Security

Old Crypto Vulnerability Hits Major Tech Firms (securityweek.com)

wiredmikey writes: A team of researchers has revived an old crypto vulnerability and determined that it affects the products of several major vendors and a significant number of the world's top websites. The attack/exploit method against a Transport Layer Security (TLS) vulnerability now has a name, a logo and a website. It has been dubbed ROBOT (Return Of Bleichenbacher's Oracle Threat) and, as the name suggests, it's related to an attack method discovered by Daniel Bleichenbacher back in 1998. ROBOT allows an attacker to obtain the RSA key necessary to decrypt TLS traffic under certain conditions. While proof-of-concept (PoC) code will only be made available after affected organizations have had a chance to patch their systems, the researchers have published some additional details. Researchers have made available an online tool that can be used to test public HTTPS servers. An analysis showed that at least 27 of the top 100 Alexa websites, including Facebook and PayPal, were affected.

Google

Inside Oracle's Cloak-and-dagger Political War With Google (recode.net)

schwit1 shares a Recode report: The story that appeared in Quartz this November seemed shocking enough on its own: Google had quietly tracked the location of its Android users, even those who had turned off such monitoring on their smartphones. But missing from the news site's report was another eyebrow-raising detail: Some of its evidence, while accurate, appears to have been furnished by one of Google's fiercest foes: Oracle. For the past year, the software and cloud computing giant has mounted a cloak-and-dagger, take-no-prisoners lobbying campaign against Google, perhaps hoping to cause the company intense political and financial pain at a time when the two tech giants are also warring in federal court over allegations of stolen computer code. Since 2010, Oracle has accused Google of copying Java and using key portions of it in the making of Android. Google, for its part, has fought those claims vigorously. More recently, though, their standoff has intensified. And as a sign of the worsening rift between them, this summer Oracle tried to sell reporters on a story about the privacy pitfalls of Android, two sources confirmed to Recode.

Facebook

This Time, Facebook Is Sharing Its Employees' Data (fastcompany.com)

tedlistens writes from a report via Fast Company: "Facebook routinely shares the sensitive income and employment data of its U.S.-based employees with the Work Number database, owned by Equifax Workforce Solutions," reports Fast Company. "Every week, Facebook provides an electronic data feed of its employees' hourly work and wage information to Equifax Workforce Solutions, formerly known as TALX, a St. Louis-based unit of Equifax, Inc. The Work Number database is managed separately from the Equifax credit bureau database that suffered a breach exposing the data of more than 143 million Americans, but it contains another cache of extensive personal information about Facebook's employees, including their date of birth, social security number, job title, salary, pay raises or decreases, tenure, number of hours worked per week, wages by pay period, healthcare insurance coverage, dental care insurance coverage, and unemployment claim records."

Surprisingly, Facebook is among friends. Every payroll period, Amazon, Microsoft, and Oracle provide an electronic feed of their employees' hourly work and wage information to Equifax. So do Wal-Mart, Twitter, AT&T, Harvard Law School, and the Commonwealth of Pennsylvania. Even Edward Snowden's former employer, the sometimes secretive N.S.A. contractor Booz Allen Hamilton, sends salary and other personal data about its employees to the Equifax Work Number database. It now contains over 296 million employment records for employees at all wage levels, from CEOs to interns. The database helps streamline various processes for employers and even federal government agencies, says Equifax. But databases like the Work Number also come with considerable risks. As consumer journalist Bob Sullivan puts it, Equifax, "with the aid of thousands of human resource departments around the country, has assembled what may be the most powerful and thorough private database of Americans' personal information ever created." On October 8, a month after Equifax announced its giant data breach, security expert Brian Krebs uncovered a gaping hole in the separate Work Number online consumer application portal, which allowed anyone to view a person's salary and employment history "using little more than someone's Social Security number and date of birth -- both data elements that were stolen in the recent breach at Equifax."

Open Source

Oracle Engineer Talks of ZFS File System Possibly Still Being Upstreamed On Linux (phoronix.com)

New submitter fstack writes: Senior software architect Mark Maybee, who has been working at Oracle/Sun since '98, says maybe we "could" still see ZFS be a first-class upstream Linux file-system. He spoke at the annual OpenZFS Developer Summit about how Oracle's focus has shifted to the cloud and how they have reduced investment in Solaris. He admits that Linux rules the cloud. Among the Oracle engineer's hopes is that ZFS becomes a "first class citizen in Linux," and to do so Oracle should port their ZFS code to Oracle Linux and then upstream the file-system to the Linux kernel, which would involve relicensing the ZFS code.

Businesses

Oracle, Apple, Google, Amazon, Facebook Blow Even More Cash on Lobbying (theregister.co.uk)

An anonymous reader shares a report: American tech giants have ramped up the amount of cash they spend on lobbying US lawmakers to get their own way, yet again. As congressmen consider regulating organizations from Facebook to Google, and mull antitrust crackdowns against Amazon, said corporations have responded by flinging more dosh at the problem. The money is spent on, ahem, holding meetings between company execs and politicians so that businesses can push their agenda and swing decisions in their favor, which may not be in the interests of the people who elected said politicians. Facebook's $2.85m for the third quarter of the year -- disclosed this week as required by law -- is beaten only by the amount it spent in the first quarter: $3.21m. In its second quarter, it blew $2.38m. Overall, Facebook's lobbying bills for 2017 look set to smash the $9.85m it spent in 2015 and the $8.7m in 2016. The social network is being investigated by both halves of Congress for its role in the Russian propaganda campaign during the US presidential election, and this month has been on a huge PR campaign in the capital. Likewise Amazon spent its highest ever amount on professional lobbyists -- both individuals and companies that book face time with lawmakers and their staff where they press the company's viewpoints. Amazon spent $3.41m in the third quarter, up from $3.21m for the second quarter -- which was also a record spend for the company. Apple has already blown past the $4.67m it spent in 2016 -- which was then its highest-ever spending. So far in 2017, the iPhone maker has spent $5.46m bending lawmakers' ears. Google spent less in the third quarter of the year than the wallet-busting Q2 spend of $5.93m, but it still spent $4.17m -- higher than its average spend of $4.0m per quarter over the past five years. But perhaps the most notable increase in spending has come from Oracle, which spent a whopping $3.82m on lobbying in the third quarter: double what it normally spends.

Programming

Profile of William H. Alsup, a Judge Who Codes and Decides Tech's Biggest Cases (theverge.com)

Sarah Jeong at The Verge has an interesting profile of William H. Alsup, the judge in the Oracle v. Google case, who, to many people's surprise, was able to comment on the technical issues that Oracle and Google were fighting about. Alsup admits that he learned the Java programming language only so that he could better understand the substance of the case. Here's an excerpt from the interview: On May 18th, 2012, attorneys for Oracle and Google were battling over nine lines of code in a hearing before Judge William H. Alsup of the northern district of California. The first jury trial in Oracle v. Google, the fight over whether Google had hijacked code from Oracle for its Android system, was wrapping up. The argument centered on a function called rangeCheck. Of all the lines of code that Oracle had tested -- 15 million in total -- these were the only ones that were "literally" copied. Every keystroke, a perfect duplicate. It was in Oracle's interest to play up the significance of rangeCheck as much as possible, and David Boies, Oracle's lawyer, began to argue that Google had copied rangeCheck so that it could take Android to market more quickly. Judge Alsup was not buying it. "I couldn't have told you the first thing about Java before this trial," said the judge. "But, I have done and still do a lot of programming myself in other languages. I have written blocks of code like rangeCheck a hundred times or more. I could do it. You could do it. It is so simple." It was an offhand comment that would snowball out of control, much to Alsup's chagrin. It was first repeated among lawyers and legal wonks, then by tech publications. With every repetition, Alsup's skill grew, until eventually he became "the judge who learned Java" -- Alsup the programmer, the black-robed nerd hero, the 10x judge, the "master of the court and of Java."

Communications

Slack Locks Down Oracle Partnership Targeting Enterprises (reuters.com)

From a report: Slack Technologies has secured a partnership with Oracle to integrate the tech giant's enterprise software products into the popular workplace messaging app, the two companies told Reuters. The partnership is a victory for Slack as the young startup ramps up its efforts to win the business of large enterprises in an increasingly competitive marketplace that has seen the entry of Microsoft, Facebook and countless startups. "As you see all these large enterprise software companies looking at messaging as a major platform, they're looking to partner with us first and foremost," said Brad Armstrong, Slack's head of global business and corporate development. The partnership will allow workers to use Slack as the interface for Oracle's sales, human resources and business software.

Businesses

Former Female Oracle Employees Sue Company For Alleged Pay Discrimination (techcrunch.com)

Three former female Oracle employees are suing Oracle for allegedly paying women less than men in similar jobs. Rong Jewett, Sophy Wang and Xian Murray filed a lawsuit August 28, seeking class-action status to represent all other women who have worked at the company. TechCrunch reports: The lawsuit, first reported by The Information, alleges that Oracle discriminated against women by "systematically paying them lower wage rates than Oracle pays to male employees performing substantially equal or similar work under similar working conditions," the filing states. The time period the lawsuit references is four years prior to the filing and through the date of the trial in California. Referencing how the U.S. Department of Labor sued Oracle in January based on its compliance review that found "systemic discrimination against women" and "gross disparities in pay," the lawsuit states Oracle had known or should have known about the pay disparity between its male and female employees. The plaintiffs are seeking wages due, interest and liquidated damages plus interest. They also want Oracle to guarantee they won't pay women less than men for similar work in the future.

Businesses

More Than Half of American Workers Can't Sue Their Employer (qz.com)

An anonymous reader shares a report: In the past two years, Google, Facebook, Twitter, Microsoft, and Oracle have faced various high-profile lawsuits related to their employment practices. And while those cases generated headlines, workers in almost every sector sue their bosses over emotional abuse, unpaid wages, and discrimination. The ability to sue over wrongful treatment at work is essential to the balance of bargaining power between employer and employee. Unfortunately, more than half of non-union, privately employed Americans -- some 60 million people -- have signed away this right. They are instead beholden to a process known as arbitration. Signing a mandatory arbitration agreement is theoretically voluntary, but refusing to do so can cost a candidate their job offer. Once signed, the agreement strips the employee of the right to take her employer to court for unfairly low pay, termination because of pregnancy, race-based discrimination, loss of paternity or maternity leave, and much more. According to a study published this week by Alexander Colvin of Cornell, more than half (54%) of private, non-unionized workplaces have mandatory arbitration procedures. For larger companies (over 1,000 workers), that jumps to 65%. By contrast, in 2003 Colvin found that just 14% of companies had arbitration agreements.

Oracle

Oracle Announces Java SE 9 and Java EE 8 (oracle.com)

rastos1 writes: Oracle has announced the general availability of Java SE 9 (JDK 9), Java Platform Enterprise Edition 8 (Java EE 8) and the Java EE 8 Software Development Kit (SDK). JDK 9 is a production-ready implementation of the Java SE 9 Platform Specification, which was recently approved together with Java EE 8 in the Java Community Process (JCP). Java SE 9 provides more than 150 new features, including a new module system and improvements that bring more scalability, improved security, better performance management and easier development to the world's most popular programming platform.

Businesses

Oracle's Larry Ellison Pokes Amazon Again With New Cloud Pricing Plan (siliconangle.com)

Oracle went on the offensive again versus Amazon.com this week with a new cloud pricing plan that gives discounts to Oracle database customers who move their databases to the cloud. From a report: Chairman and Chief Technology Officer Larry Ellison said during an event at its Redwood City, California headquarters that while Oracle has matched Amazon Web Services for base-level computing, storage and networking services known as infrastructure as a service, it's now moving to make higher-level cloud services such as databases and analytics cheaper than AWS's. Actually, Ellison claimed that Oracle's infrastructure runs faster and therefore ends up costing less, but it's clear that the company is focusing more on its traditional strengths one tier up from the infrastructure: so-called platform as a service offerings such as the Oracle Database. Oracle said it will allow customers to move their existing licenses for databases, middleware and analytics to Oracle's platform services, just as they've allowed them to bring licenses to its infrastructure before.

Java

Java EE Is Moving To the Eclipse Foundation (adtmag.com)

Oracle has chosen the Eclipse Foundation to be the new home of the Java Platform Enterprise Edition (Java EE), the company announced this week. Oracle made the decision in collaboration with IBM and Red Hat, the two other largest contributors to the platform. From a report: "The Eclipse Foundation has strong experience and involvement with Java EE and related technologies," wrote Oracle software evangelist David Delabassee in a blog post. "This will help us transition Java EE rapidly, create community-friendly processes for evolving the platform, and leverage complementary projects such as MicroProfile. We look forward to this collaboration." Mike Milinkovich, executive director of the Eclipse Foundation, is optimistic about this move, which he said is exactly what enterprise Java needs and what the community has been hoping for.

Businesses

Oracle Staff Report Big Layoffs Across Solaris, SPARC Teams (theregister.co.uk)

Simon Sharwood, reporting for the Register: Soon-to-be-former Oracle staff report that the company made hundreds of layoffs last Friday, as predicted by El Reg, with workers on teams covering the Solaris operating system, SPARC silicon, tape libraries and storage products shown the door. Oracle's media relations agency told The Register: "We decline comment." However, Big Red's staffers are having their say online, in tweets such as the one below. "For real. Oracle RIF'd most of Solaris (and others) today," an employee said. A "RIF" is a "reduction in force", Oracle-speak for making people redundant (IBM's equivalent is an "RA", or "resource action"). Tech industry observer Simon Phipps claims "~all" Solaris staff were laid off. "For those unaware, Oracle laid off ~ all Solaris tech staff yesterday in a classic silent EOL of the product."

Java

Why Oracle Should Cede Control of Java SE (infoworld.com)

An anonymous reader quotes InfoWorld: Now that Oracle wants to turn over leadership of enterprise Java's (Java EE's) development to a still-unnamed open source foundation, might the same thing happen with the standard edition of Java (Java SE) that Oracle also controls? Such a move could produce substantial benefits... Oracle said it has no plans to make such a move. But the potential fruits of such a move are undeniable.

For one, a loosening of Oracle's control could entice other contributors to Java to participate more... [W]ith the current Oracle-dominated setup, other companies and individuals could be reluctant to contribute a lot if they see it as benefiting a major software industry provider -- and possible rival -- like Oracle... Indeed, the 22-year-old language and platform could be given a whole new lease on life, if the open source community rises to the occasion and boosts participation...

Despite the potential to grow Java SE by ceding control, Oracle seems content to hold on to its place as the steward of JDK development. But that could change given the tempestuous relationship Oracle has with parts of the Java community. Oracle has been at loggerheads with the community over both Java SE and Java EE... Oracle may at some point decide it is easier to just cede control rather than having to keep soothing the ruffled feathers that keep occurring among its Java partners.

Oracle

Oracle Finally Decides To Stop Prolonging the Inevitable, Begins Hardware Layoffs (theregister.co.uk)

Shaun Nichols, reporting for The Register: Oracle is starting layoffs that will hit its hardware division, The Register has learned. Current and some soon-to-be former staffers have whispered that the database giant is shipping out packages containing the paperwork for ending their employment. The workers have received alerts from FedEx that the packages, which will need to be signed for, are en route for a September 1 delivery. "One of my co-workers emailed that he received a notification from FedEx of a label created by Oracle America, Inc," writes one anonymous employee. "I just checked and a label has been created for my home address. This is in the US. Looks like Friday is it for Sparc MicroElectronics." The layoffs are hardly a surprise, given the performance of Oracle's hardware unit as of late. In the last financial year, Oracle reported hardware revenues of $4.15bn. By comparison, in 2016 the unit logged hardware revenues of $4.67bn. In 2015 it was $5.2bn, and 2014 saw $5.37bn.

Java

OpenJDK May Tackle Java Security Gaps With A Secretive New Group (infoworld.com)

An anonymous reader quotes InfoWorld: To shore up Java's security, a private group that operates outside the normal open source community process is under consideration. The proposed OpenJDK Vulnerability Group would provide a secure, private forum in which trusted members of the community receive reports on vulnerabilities in code bases and then review and fix them... The vulnerability group and Oracle's internal security teams would work together, and it may occasionally need to work with external security organizations.

Due to the sensitive nature of its work, membership in the group would be more selective, there would be a strict communication policy, and members or their employers would need to sign both a nondisclosure and a license agreement, said Mark Reinhold, chief architect of the Java platform group at Oracle. "These requirements do, strictly speaking, violate the OpenJDK bylaws," Reinhold said. "The governing board has discussed this, however, and I expect that the board will approve the creation of this group with these exceptional requirements." If the Java security group is approved, Andrew Gross, leader of Oracle's internal Java vulnerability team, would lead it.

Java

Oracle Now Wants To Give Java EE to an Open Source Foundation (infoworld.com)

An anonymous reader quotes InfoWorld: Oracle wants to end its leadership in the development of enterprise Java and is looking for an open source foundation to take on the role. The company said Thursday that the upcoming Java EE (Enterprise Edition) 8 presents an opportunity to rethink how the platform is developed. Although development is done via open source with community participation, the current Oracle-led process is not seen as agile, flexible, or open enough. "We believe that moving Java EE technologies to an open source foundation may be the right next step, to adopt more agile processes, implement more flexible licensing and change the governance process," Oracle said in a statement...

Despite its desire to retreat from Java EE leadership, Oracle said it plans to continue participating in the evolution of Java EE technologies. "But we believe a more open process, that is not dependent on a single vendor as platform lead, will encourage greater participation and innovation, and will be in the best interests of the community"... Oracle's goals for offloading Java EE would have Oracle not lead the project as it still effectively does with Java SE.

Red Hat's senior principal product manager called this "a very positive move," while Eclipse's executive director said that moving Java EE to a vendor-neutral open source foundation "would be great for both the platform and the community," adding "If asked to do so, the Eclipse Foundation would be pleased to serve as the host organization."

Bug

Deserialization Issues Also Affect .NET, Not Just Java (bleepingcomputer.com)

"The .NET ecosystem is affected by a similar flaw that has wreaked havoc among Java apps and developers in 2016," reports BleepingComputer. An anonymous reader writes: The issue at hand is in how some .NET libraries deserialize JSON or XML data, doing it in a totally unsecured way, but also how developers handle deserialization operations when working with libraries that offer optional secure systems to prevent deserialized data from accessing and running certain methods automatically. The issue is similar to a flaw known as Mad Gadget (or Java Apocalypse) that came to light in 2015 and 2016. The flaw rocked the Java ecosystem in 2016, as it affected the Java Commons Collection and 70 other Java libraries, and was even used to compromise PayPal's servers.

Organizations such as Apache, Oracle, Cisco, Red Hat, Jenkins, VMWare, IBM, Intel, Adobe, HP, and SolarWinds all issued security patches to fix their products. The Java deserialization flaw was so dangerous that Google engineers banded together in their free time to repair open-source Java libraries and limit the flaw's reach, patching over 2,600 projects. Now a similar issue has been discovered in .NET. This research has been presented at the Black Hat and DEF CON security conferences. On page 5 [of this PDF], researchers included reviews for all the .NET and Java apps they analyzed, pointing out which ones are safe and how developers should use them to avoid deserialization attacks when working with JSON data.

Oracle

Oracle Fiddles With Major Database Release Cycle Numbers (theregister.co.uk)

An anonymous reader shares a report: Big Red has changed its database release cycle, scrapping names that see decimal points and numbers added on for an indeterminate amount of time, instead plumping for annual releases numbered by the year. So what would have been Oracle Database 12.2.0.2 will now be Oracle Database 18; 12.2.0.3 will come out a year later, and be Oracle Database 19. The approach puts Oracle only about 20 years behind Microsoft in adopting a year-based naming convention (Microsoft still uses years to number Windows Server, even though it stopped for desktop versions when it released XP). [...] Well, Big Red will surely be using the revamp as a way to boost sales of database licences -- a crucial part of its business -- which have been in decline for two years running. In fiscal 2016, Oracle reported a 12 per cent drop in annual sales of new software licences, and its most recent results for fiscal 2017 revealed a further 5 per cent drop. And, for all that Oracle has shouted about its cloudy success of late, it isn't yet a major money-maker for the biz. New software license sales make up a quarter of overall revenue, while support for that software makes up a further 45 per cent. In part, the new numbering will be a handy marketing ploy. Rather than playing with the decimal points, a release with a new whole number could be an attempt to give the impression of agility in the face of younger, fresher competitors. Meanwhile, fewer patches and releases on each system also allows Oracle to know more quickly, and more accurately, what security features each customer has. The annual numbering system is also a very simple way of telling you your system is old.

Microsoft

Apple, Google and Microsoft Are Hoarding $464 Billion In Cash (cnn.com)

Apple, Google and Microsoft are sitting on a mountain of cash -- and most of it is stashed far away from the taxman. Those three tech behemoths held a total of $464 billion in cash at the end of last year, according to a Moody's report published this week. From a report: Apple alone had a stunning quarter-trillion dollars of cash thanks to years of gigantic profits and few major acquisitions. That's enough money to buy Netflix three times. It's also more cash than what's sitting on the balance sheet of every major industry except tech and health care. All told, non-financial U.S. companies studied by Moody's hoarded $1.84 trillion of cash at the end of last year. That's up 11% from 2015 and nearly two and a half times the 2008 level. Roughly $1.3 trillion -- 70% of the total -- is being held overseas, where the money isn't subject to U.S. taxes. Apple, Google owner Alphabet, Microsoft, Cisco, and Oracle hold 88% of their cash overseas. Moody's said the tower of money stashed abroad reflects the "negative tax consequences of permanently repatriating money to the U.S."