
SourceForge locked in projects of fleeing users, cashed in on malvertising [Updated]

Filed under: Advertisement, Development

The takeover of the SourceForge account for the Windows version of the open-source GIMP image editing tool reported by Ars last week is hardly the first case of the once-pioneering software repository attempting to cash in on open-source projects that have gone inactive or have actually attempted to shut down their SourceForge accounts. Over the past few years, SourceForge (launched by VA Linux Systems in 1999 and now owned by the tech job site company previously known as Dice) has made it a business practice to turn abandoned or inactive projects into platforms for distribution of "bundle-ware" installers.

Despite promises to avoid deceptive advertisements that trick site visitors into downloading unwanted software and malware onto their computers, these malicious ads are legion on projects that have been taken over by SourceForge's anonymous editorial staff. SourceForge's search engine ranking for these projects often makes the site the first link provided to people seeking downloads for code on Google and Bing search results.

And because of SourceForge's policies, it's nearly impossible for open-source projects to get their code removed from the site. SourceForge is, in essence, the Hotel California of code repositories: you can check your project out any time you want, but you can never leave.

Read more

[Ed: Why am I not surprised?]

More in Tux Machines

Daniel Stenberg: Mr Robot curl

Vasilis Lourdas reported that he did a “curl sighting” in the show and very well I took a closer peek and what do we see some 37 minutes 36 seconds into episode 8 season 4… (I haven’t followed the show since at some point in season two so I cannot speak for what actually has happened in the plot up to this point. I’m only looking at and talking about what’s on the screenshots here.) Elliot writes Python. In this Python program, we can see two curl invokes, both unfortunately blurry on the right side so it’s hard to see them exactly (the blur is really there in the source and I couldn’t see/catch a single frame without it). Fortunately, I think we get some additional clues later on in episode 10, see below. He invokes curl with -i to see the response header coming back but then he makes some questionable choices. The -k option is the short version of --insecure. It truly makes an HTTPS connection insecure since it completely switches off the CA cert verification. We all know no serious hacker would do that in a real world use. Perhaps the biggest problem for me is however the following -X POST. In itself it doesn’t have to be bad, but when taking the second shot from episode 10 into account we see that he really does combine this with the use of -d and thus the -X is totally superfluous or perhaps even wrong. The show technician who wrote this copied a bad example… Read more
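The two mistakes Daniel points out (-k switching off CA verification, and -X POST being redundant next to -d) are exactly the kind of thing a shell-script linter can catch before a script ships. The following is an added example, not code from the curl project or from Daniel's post: a small scanner that walks curl command lines, expands bundled short options such as -ikXPOST, and reports those two patterns. The option table is a deliberately partial subset of curl's flags, the sample script and its host name are constructed, and the finding codes are this example's own.

```python
"""Lint curl invocations in shell scripts for the two mistakes discussed above.

Added example; not code from the curl project or from Daniel Stenberg's post.
Option semantics are limited to the handful of curl flags listed here.
"""
import shlex

# Short options that consume a value, attached (-XPOST, -d@file) or separate (-X POST).
# Deliberately partial: only what the linter needs to walk past correctly.
SHORT_WITH_ARG = set("XdHoAuwT")
LONG_WITH_ARG = {"--request", "--header", "--output", "--user-agent", "--user",
                 "--data", "--data-raw", "--data-binary", "--data-urlencode",
                 "--data-ascii", "--write-out", "--upload-file", "--cacert"}
DATA_LONG = {"--data", "--data-raw", "--data-binary", "--data-urlencode", "--data-ascii"}

INSECURE_TLS = "INSECURE_TLS"          # -k / --insecure switches off CA verification
REDUNDANT_X_POST = "REDUNDANT_X_POST"  # -X POST together with -d, which already POSTs


def lint_curl(cmdline):
    """Return a list of finding codes for one curl command line (empty if clean)."""
    argv = shlex.split(cmdline)
    if not argv or argv[0] != "curl":
        return []
    insecure, method, has_data = False, None, False
    i = 1
    while i < len(argv):
        tok = argv[i]
        i += 1
        if tok == "--insecure":
            insecure = True
        elif tok.startswith("--"):
            if tok in DATA_LONG:
                has_data = True
            if tok in LONG_WITH_ARG and i < len(argv):
                if tok == "--request":
                    method = argv[i]
                i += 1                      # skip the option's value
        elif tok.startswith("-") and len(tok) > 1:
            letters = tok[1:]               # bundled short options, e.g. -ikXPOST
            j = 0
            while j < len(letters):
                c = letters[j]
                j += 1
                if c == "k":
                    insecure = True
                elif c in SHORT_WITH_ARG:
                    if j < len(letters):
                        value = letters[j:]  # attached form: -XPOST, -d@file
                    else:
                        value = argv[i] if i < len(argv) else ""
                        i += 1
                    if c == "X":
                        method = value
                    elif c == "d":
                        has_data = True
                    break                    # the value ends this bundle
    findings = []
    if insecure:
        findings.append(INSECURE_TLS)
    if has_data and method is not None and method.upper() == "POST":
        findings.append(REDUNDANT_X_POST)
    return findings


def lint_script(text):
    """Map 1-based line numbers to findings for every curl line in a script."""
    report = {}
    for n, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("curl "):
            hits = lint_curl(stripped)
            if hits:
                report[n] = hits
    return report


# Constructed sample script (not from the show); the host name is a placeholder.
SAMPLE_SCRIPT = """\
#!/bin/sh
curl -i -k -X POST -d 'user=admin' https://api.example.invalid/login
curl -i -d 'user=admin' https://api.example.invalid/login
curl -ikXPOST --data-raw '{"q":1}' https://api.example.invalid/search
curl -i --cacert /etc/ssl/certs/ca-certificates.crt -d q=1 https://api.example.invalid/search
"""

if __name__ == "__main__":
    for n, hits in sorted(lint_script(SAMPLE_SCRIPT).items()):
        print(f"line {n}: {', '.join(hits)}")
```

Run against the constructed script, lines 2 and 4 are reported (both carry -k and a redundant -X POST) while lines 3 and 5, which let -d imply POST and keep certificate verification on, pass clean. Dropping -X POST is the fix for the second finding; the first one has no shortcut, the script needs a trusted CA bundle (curl's default store or --cacert) rather than -k.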

Ampere's Arm-based eMAG CPU is now available in a workstation

Avantek offers the workstation with a few graphics cards options including the AMD FirePro W2100 2GB, a Radeon Pro WX 5100 8GB, and the Nvidia Quadro GV100 32GB. The workstation is only offered running Linux with a few different flavors including Ubuntu, CentOS and Linux SUSE / openSUSE. Read more

It's Not A VPN-busting Bug, It's A Social Media Enhancer For UNIX Users

Kidding aside, this vulnerability applies to most UNIX-based OSes, with most Linux distros, Android, iOS, macOS, FreeBSD, and OpenBSD all affected. The attacker needs to be able to intercept your data, which means they need to already be on the same network span as your machine or by having control of the router or other exit point, but if they do they can use this flaw to determine the exact SEQ and ACK numbers in your encrypted session. That information can be used to successfully inject data, hijack the connection and possibly redirect your VPN session to imposter pages or other places on the web you really don’t want to go to. Not all VPNs are vulnerable; the researchers quoted at The Register tested this on OpenVPN, WireGuard, and IKEv2/IPSec. Read more

New GNU/Linux Screencasts and Audiocasts: Ubuntu Cinnamon Remix 19.10, Debian 11 Alpha 1, This Week in Linux and Linux Headlines

  • Ubuntu Cinnamon Remix 19.10 | Cinnamon, Ubuntu's new flavor.

    In this video, I am going to show an overview of Ubuntu Cinnamon Remix 19.10 and some of the applications pre-installed.

  • Debian 11 Alpha 1 Gnome Run Through

    In this video, we are looking at Debian 11 Alpha 1, the Gnome edition.

  • Episode 89 | This Week in Linux

    01:32 = Sponsored by Digital Ocean · [link]
    02:30 = elementary OS 5.1 “Hera” Released · [elementary.io]
    07:15 = Ubuntu 20.04 LTS Pre-release Survey · [ubuntu.com]
    09:36 = Ubuntu Cinnamon – First Release · [Links: ubuntu.com,
    13:35 = Tails 4.1 Released · [tails.boum.org]
    16:39 = Kali Linux 2019.4 Released · [kali.org]
    19:49 = CAINE 11.0 Released · [caine-live.net]
    21:13 = DLN + FreeGeek = DLN Charity Drive · link coming soon
    23:19 = Firefox 71 Released · [mozilla.org]
    25:17 = Timekpr-nExT (Parental Controls) · [launchpad.net/timekpr-next]
    29:24 = TWinL Housekeeping
    33:21 = KDE Improvements for Plasma 5.18 · [Links: pointieststick.com
    36:40 = Lutris 0.5.4 Released · [Links: lutris.net,
    39:02 = Humble Choice Replaces Humble Monthly · [tuxdigital.com/go/humble-choice]
    41:45 = Indie Hits Sale on Humble Store · [tuxdigital.com/go/humble-indie-hits-sale]
    42:13 = Humble Sonic Bundle 2019 · [tuxdigital.com/go/humble-sonic-bundle-2019]
    43:27 = Data Science Book Bundle · [tuxdigital.com/go/
    43:56 = Yogscast Jingle Jam · [humblebundle.com]
    45:14 = Outro

  • 2019-12-09 | Linux Headlines 64

    The Raspberry Pi 4 Ubuntu bugs get sorted out, and Canonical reaffirms its commitment to the platform and all future devices. Plus an approachable way to give back to KDE, and more.