• Google launches a small team dedicated to updating critical free software / Numerama · 5 days ago - 14:42

Open source software

Google has announced the creation of an internal team of engineers whose mission will be to help properly maintain free software deemed critical.


• Backdoor in public repository used new form of attack to target big firms / ArsTechnica · Wednesday, 11 May - 22:07


A backdoor that researchers found hiding inside open source code targeting four German companies was the work of a professional penetration tester. The tester was checking clients’ resilience against a new class of attacks that exploits public repositories used by millions of software projects worldwide. But it could have been bad. Very bad.

Dependency confusion is a new form of supply-chain attack that came to the forefront in March 2021, when a researcher demonstrated he could use it to execute unauthorized code of his choice on networks belonging to Apple, Microsoft, and 33 other companies. The researcher, Alex Birsan, received $130,000 in bug bounties and credit for developing the new attack form.

A few weeks later, a different researcher uncovered evidence that showed that Amazon, Slack, Lyft, Zillow, and other companies had been targeted in attacks that used the same technique. The release of more than 200 malicious packages into the wild indicated the attack Birsan devised appealed to real-world threat actors.


• 5 handy VLC tips for doing more than playing videos / Numerama · Sunday, 17 April - 16:23

Do you use VLC to play videos? Good choice. But VLC has so many options that you can ask it to do much more.


• Sabotage: Code added to popular NPM package wiped files in Russia and Belarus / ArsTechnica · Friday, 18 March - 18:31


The developer of a popular open source package has been caught adding malicious code to that package, which wiped files from computers located in Russia and Belarus, in a protest that has enraged many users and raised concerns about the safety of free and open source software.

The application, node.ipc, adds remote Inter Process Communication and neural networking capabilities to other open source code libraries. As a dependency, node.ipc is automatically downloaded and incorporated into other libraries, including ones like Vue.js CLI, which has more than 1 million weekly downloads.

A deliberate and dangerous act

Two weeks ago, the node.ipc author pushed a new version of the library that sabotaged computers located in Russia and Belarus, the countries invading Ukraine and providing support for the invasion, respectively. The new release added a function that checked the IP address of developers who used node.ipc in their own projects. When an IP address geolocated to either Russia or Belarus, the new version wiped files from the machine and replaced them with a heart emoji.


• Finding Vulnerabilities in Open Source Projects / Schneier · Wednesday, 2 February - 16:01

The Open Source Security Foundation announced $10 million in funding from a pool of tech and financial companies, including $5 million from Microsoft and Google, to find vulnerabilities in open source projects:

The “Alpha” side will emphasize vulnerability testing by hand in the most popular open-source projects, developing close working relationships with a handful of the top 200 projects for testing each year. “Omega” will look more at the broader landscape of open source, running automated testing on the top 10,000.

This is an excellent idea. This code ends up in all sorts of critical applications.

Log4j would be a prototypical vulnerability that the Alpha team might look for: an unknown problem in a high-impact project that automated tools would not be able to pick up before a human discovered it. The goal is not to use the personnel engaged with Alpha to replicate dependency analysis, for example.

• LibreOffice, Mastodon: the EU offers €200,000 to secure certain free software / Numerama · Monday, 24 January - 15:19

The European Commission is setting up a bug bounty programme for certain free software that its services use heavily.


• Log4j: the White House gathers the tech elite to discuss open source security / Numerama · Thursday, 13 January - 18:13

A meeting is to address how to secure open source, with the question of funding projects crucial to the tech industry in the background.


• DXVK 1.9.3 is out supporting DLSS, D3D9 improvements and more / GamingOnLinux · Tuesday, 11 January - 13:08 · 1 minute

DXVK, the Vulkan-based implementation of D3D9, D3D10 and D3D11 for Wine / Proton, has version 1.9.3 out now. This is what's used in Steam Play Proton to help get Windows games running nicely on Linux. It's a bit of an uphill battle to get so many tens of thousands of games to work nicely, but DXVK shows just how powerful and flexible Vulkan is as an API.

This release brings support for NVIDIA DLSS (Deep Learning Super Sampling) for supported games, when used along with dxvk-nvapi. There's also a bunch of optimizations and accuracy improvements for D3D9 that should help fix games like Red Orchestra 2, Dark Souls 2 (original version), Dog Fight 1942, Bayonetta, Rayman Origins, Guilty Gear Xrd and Richard Burns Rally.

Pictured: Deep Rock Galactic on Linux with DXVK (Proton)

Other improvements include a fix for a "DXGI issue which would sometimes cause games to fail to enter fullscreen mode on some displays that do not support low rates across all resolutions" and improvements for Black Mesa, Crysis 3 Remastered, Euro Truck Simulator, Injustice Gods Among Us, Rocksmith 2014, Splinter Cell: Chaos Theory, Sim City 2013 and The Guild 3.

As a reminder: you can upgrade the version of DXVK used in Proton, without waiting on a new release. To do so you can just overwrite the existing DXVK files with the release download of DXVK 1.9.3. You can find your Proton install somewhere like this (depending on your Steam Library drives):

path-to-your/SteamLibrary/steamapps/common/Proton x.x/dist

where x.x is whichever installed Proton version you wish to give a new DXVK.

Inside there you will see "lib" and "lib64", for 32-bit and 64-bit. Inside each of those there's a "wine" folder, and inside that is a "dxvk" folder; that's where you replace the files with the new versions. Do so at your own risk, but it's usually harmless. If you mess anything up, one way to ensure it gets reinstalled cleanly is simply to remove the "/dist" folder.
