Security

Project Un1c0rn Wants To Be the Google For Lazy Security Flaws 43

Daniel_Stuckey (2647775) writes "Following broad security scares like that caused by the Heartbleed bug, it can be frustratingly difficult to find out if a site you use often still has gaping flaws. But a little known community of software developers is trying to change that, by creating a searchable, public index of websites with known security issues. Think of Project Un1c0rn as a Google for site security. Launched on May 15th, the site's creators say that so far it has indexed 59,000 websites and counting. The goal, according to its founders, is to document open leaks caused by the Heartbleed bug, as well as 'access to users' databases' in Mongo DB and MySQL. According to the developers, those three types of vulnerabilities are most widespread because they rely on commonly used tools. For example, Mongo databases are used by popular sites like LinkedIn, Expedia, and SourceForge, while MySQL powers applications such as WordPress, Drupal or Joomla, and are even used by Twitter, Google and Facebook."
Encryption

The Sudden Policy Change In Truecrypt Explained 475

X10 (186866) writes "I use Truecrypt, but recently someone pointed me to the SourceForge page of Truecrypt that says it's out of business. I found the message weird, but now there's an explanation: Truecrypt has received a letter from the NSA." Anyone with a firmer source (or who can debunk the claim), please chime in below; considering the fate of LavaBit, it sure sounds plausible. PCWorld lists some alternative software, for Windows users in particular, but do you believe that Microsoft's BitLocker is more secure?
Encryption

TrueCrypt Website Says To Switch To BitLocker 566

Several readers sent word that the website for TrueCrypt, the popular disk encryption system, says that development has ended, and Windows users should switch to BitLocker. A notice on the site reads, "WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues. ... You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform." It includes a link to a new version of TrueCrypt, 7.2, and provides instructions on how to migrate to BitLocker. Many users suspect a site defacement, since there has been no corroborating post or communication from the maintainers. However, the binaries appear to be signed with the same GPG key that the TrueCrypt Foundation used for previous releases. A source code diff of the two versions has been posted, and the new release appears to simply remove much of what the software was designed to do. It also warns users away from relying on it for security. (The people doing an audit of TrueCrypt had promised a 'big announcement' soon, but that was coincidental.) Security experts are warning to avoid the new version until the situation can be verified.
Open Source

Apache OpenOffice Reaches 100 Million Downloads. Now What? 285

We're thankfully long past the days when an emailed Word document was useless without a copy of Microsoft Word, and that's in large part thanks to the success of the OpenOffice family of word processors. "Family," because the OpenOffice name has been attached to several branches of a codebase that's gone through some serious evolution over the years, starting from its roots in closed-source StarOffice, acquired and open-sourced by Sun to become OpenOffice.org. The same software has led (via some hamfisted moves by Oracle after its acquisition of Sun) to the also-excellent LibreOffice. OpenOffice.org's direct descendant is Apache OpenOffice, and an anonymous reader writes with this excellent news from that project: "The Apache Software Foundation (ASF), the all-volunteer developers, stewards, and incubators of more than 170 Open Source projects and initiatives, announced today that Apache OpenOffice has been downloaded 100 million times. Over 100 million downloads, over 750 extensions, over 2,800 templates. But what does the community at Apache need to do to get the next 100 million?" If you want to play along, you can get the latest version of OpenOffice from SourceForge (Slashdot's corporate cousin). I wonder how many government offices -- the U.S. Federal government has long been Microsoft's biggest customer -- couldn't get along just fine with an open source word processor, even considering all the proprietary-format documents they're stuck with for now.
Input Devices

Princeton Students Develop Open Source Voice Control Platform For Any Device 34

rjmarvin (3001897) writes "Two Princeton computer science students have created an open source platform for developing voice-controlled applications that are always on. Created by Shubhro Saha and Charlie Marsh, Jasper runs on the Raspberry Pi under Raspbian, using a collection of open source libraries to make up a development platform for building voice-controlled applications. Marsh and Saha demonstrate Jasper's capability to perform Internet searches, update social media, and control music players such as Spotify. You need a few easily obtainable bits of hardware (a USB microphone, wifi dongle or ethernet, and speakers). The whole thing is powered by CMU Sphinx (which /. covered the open sourcing of back in 2000). Jasper provides Python modules (under the MIT license) for recognizing phrases and taking action, or speaking when events occur. There doesn't seem to be anything tying it to the Raspberry Pi either, so you could likely run it on an HTPC for always-on voice control of your media center."
Open Source

New Apache Allura Project For Project Development Hosting 43

New submitter brondsem writes: "Today the Apache Software Foundation announced the Allura project for hosting software development projects. Think GitHub or SourceForge on your own servers — Allura has git, svn, hg, wiki, tickets, forums, news, etc. It's written in python and has a modular and extensible platform so you can write your own tools and extensions. It's already used by SourceForge, DARPA, German Aerospace Center, and Open Source Projects Europe. Allura is open source; available under the Apache License v2.0. When you don't want all your project resources in the cloud on somebody else's walled garden, you can run Allura on your own servers and have full control and full data access." (SourceForge shares a corporate overlord with Slashdot).
Businesses

Interviews: Ask Larry Augustin What You Will 48

Former chairman of VA Software and venture capitalist, Larry Augustin, co-founded VA Research in 1993 and was one of the driving forces behind the creation of Sourceforge. VA bought Andover.net in 2000, acquiring a number of media sites, including Slashdot. He serves on the board of several companies and is currently the CEO of SugarCRM. Larry has agreed to take some time and answer your questions about the world of venture capital, open source software, and surviving the dotcom bubble. As usual, ask as many as you'd like, but please, one question per post.
Music

Ask Slashdot: An Open Source PC Music Studio? 299

enharmonix writes "I have a big decision to make. I am probably going to buy a laptop that I will primarily use for music. I would prefer an OEM distro so I don't need to install the OS myself (not that I mind), but I have no preference between open- and closed-source software as an end-user; I just care about the quality of the product. There are two applications that I absolutely must have: 1) a standard notation transcription program with quality auditioning (i.e., playback with quality sound fonts or something similar, better than your standard MIDI patches) that can also accept recorded audio in lieu of MIDI playback, and 2) a capable synthesizer (the more options, the better). If there's software out there that does both 1 and 2 in the same app, that's even better. I've played with some of Ubuntu's offerings for music a few years ago and some are very good, though not all of them are self-explanatory and the last time I checked, none of them really met my needs. I am not so worried about number 2 because I think I could pretty easily develop my own in .NET/Mono, which I think would be a fun project (which would be open source, of course). I am a Gnome fan so if I go with Linux, I will almost certainly go with standard Ubuntu over Kubuntu, but Gnome seems to rule out Rosegarden which was the best FOSS transcription software out there the last time I checked. The other solution I've thought of is to just shell out the $600 for Finale, which I'm more than willing to do, but I'm not so sure I want Windows 8 and I'm just not sure I can afford to go with a Mac on top of the $600 for Finale. I don't intend to put more than one OS on my laptop, either. Any slashdotters out there dabble in composing/recording, using MIDI, sound fonts, recorded audio, and/or synthesizers? What setup of hardware/OS/software works for you? Can FOSS music software compete with their pricier closed source competitors?" 
The KXStudio apps installed over Debian or Ubuntu tend to be pretty nice (better session handling than gladish provides, at least).
Software

Ask Slashdot: Events Calendar Software For Local Community? 120

First time accepted submitter hughbar writes "I live in a London suburb that has many activities and classes, yoga, IT [of course], running, art, assorted volunteering and many others. With the help of the local council, we'd now like to make a centralised, searchable database of these, with a number of helpful features: Easy to make submissions, otherwise the whole thing will always be out of date; Web accessible [obviously] but mobile phone friendly as well; Maybe, publish and subscribe, so people can 'subscribe' to yoga listings for example; Handles repeating events, like a classical web calendar; Maybe, can be consolidated with nearby events calendars. I'm aware of MRBS and WebCalendar, but I'm wondering whether there are other suggestions, especially as this is a useful social application. And, yes, I'd like it done with open source, then we can tailor it."
Open Source

Video CES 2014: Danish Company Promises Low-Cost Eye Trackers For the Masses (Video) 22

Their website's "About" page says, under the headline, "Our Big Mission": "The Eye Tribe intends to become the leading provider of eye control technology for mass market consumer devices by licensing the technology to manufacturers." Their only product at the moment is a $99 development kit ($142.50 with shipping and VAT). Some people may want to say, "This is old news. Wasn't there an open source project called Gaze Tracker that was originally developed to help handicapped people interact with the world?" Yes, there was. The Eye Tribe is an outgrowth of the Gaze Tracker research group, which is still going strong and still offers its software for free download (from SourceForge) under an open source license. The company's funding comes in large part from a government grant. In the interview (below), The Eye Tribe CEO Sune Johansen notes that they have just started shipping their development kit, and that they hope to start selling an eye control kit for tablet computers to the general public before long, but he doesn't want to commit to a specific shipping date because they don't want to sell to end users until "...we have enough applications out there so that it makes sense for the consumers to buy it directly."
X

23-Year-Old X11 Server Security Vulnerability Discovered 213

An anonymous reader writes "The recent report of X11/X.Org security being in bad shape rings truer today. The X.Org Foundation announced today that they've found an X11 security issue that dates back to 1991. The issue is a possible stack buffer overflow that could lead to privilege escalation to root, and it affects all versions of the X Server back to X11R5. After 23 years in the code base, it was finally uncovered via the automated cppcheck static analysis utility." There's a scanf used when loading BDF fonts that can be overflowed by a carefully crafted font. Watch out for those obsolete early-90s bitmap fonts.
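The defect class above, an unbounded "%s" conversion into a fixed-size stack buffer while reading a BDF glyph line, is easiest to see next to a width-limited parse that also refuses truncated names. The following is an illustration added for this page, not code from X.Org, libXfont or cppcheck: the BDF fragments are constructed, the glyph-name buffer is deliberately tiny, and the function names are assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Glyph-name buffer, deliberately small so the problem is easy to see.
 * GLYPH_NAME_WIDTH is the most sscanf may store; GLYPH_NAME_MAX adds the NUL. */
#define GLYPH_NAME_WIDTH 15
#define GLYPH_NAME_MAX   (GLYPH_NAME_WIDTH + 1)
#define STR_(x) #x
#define STR(x)  STR_(x)

/* Vulnerable shape (constructed, not the X.Org code): an unbounded "%s"
 * conversion into a fixed buffer. A STARTCHAR line whose glyph name is
 * longer than GLYPH_NAME_WIDTH writes past name_out; when name_out lives
 * on the stack that is the overflow described above. Kept for contrast
 * only; never call it on untrusted input. */
int parse_startchar_unsafe(const char *line, char name_out[GLYPH_NAME_MAX])
{
    return sscanf(line, "STARTCHAR %s", name_out) == 1;
}

/* Hardened shape: the conversion carries a width, and a trailing %c shows
 * whether the token was cut short. A truncated name is rejected rather
 * than silently clipped, so a hostile font cannot pass one glyph name off
 * as another. */
int parse_startchar_safe(const char *line, char name_out[GLYPH_NAME_MAX])
{
    char trailing = '\n';
    int n = sscanf(line, "STARTCHAR %" STR(GLYPH_NAME_WIDTH) "s%c",
                   name_out, &trailing);
    if (n < 1)
        return 0;                   /* not a STARTCHAR line, or no name */
    if (n == 2 && !isspace((unsigned char)trailing))
        return 0;                   /* name exceeded the width: reject */
    return 1;
}

/* Walk a BDF body line by line and collect glyph names.
 * Returns the number of names stored, or -1 if any line is hostile
 * (over-long line, over-long glyph name, or more glyphs than fit). */
int bdf_collect_glyph_names(const char *bdf, char names[][GLYPH_NAME_MAX],
                            int max_names)
{
    int count = 0;
    const char *p = bdf;

    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];

        if (len >= sizeof line)
            return -1;              /* refuse absurd line lengths outright */
        memcpy(line, p, len);
        line[len] = '\0';

        if (strncmp(line, "STARTCHAR ", 10) == 0) {
            if (count >= max_names)
                return -1;
            if (!parse_startchar_safe(line, names[count]))
                return -1;
            count++;
        }
        p = nl ? nl + 1 : p + len;
    }
    return count;
}

/* Constructed sample fonts, not real ones: one benign, one carrying a
 * glyph name far longer than the buffer. */
const char BENIGN_BDF[] =
    "STARTFONT 2.1\n"
    "FONT -misc-fixed-medium-r-normal--8-80-75-75-c-50-iso8859-1\n"
    "CHARS 2\n"
    "STARTCHAR A\n"
    "ENCODING 65\n"
    "ENDCHAR\n"
    "STARTCHAR space\n"
    "ENCODING 32\n"
    "ENDCHAR\n"
    "ENDFONT\n";

const char HOSTILE_BDF[] =
    "STARTFONT 2.1\n"
    "CHARS 1\n"
    "STARTCHAR AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
    "ENCODING 65\n"
    "ENDCHAR\n"
    "ENDFONT\n";

int main(void)
{
    char names[8][GLYPH_NAME_MAX];
    int n = bdf_collect_glyph_names(BENIGN_BDF, names, 8);
    printf("benign font: %d glyphs, first \"%s\"\n", n, n > 0 ? names[0] : "");
    n = bdf_collect_glyph_names(HOSTILE_BDF, names, 8);
    printf("hostile font: %s\n", n < 0 ? "rejected" : "accepted");
    return 0;
}
```

The point of the trailing %c is that a width alone only turns the overflow into silent truncation; the extra conversion lets the parser tell "name fit" from "name was cut", and a font loader running as root should treat the second case as a reason to refuse the file, not to carry on. The same pattern applies to every other scanf family call that reads a token from the font into a fixed buffer.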
Classic Games (Games)

Development To Begin Soon On New Star Control Game 160

In 1990, a development studio called Toys for Bob created a game called Star Control, a fun little space combat game with a bit of strategy added in. In 1992, they released Star Control 2, a full-blown space adventure RPG, which became one of the seminal works of early PC gaming. (Later open-sourced and released for modern systems.) After that, creators Fred Ford and Paul Reiche III lost control of the franchise to Accolade, who botched Star Control 3 and eventually abandoned the series. Last July, Stardock, the studio behind Sins of a Solar Empire, acquired the rights, and they're now discussing their plans to resurrect the classic series. They'll be using Star Control 2 as a template and an inspiration for all aspects of the game, though they won't be using any of the IP from Star Control I & II. They've also contacted Ford and Reiche and will try to hold true to their creative intentions. (The two currently run an Activision game studio, so they won't be involved with the new game.) Production will begin this winter.
KDE

Kdenlive Developer Jean-Baptiste Mardelle Has Been Found 85

jones_supa writes "A month ago there was worry about Kdenlive main developer being missing. Good news guys, Jean-Baptiste Mardelle has been finally reached and is doing fine. In a new mailing list post by Vincent Pinon, he says he managed to find Mardelle's phone number and contacted the longtime KDE developer. It was found out that Mardelle took a break over the summer but then lost motivation in Kdenlive under the burden of the ongoing refactoring of the code. Pinon agreed that there are 'so many things to redo almost from scratch just to get the 'old' functionalities'. The full story can be read from the kdenlive-devel mailing list. After talking with Jean-Baptiste, Vincent has called upon individual developers interested in Kdenlive to come forward. Among the actions called for are putting the Git master code-base back in order, ensuring the code is of good quality, providing new communication about the project, integrating new features like GPU-powered effects and a Qt5 port, and progressively integrating the new Kdenlive design."
Chrome

Google Launches Voice Search Hotword Extension For Chrome 54

An anonymous reader writes "Google has launched the Google Voice Search Hotword extension for Chrome, bringing the 'OK Google' feature to the desktop. You can download the new tool, currently in beta, now directly from the Chrome Web Store. Android users with version 4.4 KitKat will recognize the feature: it lets you talk to Google without first clicking or typing. It's completely hands-free, provided you're already on Google.com: just say 'OK Google' and then ask your question." Quick, someone wire Pocketsphinx up to Firefox, or integrate Simon into Krunner.
Wikipedia

Have 100GB Free? Host Your Own Copy of Wikipedia, With Images 151

First time accepted submitter gnosygnu writes "Want your own copy of English Wikipedia with images? Got 100 GB of disk space? Then open-source app XOWA may be of interest to you. The project released torrents yesterday for the 2013-11-04 version of English Wikipedia. There's 100 GB of sqlite databases containing 13.9 million pages, and 3.7 million images — readable from any Windows, Linux, or Mac OS X system. Image downloads for other wikis are building, but you can still use XOWA to read the text-only version for other wikis like Wiktionary, Wikisource, Wikiquote and 660 more. Next time you find yourself stranded without the internet, you can pull out your own copy of Wikipedia for use."
Advertising

SourceForge Appeals To Readers For Help Nixing Bad Ad Actors 198

Last week, we mentioned that the GIMP project had elected to leave SourceForge as its host, citing SourceForge's advertising policies. SourceForge (which shares a parent company with Slashdot) has released a statement about those policies, addressing in particular both ads that are confusing in themselves and their revenue-sharing system called DevShare, based on the provision of third-party software along with users' downloads. Among other things, the SF team is appealing to users to help them find and block misleading ads, and has this to say about the additional downloads: "The DevShare program has been designed to be fully transparent. The installation flow has no deceptive steps, all offers are fully disclosed, and the clear option to completely decline the offer is always available. All uninstallation procedures are exhaustively documented, and all third party offers go through a comprehensive compliance process to make sure they are virus and malware free."
The Gimp

GIMP, Citing Ad Policies, Moves to FTP Rather Than SourceForge Downloads 336

Dangerous_Minds writes "GIMP, a free and open source alternative to image manipulation software like Photoshop, recently announced that it will no longer be distributing their program through SourceForge. Citing some of the ads as reasons, they say that the tipping point was 'the introduction of their own SourceForge Installer software, which bundles third-party offers with Free Software packages. We do not want to support this kind of behavior, and have thus decided to abandon SourceForge.' The policy changes were reported back in August by Gluster. GIMP is now distributing their software via their own FTP page instead." Note: SourceForge and Slashdot share a corporate parent.
Classic Games (Games)

Boot To Zork 106

Seemingly to inflict more suffering upon himself, Matthew Garrett (lord of getting things to boot using EFI) decided that booting directly into Zork would be cool. Quoting his weblog entry: "So, Frotz seemed like the natural choice when this happened. But despite having a set of functionality that makes it look much more like an OS than a boot environment, UEFI doesn't actually expose a standard C library. The EFI Application Development Kit solves this particular design decision. Porting Frotz ended up involving far more fixing up of Frotz bugs that tripped up -Werror than anything else. One note, though - make sure you include DevShell in the list of required packages at build time, otherwise file i/o will mysteriously fail." Grab the code, assuming you have a copy of Zork (or any other Z-machine game, as long as you name it ZORK1.DAT, I think).
Programming

Ask Slashdot: Attracting Developers To Abandonware? 321

phlawed writes "I've been a Linux user since the previous millennium. I came from OS/2, which I really liked. I quickly felt at home with icewm, using a suitably tweaked config to give me something resembling Presentation Manager. I may have commented on that before. Today, I find myself in a position where my preferred 'environment' is eroding. The only force keeping icewm rolling these days is the distribution package maintainers. I can't code in any meaningful way, nor do I aspire to. I could easily pay for a supported version of icewm, but I can't personally pay someone enough to keep it alive. I'd love it if someone took a personal interest in the code, to ensure that it remains up to date, or to make it run on Wayland or whatever. I want someone to own the code, be proud of it. Is there a general solution for this situation? How do I go about drumming up interest for an old project?"
Data Storage

Ask Slashdot: How Best To Synchronize Projects Between Shared Drive and PCs? 238

Koookiemonster writes "Our company has many projects, each one with a folder on a Samba drive (Z:\). Our problem is syncing only the programmers' current projects (~30 at any time) between Z:\ and their C:\Projects\-folder on five Windows 7 laptops. If we sync the whole Z:\-drive, our projects folders would be filled with too many subfolders, making it difficult to navigate. The folders contain OpenPCS projects (PLC) and related files (Word, Excel, PDF documents); a common project folder is 50 MB. Is there any easy to use, low-budget sync software with scripting, so that we could e.g. only sync folders that exist locally?" (Read more details, below, of what Koookiemonster is looking for.)