Here's a little something to sour your morning coffee with the acid taste of anxiety: an interesting piece by Joanna Rutkowska pointing out what she claims is an inherent security flaw in the X Window GUI model:
... Start another terminal window, and switch to root (e.g. using su, or sudo). Notice how the xinput running as user is able to sniff all your keystrokes, including root password (for su), and then all the keystrokes you enter in your root session. Start some GUI app as root, or as different user, again notice how your xinput can sniff all the keystrokes you enter to this other app!
I never knew this and am not aware of much discussion going on about the issue. Is this a fundamental flaw that Windows Vista addresses more successfully, as the author claims, or has the time truly come to do away with the X Window model and develop something else? Did the UNIX-Haters Handbook get this one right?
What do you get when you cross an enterprising and talented musician with a hardware hacker? For starters, you get Imogen Heap, a UK musician who wants to change how we interact with our equipment when producing and performing music. She says,
Fifty percent of a performance is racing around between various instruments and bits of technology on stage. I wanted to create something where I could manipulate my computer on the move wirelessly so that music becomes more like a dance rather than a robotic act like pressing a button or moving a fader.
And that's what she's doing. She's created a pair of technical gloves called Mi.Mu that use a series of sensors and can be connected to standard audio equipment to manipulate sound. Any budding musician that has crouched over his/her digital audio equipment fiddling with knobs, sliders, and faders ought to see the advantage in a new interface that allows you to express your music by moving your body, as well as the potential advantages in a stage performance.
Is this a more interesting future for the coming world of wearable computers and technology? And beyond hands, what can we do with this kind of technology?
Today, ISC released the last version of BIND 10, ending the organization's development work and signalling that no further updates will be made to the source pool.
The Bundy Project is currently working with the ISC to move the code to GitHub to continue the program's development.
BIND 9 is the most popular DNS server in use today.
Ubuntu released version 14.04 LTS (codename "Trusty Tahr") today. This is a long-term support distribution, meaning Ubuntu will support it with security and bug fixes for 5 years as it slowly replaces Ubuntu 12.04 LTS that preceded it.
Recent notable changes, such as the move to systemd or the Mir display server, are absent in this release. However, this release adds arm64 and ppc64el architectures. OpenStack and other "cloud" tools also received many updates.
Although critics often disparage the animal codename, the uniqueness of the word does aid Internet searches. For example, if you search for "Ubuntu Bluetooth" you may get outdated information from previous versions that is no longer relevant. However, adding "Precise Pangolin" or "Trusty Tahr" really helps narrow down the results.
What's cooler than a robot? A micro-robot. What's cooler than that? A swarm of them, organizing effortlessly, like ants, to accomplish complicated tasks in parallel and on a small scale, like the manufacture of circuit boards or other products, and dealing effortlessly with both solids and liquids. Sound interesting? It does to SRI International, who has developed and patented a technology called Diamagnetic Micro Manipulation (DM3).
It uses "printed circuit boards to drive and control micro-robots built from simple, low-cost magnets that are propelled electromagnetically. This could enable cost-effective production of large numbers of micro-robots that can reliably handle a wide variety of solid and liquid materials - including electronics. ... [Their] vision is to enable an assembly head containing thousands of micro-robots to manufacture high-quality macro-scale products while providing millimeter-scale structural control. For example, some micro-robots will carry components (electronic as well as mechanical, such as truss elements), some micro-robots will deposit liquids, and others will perform in situ quality analysis. Mounted to a mobile robotic base, a micro-factory will be able to build parts of practically any size."
Have a look at their statement on an ongoing DARPA Open Manufacturing proposition for Microfactories for smart manufacturing. These scare me more than Big-Dog. Let's hope they can never self-replicate and swarm by the millions.
Back in October 2013, Kenneth White and Matthew Green kicked off the idea to do a full and complete audit of TrueCrypt, the most popular disk encryption package out there. They raised over $60,000 dollars and 33BTC to this end, and got underway.
The first part of the audit - the in-depth source code review - was performed by a security firm and completed on April 14 of this year (report).
The results are interesting to read. No bogeys have been found so far, though 11 medium-to-minor items were identified. But the authors did note:
Overall, the source code for both the bootloader and the Windows kernel driver did not meet expected standards for secure code. This includes issues such as lack of comments, use of insecure or deprecated functions, inconsistent variable types, and so forth.
The next stage, cryptanalysis, has begun and is proceeding.
I'm sure plenty of people are thinking, "How about doing the same thing for OpenSSL?" I'd personally prefer to see this sort of effort going into improving the OpenSSL software.
Widely reported this week is a phenomenon that has taken the scientific community by storm. In November 2008, 265 cherry stones (seeds) were sent to the ISS by Japan. They came back to Earth in July the following year. Some were sent for laboratory tests, but most were ferried back to their places of origin, and a selection was planted at nurseries near the Ganjoji temple.
By April this year, the "space cherry tree" had grown to around four metres (13 feet) tall, and suddenly produced nine flowers, each with just five petals, compared with about 30 on flowers of the parent tree. It normally takes about 10 years for a cherry tree of the similar variety to bear its first buds. Cross-pollination with another species could not be ruled out, but a lack of data is hampering an explanation for the early bloom.
Says Miho Tomioka, a spokeswoman for the project's organizer:
The seeds were sent to the ISS as part of an educational and cultural project to let children gather the stones and learn how they grow into trees and live on, after returning from space. We had expected the (Ganjoji) tree to blossom about 10 years after planting, when the children come of age.
Read more at the Japan Times, Engadget, or Discovery.
[Ed. note: Discovery is also running an article on how to have sex in space. Tech journalism isn't what it used to be.]
The Heartbleed bug has sparked new interest in cleaning up the OpenSSL code base. As evidenced by OpenBSD's CVS repository, the team has started removing old platform-specific code, style inconsistencies, non-free hardware crypto engines, and dubious wrappers from the library. Perhaps the best side effect of the Heartbleed bug will be a much cleaner and more secure OpenSSL package.
Ed. note: So, is a catastrophic and highly public failure what it takes to catalyze action in some projects? And if so, which other projects are in need of some energizing disaster?
Update: The mentioned cleanup is taking place in the OpenBSD CVS repository. The official OpenSSL repository information can be found at http://www.openssl.org/source/repos.html
Updates for this week include:
- Added an internal mail system. Users can now privately message each other using familiar email style (username@pipedot.org) addresses.
- New captcha system based off of the textcaptcha.com service.
- You can now submit stories as an AC without logging in.
- You can now post comments as an AC without logging in.
- Raised the default moderation score to 1 for non-AC comments.
- You can no longer moderate your own comments.
- Hide and Expand thresholds can now be saved in your account settings page.
- Added icons to hopefully improve the visibility of certain functions (The syndication feed at the bottom of the page and the Reply button at the top of comment sections)