Security

Malware Attack Infected 25,000 Linux/UNIX Servers 220

wiredmikey writes "Security researchers from ESET have uncovered a widespread attack campaign that has infected more than 25,000 Linux and UNIX servers around the world. The servers are being hijacked by a backdoor Trojan as part of a campaign the researchers are calling 'Operation Windigo.' Once infected, victimized systems are leveraged to steal credentials, redirect web traffic to malicious sites and send as many as 35 million spam messages a day. 'Windigo has been gathering strength, largely unnoticed by the security community, for more than two and a half years and currently has 10,000 servers under its control,' said Pierre-Marc Bureau, security intelligence program manager at ESET, in a statement.

There are many misconceptions around Linux security, and attacks are not something only Windows users need to worry about. The main threats facing Linux systems aren't zero-day vulnerabilities or malware, but things such as Trojanized applications, PHP backdoors, and malicious login attempts over SSH. ESET recommends webmasters and system administrators check their systems to see if they are compromised, and has published a detailed report presenting the findings and instructions on how to remove the malicious code if it is present."
Open Source

Interviews: ESR Answers Your Questions 117

Last week you had the chance to ask ESR about books, guns, and open source software. Below you'll find his answers to those questions.
Open Source

Interview: Ask Eric Raymond What You Will 126

Author of The Cathedral and the Bazaar and The Art of Unix Programming, Eric S. Raymond (ESR) has long been an important spokesperson for the open source movement. It's been a while since we talked to the co-founder of the Open Source Initiative, so ESR has agreed to give us some of his time and answer your questions. As usual, ask as many as you'd like, but please, one question per post.
Books

Book Review: Threat Modeling: Designing For Security 32

benrothke writes "When it comes to measuring and communicating threats, perhaps the most ineffective example in recent memory was the Homeland Security Advisory System; which was a color-coded terrorism threat advisory scale. The system was rushed into use and its output of colors was not clear or intuitive. What exactly was the difference between levels such as high, guarded and elevated? From a threat perspective, which color was more severe — yellow or orange? Former DHS chairman Janet Napolitano even admitted that the color-coded system presented 'little practical information' to the public. While the DHS has never really provided meaningful threat levels, in Threat Modeling: Designing for Security, author Adam Shostack has done a remarkable job in detailing an approach that is both achievable and functional. More importantly, he details a system where organizations can obtain meaningful and actionable information, rather than vague color charts." Read below for the rest of Ben's review.
Books

Book Review: Sudo Mastery: User Access Control For Real People 83

Saint Aardvark writes "If you're a Unix or Linux sysadmin, you know sudo: it's that command that lets you run single commands as root from your own account, rather than logging in as root. And if you're like me, here's what you know about configuring sudo:

1.) Run sudoedit and uncomment the line that says "%wheel ALL=(ALL) ALL".
2.) Make sure you're in the wheel group.
3.) Profit!

If you're a sysadmin, you need to stop people from shooting themselves in the foot. There should be some way of restricting use, right? Just gotta check out the man page.... And that's where I stopped, every time. I've yet to truly understand Extended Backus-Naur Form, and my eyes would glaze over. And so I'd go back to putting some small number of people in the 'wheel' group, and letting them run sudo, and cleaning up the occasional mess afterward. Fortunately, Michael W. Lucas has written Sudo Mastery: User Access Control for Real People."
Keep reading for the rest of Saint Aardvark's review.
Operating Systems

BSD Real-Time Operating System NuttX Makes Its 100th Release: NuttX 6.33 64

paugq writes "NuttX is a real-time operating system (RTOS) with an emphasis on standards compliance and small footprint. Scalable from 8-bit to 32-bit microcontroller environments, the primary governing standards in NuttX are POSIX and ANSI standards. Additional standard APIs from Unix and other common RTOS's (such as VxWorks) are adopted for functionality not available under these standards, or for functionality that is not appropriate for deeply-embedded environments. NuttX was first released in 2007 by Gregory Nutt under the permissive BSD license, and today the 100th release was made: NuttX 6.33. Supported platforms include ARM, Atmel AVR, x86, Z80 and others."
Operating Systems

Plan 9 From Bell Labs Operating System Now Available Under GPLv2 223

TopSpin writes "Alcatel-Lucent has authorized The University of California, Berkeley to 'release all Plan 9 software previously governed by the Lucent Public License, Version 1.02 under the GNU General Public License, Version 2.' Plan 9 was developed primarily for research purposes as the successor to Unix by the Computing Sciences Research Center at Bell Labs between the mid-1980s and 2002. Plan 9 has subsequently emerged as Inferno, a commercially supported derivative, and ports to various platforms, including a recent port to the Raspberry Pi. In Plan 9, all system interfaces, including those required for networking and the user interface, are represented through the file system rather than specialized interfaces. The system provides a generic protocol, 9P, to perform all communication with the system, among processes and with network resources. Applications compose resources using union file systems to form isolated namespaces."
Open Source

Godot Game Engine Released Under MIT License 73

goruka writes with news that a new game engine has been made available to Free Software developers under the permissive MIT license: "Godot is a fully featured, open source, MIT licensed, game engine. It focuses on having great tools, and a visual oriented workflow that can deploy to PC, Mobile and Web platforms with no hassle. The editor, language and APIs are feature rich, yet simple to learn. Godot was born as an in-house engine, and was used to publish several work-for-hire commercial titles. With more than half a million lines of code, Godot is one of the most complex Open Source game engines at the moment, and one of the largest commitments to open source software in recent years. It allows developers to make games under Linux (and other unix variants), Windows and OSX." The source is available via Github, and, according to Phoronix, it's about as featureful as the Unity engine.
Oracle

Oracle Broadens Legal Fight Against Third-party Solaris Support Providers 142

angry tapir writes "Oracle is continuing its legal battle against third-party software support providers it alleges are performing such services in a manner that violates its intellectual property. Last week, Oracle sued StratisCom, a Georgia company that offers customers support for Oracle's Solaris OS, claiming it had 'misappropriated and distributed copyright, proprietary software code, along with the login credentials necessary to download this code from Oracle's password-protected websites.'"
Programming

Ask Slashdot: What's the Most Often-Run Piece of Code -- Ever? 533

Hugo Villeneuve writes "What piece of code, in a non-assembler format, has been run the most often, ever, on this planet? By 'most often,' I mean the highest number of executions, regardless of CPU type. For the code in question, let's set a lower limit of 3 consecutive lines. For example, is it:
  • A UNIX kernel context switch?
  • A SHA2 algorithm for Bitcoin mining on an ASIC?
  • A scientific calculation running on a supercomputer?
  • A 'for-loop' inside an obscure microcontroller that runs on all GE appliances since the '60s?"
Unix

If UNIX Were a Religion 392

Hugh Pickens DOT Com writes "Charles Stross has written a very clever article where he describes the religious metaphor he uses with non-technical folks to explain the relationship between Mac OS X and UNIX. There is one true religion in operating systems says Stross and it is UNIX although there's also an earlier, older, more arcane religion with far fewer followers, MULTICS, from which UNIX sprang as a stripped-down rules-deficient heresy. If MULTICS is Judaism then UNIX is Christianity. By the mid-1970s there were two main sects: AT&T UNIX, which we may liken unto the Roman Catholic Church, and BSD UNIX, which we may approximate to the Orthodox Churches. In an attempt to control the schisms, the faithful defined a common interoperating subset of the one true religion that all could agree on—the Nicene Creed of UNIX which is probably POSIX. Stross says that today the biggest church in the whole of UNIX is Mac OS X, which rests on the bedrock of Orthodox BSD but "has added an incredible, towering superstructure of fiercely guarded APIs and proprietary user interface stuff that renders it all but unrecognizable to followers of the Catholic AT&T path." But lo, in the late 1980s, UNIX succumbed to the sins of venality, demanding too much money from the faithful and so, in 1991 Linus Torvalds nailed his famous source code release to the cathedral door and kicked off the Reformation. 'The Linux wars were brutal and unforgiving and Linux itself splintered into a myriad of fractious Protestant churches, from the Red Hat wearing Lutherans to the Ubuntu Baptists.' More recently, a deviant faith has sprung from Linux. 'Android is the Church of Latter Day Saints of UNIX: hard-working, sober, evangelizing the public, and growing at a ferocious rate. There are some strange fundamentalist Mormon Android churches living in walled communities under the banners of Samsung and Amazon, but for the most part the prosperous worship at the Church of Google.' 
Stross notes that as with all religion, those sects with most in common are the ones who hold the most vicious grudges against one another. 'Is that clear?'"
Unix

How Ya Gonna Get 'Em Down On the UNIX Farm? 606

theodp writes "In 1919, Nora Bayes sang, "How ya gonna keep 'em down on the farm after they've seen Paree?" In 2013, discussing User Culture Versus Programmer Culture, CS Prof Philip Guo poses a similar question: 'How ya gonna get 'em down on UNIX after they've seen Spotify?' Convincing students from user culture to toss aside decades of advances in graphical user interfaces for a UNIX command line is a tough sell, Guo notes, and one that's made even more difficult when the instructors feel the advantages are self-evident. 'Just waving their arms and shouting "because, because UNIX!!!" isn't going to cut it,' he advises. Guo's tips for success? 'You need to gently introduce students to why these tools will eventually make them more productive in the long run,' Guo suggests, 'even though there is a steep learning curve at the outset. Start slow, be supportive along the way, and don't disparage the GUI-based tools that they are accustomed to using, no matter how limited you think those tools are. Bridge the two cultures.'" Required reading.
Operating Systems

DragonFlyBSD 3.6 Brings AMD/Intel Graphics Drivers & Better SMP Scaling 48

An anonymous reader writes "DragonFlyBSD 3.6 was released [Monday] with the big new features being dports, Intel and AMD Radeon KMS kernel graphics drivers, major SMP improvements, and improved language support. Dports is the new package management system based upon the FreeBSD Ports collection and replaces pkgsrc as the default; over 20k packages are available via dports. Major SMP scaling improvements come via reducing lock contention within the kernel and other multi-core enhancements. The Intel and Radeon graphics drivers on DragonFlyBSD were ported from the FreeBSD kernel, which in turn were ported from the upstream Linux kernel."
Operating Systems

Yearly FreeBSD Foundation Fundraising Campaign Is On 83

An anonymous reader writes "The FreeBSD Foundation's annual year-end fundraising drive is currently running. Their goal this year is US$ 1M, and they're currently at US$ 427K. In 2013, the efforts that were funded from the last drive were: Native iSCSI kernel stack, Updated Intel graphics chipset support, Integration of Newcons, UTF-8 console support, Superpages for ARM architecture, and Layer 2 networking updates. Also various conferences and summit sponsorships, as well as hardware purchases for the Project. The Foundation is a US 501(c)3 non-profit, so your donations (if in the US) are tax-deductible. Some of the larger 2013 (corporate?) sponsors so far are NetApp, LineRate, WhatsApp, and Tarsnap."
GUI

WxWidgets 3.0: First Major Release in Several Years 147

First time accepted submitter VZ writes "The first new stable wxWidgets release in years and the first new major release since 1998 has just been announced. wxWidgets 3.0 now includes official support for Cocoa-based 32 and 64 bit applications under OS X, GTK+ 3 under Unix and has thousands of other improvements." Update: 11/12 01:00 GMT by U L : Clarification: it's been several years since the 2.8 release series, and fifteen years since wxWidgets 2.0.
Operating Systems

OpenBSD 5.4 Released 102

An anonymous reader writes "The release of OpenBSD 5.4 has been announced. New and notable advancements include new or extended platforms like octeon and beagle, moving VAX to ELF format, improved hardware support including Kernel Mode Setting (KMS), overhauled inteldrm(4), experimental support for fuse(4), reworked checksum handling for network protocols, OpenSMTPD 5.3.3, OpenSSH 6.3, over 7,800 ports, and many other improvements and additions."
Security

'Morris Worm' Turns 25: Watch How TV Covered It Then 51

netbuzz writes "On Nov. 2, 1988, mainstream America learned for the first time that computers get viruses, too, as the now notorious "Morris worm" made front-page headlines after first making life miserable for IT professionals. A PBS television news report about the worm offers a telling look at how computer viruses were perceived (or not) at the time. 'Life in the modern world has a new anxiety today,' says the news anchor. 'Just as we've become totally dependent on our computers they're being stalked by saboteurs, saboteurs who create computer viruses.'"
Programming

What Are the Genuinely Useful Ideas In Programming? 598

Hugh Pickens DOT Com writes "Computer Scientist Daniel Lemire has had an interesting discussion going on at his site about the ideas in software that are universally recognized as useful. 'Let me put it this way: if you were to meet a master of software programming, what are you absolutely sure he will recommend to a kid who wants to become a programmer?' Lemire's list currently includes structured programming; Unix and its corresponding philosophy; database transactions; the 'relational database;' the graphical user interface; software testing; the most basic data structures (the heap, the hash table, and trees) and a handful of basic algorithms such as quicksort; public-key encryption and cryptographic hashing; high-level programming and typing; and version control. 'Maybe you feel that functional and object-oriented programming are essential. Maybe you think that I should include complexity analysis, JavaScript, XML, or garbage collection. One can have endless debates but I am trying to narrow it down to an uncontroversial list.' Inspired by Lemire, Philip Reames has come up with his own list of 'Things every practicing software engineer should aim to know.'"
Operating Systems

GNU Hurd 0.5, GNU Mach 1.4, GNU MIG 1.4 Released 206

jrepin writes "Which day could be better suited for publishing a set of Hurd package releases than the GNU project's 30th birthday? These new releases bundle bug fixes and enhancements done since the last releases more than a decade ago; really too many (both years and improvements) to list them individually. The GNU Hurd is the GNU project's replacement for the Unix kernel. It is a collection of servers that run on the Mach microkernel to implement file systems, network protocols, file access control, and other features that are implemented by the Unix kernel or similar kernels (such as Linux)."
