian, who oversaw product development at Oracle until his resignation in October. Ms. Greene will remain a board director at Google's parent company, Alphabet," reports The New York Times. From the report: The change in leadership caps a turbulent three years for Ms. Greene, who was brought on to expand Google's cloud computing business. Google Cloud has struggled to make major inroads in persuading corporate customers to use its computing infrastructure over alternatives like Amazon's A.W.S. and Microsoft's Azure. In a blog post published by the company, Ms. Greene said she had initially told friends and family that she was planning to run Google Cloud for only two years but stayed for three. Ms. Greene, a widely respected technologist and entrepreneur, said that after leaving Google Cloud, she planned to help female founders of companies by investing in and mentoring them. Ms. Greene joined Google in 2015 when it acquired Bebop, a start-up she had founded, for $380 million. Ms. Greene defended Google's pursuit of a Defense Department contract for the Maven program, which uses AI to interpret video images and could be used to improve the targeting of drone strikes. In March, she said it was a small contract worth "only" $9 million and that the technology would be used for nonlethal purposes.

Google

Google Suffered a Brief Outage on Monday Which Pushed Some of Its Traffic Through Russia, China and Nigeria; Company Says It Will Do an Investigation (cnet.com) 70

Google suffered a brief outage and slowdown Monday, with some of its traffic getting rerouted through networks in Russia, China and Nigeria. From a report: Incorrect routing instructions sent some of the search giant's traffic to Russian network operator TransTelekom, China Telecom (which, as you may recall, has been found misdirecting internet traffic in recent months) and Nigerian provider MainOne between 1:00 p.m. and 2:23 p.m. PT, according to internet research group ThousandEyes. "This incident at a minimum caused a massive denial of service to G Suite and Google Search," wrote Ameet Naik, ThousandEyes' technical marketing manager, in a blog post. "However, this also put valuable Google traffic in the hands of ISPs in countries with a long history of Internet surveillance." Applications like Gmail and Google Drive don't appear to have been affected, but YouTube users experienced some slowdown. Google noted that the issue was resolved and said it would conduct an internal investigation. Update: Nigeria's Main One Cable Co has taken responsibility for the glitch.

Ruby

Deserialization Issues Also Affect Ruby -- Not Just Java, PHP, and .NET (zdnet.com) 62

An anonymous reader writes: The Ruby programming language is impacted by a similar "deserialization issue" that has affected and wreaked havoc in the Java ecosystem in 2016; an issue that later also proved to be a problem for .NET and PHP applications as well. Researchers published proof-of-concept code this week showing how to exploit serialization/deserialization operations supported by the built-in features of the Ruby programming language itself.

"Versions 2.0 to 2.5 are affected," researchers said. "There is a lot of opportunity for future work including having the technique cover Ruby versions 1.8 and 1.9 as well as covering instances where the Ruby process is invoked with the command line argument --disable-all," the elttam team added. "Alternate Ruby implementations such as JRuby and Rubinius could also be investigated."

The deserialization issues can be used for remote code execution and taking over vulnerable servers. While .NET and PHP were affected, it was Java until now that has faced the biggest issues with deserialization; earlier this year, Oracle announced it was dropping deserialization support from the Java language's standard package.

Oracle

Disgruntled Security Researcher Publishes Major VirtualBox 0-Day Exploit (zdnet.com) 130

"A Russian security researcher has published details about a zero-day vulnerability affecting VirtualBox, an Oracle software application for running virtual machines," reports ZDNet. According to a text file uploaded on GitHub, Saint Petersburg-based researcher Sergey Zelenyuk has found a chain of bugs that can allow malicious code to escape the VirtualBox virtual machine (the guest OS) and execute on the underlying (host) operating system. Once out of the VirtualBox VM, the malicious code runs in the OS' limited userspace (kernel ring 3), but Zelenyuk said that attackers can use many of the already known privilege escalation bugs to gain kernel-level access (ring 0). "The exploit is 100% reliable," Zelenyuk said. "It means it either works always or never because of mismatched binaries or other, more subtle reasons I didn't account."

The Russian researcher says the zero-day affects all current VirtualBox releases, works regardless of the host or guest operating system the user is running, and is reliable against the default configuration of newly created VMs. Besides a detailed write-up of the entire exploit chain, Zelenyuk has also published video proof, showing the zero-day in action against an Ubuntu VM running inside VirtualBox on an Ubuntu host OS.

Long-time Slashdot reader Artem Tashkinov warns that the exploit utilizes "bugs in the data link layer of the default E1000 network interface adapter which makes this vulnerability critical for everyone who uses virtualization to run untrusted code." According to ZDNet, the same security researcher "found and reported a similar issue in mid-2017, which Oracle took over 15 months to fix."

"This lengthy and drawn-out patching process appears to have angered Zelenyuk, who instead of reporting this bug to Oracle, has decided to publish details online without notifying the vendor."

Software

Amazon's Consumer Business Has Turned Off Its Oracle Data Warehouse (bloomberg.com) 134

An anonymous reader quotes a report from Bloomberg: Amazon.com Inc. has taken another step toward eliminating software from Oracle Corp. that has long helped the e-commerce giant run its retail business. An executive with Amazon's cloud-computing unit hit back at Oracle Executive Chairman Larry Ellison, who ridiculed the internet giant as recently as last month for relying on Oracle databases to track transactions and store information, even though Amazon sells competing software, including Redshift, Aurora and DynamoDB. Amazon's effort to end its use of Oracle's products has made new progress, Andy Jassy, the chief executive officer of Amazon Web Services, tweeted Friday. "In latest episode of 'uh huh, keep talkin' Larry,' Amazon's Consumer business turned off its Oracle data warehouse Nov. 1 and moved to Redshift," Jassy wrote. By the end of 2018, Amazon will stop using 88 percent of its Oracle databases, including 97 percent of its mission-critical databases, he added.

China

Oracle Says China Telecom Has Misdirected Internet Traffic, Including Out of the US, in Recent Years (zdnet.com) 58

Oracle's Internet Intelligence division has confirmed today the findings of a recently published academic paper that accused China of "hijacking the vital internet backbone of western countries." From a report: The research paper was authored by researchers from the US Naval War College and Tel Aviv University and it made quite a few waves online after it was published. Researchers accused China Telecom, one of China's biggest state-owned internet service providers, of hijacking and detouring internet traffic through its normally-closed internet infrastructure. Some security experts contested the research paper's findings because it didn't come from an authoritative voice in the world of internet BGP hijacks, but also because the paper touched on many politically sensitive topics, such as China's cyber-espionage activities and how China used BGP hijacks as a way to circumvent the China-US cyber pact of 2015. But today, Doug Madory, Director of Oracle's Internet Analysis division (formerly Dyn), confirmed that China Telecom has, indeed, engaged in internet traffic "misdirection." "I don't intend to address the paper's claims around the motivations of these actions," said Madory. "However, there is truth to the assertion that China Telecom (whether intentionally or not) has misdirected internet traffic (including out of the United States) in recent years."

Microsoft

Microsoft Defends Bid for $10B Pentagon Cloud Contract Amid Criticism Over Government Use of Technology (geekwire.com) 68

Microsoft said Friday it will not pull out of the competition for a $10 billion cloud contract for the Department of Defense, despite growing concerns about private companies selling new technologies to the federal government. From a report: The Redmond, Wash., company defended its position in a blog post Friday, claiming that technologists should be involved in government adoption of new innovations to ensure they are not misused. Microsoft President Brad Smith wrote in the post that "to withdraw from this market is to reduce our opportunity to engage in the public debate about how new technologies can best be used in a responsible way." He decided to share publicly sentiments that he and Microsoft CEO Satya Nadella discussed at a monthly Q&A with employees Thursday. "We want the people of this country and especially the people who serve this country to know that we at Microsoft have their back," Smith wrote. "They will have access to the best technology that we create." Smith's defense comes days after an unspecified number of Microsoft employees urged the company to not bid on the Project JEDI.

Further reading: Oracle Trying Hard To Make Sure Pentagon Knows Amazon Isn't the Only Cloud Around; Google Drops Out of Pentagon's $10 Billion Cloud Competition; Jeff Bezos Defends Big Tech Working with Department of Defense.

Cloud

Amazon's Move Off Oracle Caused Prime Day Outage in One of its Biggest Warehouses, Internal Report Says (cnbc.com) 130

Amazon is learning how hard it can be to move off of Oracle's database software. From a report: On Prime Day, while the e-retailer was dealing with a major website glitch that slowed sales, the company was also dealing with a technical problem in Ohio at one of its biggest warehouses, leading to thousands of delayed package deliveries, according to an internal report obtained by CNBC. The problem was in large part due to Amazon's migration from Oracle's database to its own technology, the documents show. The outage underscores the challenge Amazon faces as it looks to move completely off Oracle's database by 2020, and how difficult it is to re-create that level of reliability. It also shows that Oracle's database is more efficient in some aspects than Amazon's rival software, a point that Oracle will likely emphasize during this week's annual OpenWorld conference in San Francisco.

Windows

Windows 10 Will Banish Spectre Slowdowns With Google's Retpoline Patch (zdnet.com) 61

Microsoft is including Google's mitigation for the Spectre Variant 2 speculative execution side-channel attack in the next release of Windows 10, currently codenamed 19H1. ZDNet reports: Google developed a software-based mitigation for Spectre Variant 2 called Retpoline that constrains speculative execution behavior sufficiently to mitigate an attack. Google's testing found its fix had a negligible effect on performance. Retpoline was implemented by Linux distributions such as Red Hat and SUSE, as well as by Oracle for Oracle Linux 6 and 7. And now, as MSPoweruser spotted, Microsoft's kernel engineers have confirmed that Retpoline will be part of the next version of Windows 10, 19H1, which is due out next year. Google's Retpoline plus Microsoft's own kernel modifications have reduced the performance impact to "noise level", according to Mehmet Iyigun of Microsoft's Windows and Azure kernel team. "Yes, we have enabled Retpoline by default in our 19H1 flights along with what we call 'import optimization' to further reduce perf impact due to indirect calls in kernel-mode. Combined, these reduce the perf impact of Spectre v2 mitigations to noise-level for most scenarios," wrote Iyigun.

"The bad news is that Microsoft didn't include the Retpoline fix in the latest Windows 10 October 2018 Update Redstone 5, or RS5, release, even though, according to CrowdStrike researcher Alex Ionescu, it could have," reports ZDNet.

Open Source

Apache OpenOffice, the Schrodinger's Application: No One Knows If It's Dead or Alive, No One Really Wants To Look Inside (theregister.co.uk) 98

British IT news outlet The Register looks at the myriad of challenges Apache OpenOffice faces today. From the report: Last year Brett Porter, then chairman of the Apache Software Foundation, contemplated whether a proposed official blog post on the state of Apache OpenOffice (AOO) might discourage people from downloading the software due to lack of activity in the project. No such post from the software's developers surfaced. The languid pace of development at AOO, though, has been an issue since 2011 after Oracle (then patron of the project) got into a fork-fight with The Document Foundation, which created LibreOffice from the OpenOffice codebase, and asked developers backing the split to resign.

Back in 2015, Red Hat developer Christian Schaller called OpenOffice "all but dead." Assertions to that effect have continued since, alongside claims to the contrary. Almost a year ago, Jim Jagielski, a member of the Apache OpenOffice Project Management Committee, insisted things were going well and claimed there was renewed interest in the project. For all the concern about AOO, no issues have been raised recently before the Apache Foundation board to suggest ongoing difficulties. The project is due to provide an update this month, according to a spokesperson for the foundation.

Bug

Intel Blocked Collaboration On Spectre/Meltdown Fixes, Says Linux Kernel Developer (eweek.com) 83

This week in Vancouver, Linux kernel developer Greg Kroah-Hartman criticized Intel's slow initial response to the Spectre and Meltdown bugs in a talk at the Open Source Summit North America. An anonymous reader quotes eWeek: Kroah-Hartman said that when Intel finally decided to tell Linux developers, the disclosure was siloed.... "Intel siloed SUSE, they siloed Red Hat, they siloed Canonical. They never told Oracle, and they wouldn't let us talk to each other." For an initial set of vulnerabilities, Kroah-Hartman said the different Linux vendors typically work together. However, in this case they ended up working on their own, and each came up with different solutions. "It really wasn't working, and a number of us kernel developers yelled at [Intel] and pleaded, and we finally got them to allow us to talk to each other the last week of December [2017]," he said. "All of our Christmas vacations were ruined. This was not good. Intel really messed up on this," Kroah-Hartman said...

"The majority of the world runs Debian or they run their own kernel," Kroah-Hartman said. "Debian was not allowed to be part of the disclosure, so the majority of the world was caught with their pants down, and that's not good." To Intel's credit, Kroah-Hartman said that after Linux kernel developers complained loudly to the company in December 2017 and into January 2018, it fixed its disclosure process for future Meltdown- and Spectre-related vulnerabilities... "Intel has gotten better at this," he said.

An interesting side effect of the Meltdown and Spectre vulnerabilities is that Linux and Windows developers are now working together, since both operating systems face similar risks from the CPU vulnerabilities. "Windows and Linux kernel developers now have this wonderful back channel. We're talking to each other and we're fixing bugs for each other," Kroah-Hartman said. "We are working well together. We have always wanted that."
