Should Companies Audit Their Software Stacks for Critical Open Source Dependencies?

Thoughtworks is a technology consultancy/distributed agile software design company. The principal technologist in its CTO’s office warns that managers of IT assets “need to keep up” with the changing economics of open source:

Early 2022 has brought with it an unusually high level of commotion in the open-source community, largely focused on the economics of who — and how we — should pay for “free” software. But this isn’t just some geeky flame war. What’s at stake is critical for vast swaths of the business world….

We know of many open-source enthusiasts who maintain their software personally while leading busy professional lives — the last thing they want is the responsibility of a service-level agreement because someone paid them for their creation. So, is this the end of the road for the open-source dream? Certainly, many of the open-source naysayers will view the recent upheavals as proof of a failed approach. They couldn’t be more wrong. What we’re seeing today is a direct result of the success of open-source software. That success means there isn’t a one-size-fits-all description to define open-source software, nor one economic model for how it can succeed.

For internet giants like Facebook or Netflix, the popularity, or otherwise, of their respective JavaScript library and software tool — React and Chaos Monkey — is beside the point. For such companies, open-source releases are almost a matter of employer branding — a way to show off their engineering chops to potential employees. The likelihood of them altering licensing models to create new revenue streams is small enough that most enterprises need not lose sleep over it. Nonetheless, if these open-source tools form a critical part of your software stack or development process, you might want some form of contingency plan — you’re likely to have very little sway over future developments, so understanding your risks helps.

For companies that have built platforms containing open-source software, the risks are more uncertain. This is in line with Thoughtworks’ view that all businesses can benefit from a greater awareness of what software is running in their various systems. In such cases, we advise companies to consider the extent to which they’re reliant on that piece of software: are there viable alternatives? In extreme circumstances, could you fork the code and maintain it internally?

Once you start looking at crucial parts of your software stack where you’re reliant on hobbyists, your choices begin to dwindle. But if Log4J’s case has taught us anything, it’s this: auditing what goes into the software that runs your business puts you in a better place than being completely caught by surprise.

Read more of this story at Slashdot.

OpenBSD 7.1 Released with Support for Apple M1, Improvements for ARM64 and RISC-V

“Everyone’s favorite security focused operating system, OpenBSD 7.1 has been released for a number of architectures,” writes long-time Slashdot reader ArchieBunker, “including Apple M1 chips.”

Phoronix calls it “the newest version of this popular, security-minded BSD operating system.”
With OpenBSD 7.1, the Apple Silicon support is now considered “ready for general use” with keypad/touchpad support for M1 laptops, a power management controller driver added, I2C and SPI controller drivers, and a variety of other driver additions for supporting the Apple Silicon hardware.
OpenBSD 7.1 also has a number of other improvements benefiting the 64-bit ARM (ARM64) and RISC-V architectures. OpenBSD 7.1 also brings SMP kernel improvements, support for futexes with shared anonymous memory, and more. On the graphics front, the Linux DRM code has been updated against the state found in Linux 5.15.26, and Intel Elkhart Lake / Jasper Lake / Rocket Lake support is now enabled.

The Register notes OpenBSD now “supports a surprisingly wide range of hardware: x86-32, x86-64, ARM7, Arm64, DEC Alpha, HP PA-RISC, Hitachi SH4, Motorola 88000, MIPS64, SPARC64, RISC-V 64, and both Apple PowerPC and IBM POWER.”
The Register’s FOSS desk ran up a copy in VirtualBox, and we were honestly surprised how quick and easy it was. By saying “yes” to everything, it automatically partitioned the VM’s disk into a rather complex array of nine slices, installed the OS, a boot loader, an X server and display manager, plus the FVWM window manager. After a reboot, we got a graphical login screen and then a rather late-1980s Motif-style desktop with an xterm.
It was easy to install XFCE, which let us set the screen resolution and other modern niceties, and there are also KDE, GNOME, and other pretty front-ends, plus plenty of familiar tools such as Mozilla apps, LibreOffice and so on….

We were expecting to have to do a lot more work. Yes, OpenBSD is a niche OS, but the project gave the world OpenSSH, LibreSSL, the PF firewall as used in macOS, much of Android’s Bionic C library, and more besides…. In a world of multi-gigabyte OSes, it’s quite refreshing. It felt like stepping back into the early 1990s, the era of Real Unix, when you had to put in some real effort and learn stuff in order to bend the OS to your will — but in return, you got something relatively bulletproof.


How US Billionaires Can Avoid Paying Income Taxes

On April 15th Americans filed their taxes with the Internal Revenue Service (or IRS). But on the same day ProPublica was reporting a difference between “the rich and the rest of us” — that their wealth just isn’t easily defined:

For one, wages make up only a small part of their earnings. And they have broad latitude in how they account for their businesses and investments. Their incomes aren’t defined by a tax form. Instead, they represent the triumph of careful planning by skilled professionals who strive to deliver the most-advantageous-yet-still-plausible answers to their clients. For them, a tax return is an opening bid to the IRS. It’s a kind of theory….

We counted at least 16 other billionaires (along with hundreds of other ultrawealthy people, including hedge fund managers and former CEOs) among the stimulus check recipients. This is just how our system works. It’s why, in 2011, Jeff Bezos, then worth $18 billion, qualified for $4,000 in refundable child tax credits. (Bezos didn’t respond to our questions.) A recent study by the Brookings Institution set out with a simple aim: to compare what owners of privately held businesses say they earn with the income that appears on the owners’ tax returns. The findings were stark: “More than half of economic income generated by closely held businesses does not appear on tax returns and that ratio has declined significantly over the past 25 years.”

That doesn’t mean business owners are illegally hiding income from the IRS, though it’s certainly a possible contributor. There are plenty of ways to make income vanish legally. Tax perks like depreciation allow owners to create tax losses even as they expand their businesses… “Losses” from one business can also be used to wipe out income from another. Sometimes spilling red ink can be lots of fun: For billionaires, owning sports teams and thoroughbred racehorses are exciting loss-makers. Congress larded the tax code with these sorts of provisions on the logic that what’s good for businesses is good for the economy. Often, the evidence for this broader effect is thin or nonexistent, but you can be sure all this is great for business owners. The Brookings study found that households worth $10 million or more benefited the most from being able to make income disappear….

In the tax system we have, billionaires who’d really rather not pay income taxes can usually find a way not to. They can bank their accumulating gains tax-free and deploy tax losses to wipe out whatever taxable income they might have. They can even look forward to a few thousand dollars here and there from the government to help them raise their kids or get through a national emergency.
This system also means it’s much harder to catch underreported income on the tax returns of the wealthy, the article points out. And with so many legal deductions, it’s also hard to prove the low incomes really exceed what the law allows. Even then, the wealthy can still hire an army of the best tax lawyers to make their case in court.

And now thousands of auditors have left the agency — and have not been replaced. The end result? “Audits of the wealthy have plummeted.

“Business owners have still more reason to be bold….”


American Phone-Tracking Firm Demo’d Surveillance Powers By Spying On CIA and NSA

Anomaly Six, a secretive government contractor, claims to monitor the movements of billions of phones around the world and unmask spies with the press of a button. Reader BeerFartMoron shares a report: In the months leading up to Russia’s invasion of Ukraine, two obscure American startups met to discuss a potential surveillance partnership that would merge the ability to track the movements of billions of people via their phones with a constant stream of data purchased directly from Twitter. According to Brendon Clark of Anomaly Six — or “A6” — the combination of its cellphone location-tracking technology with the social media surveillance provided by Zignal Labs would permit the U.S. government to effortlessly spy on Russian forces as they amassed along the Ukrainian border, or similarly track Chinese nuclear submarines. To prove that the technology worked, Clark pointed A6’s powers inward, spying on the National Security Agency and CIA, using their own cellphones against them.

Virginia-based Anomaly Six was founded in 2018 by two ex-military intelligence officers and maintains a public presence that is scant to the point of mysterious, its website disclosing nothing about what the firm actually does. But there’s a good chance that A6 knows an immense amount about you. The company is one of many that purchases vast reams of location data, tracking hundreds of millions of people around the world by exploiting a poorly understood fact: Countless common smartphone apps are constantly harvesting your location and relaying it to advertisers, typically without your knowledge or informed consent, relying on disclosures buried in the legalese of the sprawling terms of service that the companies involved count on you never reading.


Ebook Services Are Bringing Unhinged Conspiracy Books into Public Libraries

Librarians say Holocaust deniers, antivaxxers, and other conspiracy theorists are being featured in the catalogs of a popular ebook lending service. From a report: In February, a group of librarians in Massachusetts identified a number of Holocaust denial and anti-Semitic books on Hoopla, including titles like “Debating The Holocaust” and “A New Nobility of Blood and Soil” — the latter referring to the infamous Nazi slogan for nationalist racial purity. After public outcry from library and information professionals, Hoopla removed a handful of titles from its digital collection.

In an email obtained by the Library Freedom Project last month, Hoopla CEO Jeff Jankowski explained that the titles came from the company’s network of more than 18,000 publishers: “[The titles] were added within the most recent twelve months and, unfortunately, they made it through our protocols that include both human and system-driven reviews and screening.” However, quick Hoopla keyword searches for ebooks about “homosexuality” and “abortion” turn up dozens of top results that contain largely self-published religious texts categorized as “nonfiction,” including several titles like “Can Homosexuality Be Healed” which promote conversion therapy and anti-LGBTQ+ rhetoric. This prompted a group of librarians to start asking how these titles are appearing in public library catalogs and why they are ranked so high.
