10 interesting stories served every morning and every evening.
Well, as of sometime on December 5th a huge number of the archivists that were scrambling to rescue archives from Yahoo Groups, had their {e-mail addresses} apparently banned so they can no longer rescue the archives anymore of the groups they had set up operations to do so.
So that means that for me anyway, Verizon has lost all benefit of the doubt, and is likely at least aware of what Yahoo is doing to groups, or is at worst, complicit.
We are receiving comments and messages from the frustrated and angry groups archivists, and some of those are posted below. You can send in your own if you e-mail it to owlsy@yahoo.com . I won’t put up threatening, nasty or vitriolic messages however, so you can be angry, but be angry in a controlled way that makes us better than them.
From some of our archivists, dated Wednesday, December 4th:
The Archive Team (who is working with to save content to upload to the Internet Archive) was again blocked by Yahoo The block is wiping out the past month of work done by hundreds of volunteers.
This info was reported on their IRC channel.
Yahoo banned all the email addresses that the Archive Team volunteers had been using to join Yahoo Groups in order to download data. Verizon has also made it impossible for the Archive Team to continue using semi-automated scripts to join Yahoo Groups — which means each group must be re-joined one by one, an impossible task (redo the work of the past 4 weeks over the next 10 days)
On top of that, something Yahoo did has killed the last third party tool that users and owners have been using to access their messages, photos and files. (PGOlffine).. Note: not everyone who paid for the PGOffline license is being impacted by the problem. but the developer does not have a workaround. Here is their post about it.
Yahoo’s own data tools do not provide Group Photos and, as in my case, for two IDs I keep getting the data from another Yahoo account.
The Internet Archive/Archive Team Faces 80% Loss of Data Due To Verizon Blocking
@betamax meedee+: we’ve lost the access to the vast majority of the groups we joined [because Verizon blocked access to our accounts]
…. the effect is that some percentage…..of the signed up groups can no longer be fetched from ….”
They are working to get a final number but the Archive Team estimates that is a 80% loss of the Groups they and their volunteers spent the last month joining in preparation for archiving.
For our community, this is a 100% loss of the Groups we submitted to the Archive Team for archiving(30,000).
Thanks for reaching out. It would be really great if you could both forward it to Verizon and publish it on the blog. We had a lot of ‘external’ (non Archive Team) volunteers helping out, with the expectation that the groups they were joining would be saved, and it is important to communicate to them that Yahoo have basically destroyed most of our progress and work will now need to begin from scratch. I want to avoid a situation where someone comes along in six months time, asking for a group they expected to be saved because they joined it, and having to tell them we didn’t manage to save it.
It would also be good to communicate to Yahoo our disappointment that they decided to block our archival efforts without opening a dialogue with us. We’ve always said we’d be happy to work with Yahoo to archive Groups in a way that minimizes disruption to their services. Realistically the only way we’re going to get anywhere near the number of groups we had joined prior to their mass-banning of our accounts is with an extension to the deletion date, which I know you’ve been pushing strongly for. (The ‘best’ solution would be for Verizon to un-ban our accounts, but I doubt that is going to happen).
Many thanks for your fantastic work so far in keeping the spotlight and pressure on Yahoo / Verizon.
I hope to address your concerns and add some clarity on the issues you’re referencing.
Regarding the 128 people that joined Yahoo Groups with the goal to archive them — are those people from Archiveteam.org? If so, their actions violated our Terms of Service. Because of this violation, we are unable reauthorize them. Also, moderators of Groups can ban users if they violate their Groups’ terms, so previously banned members will be unable to download content from that Group. If you can send the user information, we can investigate the cause of lack of access.
The Groups Download Manager will download any content an individual posted to Yahoo Groups. However, it will not download attachments and photos uploaded to the Group by other members. For those that are having difficulty with the files delivered, this help article explains the types of files within the .zip file sent and how to find third party applications that open them. This is the only way that we can deliver data to our users.
While users will no longer be able to post or upload content to the site, the email functionality exists. If you are having issues with this feature, please reach out to YahooGroupsEscalations@verizonmedia.com and we will work to fix the problem with any delay.
I understand your usage of groups is different from the majority of our users, and we understand your frustration. However, the resources needed to maintain historical content from Yahoo Groups pages is cost-prohibitive, as they’re largely unused.
Regarding your concern around timeline, on 10/16, we posted this help page and began sending emails to Groups users explaining the changes to come, including the 12/14 deadline for download request.
On 11/12 and 11/19, we confirmed in email to you that so long as a request to download was put in by December 14th, we will ensure your download is complete before any deletion. This is the case for all Groups users and step-by-step instructions are being sent now to users to support them through the process.
We recognize this transition may be difficult, and we’d like to provide as much assistance and clarity as we can.
From there, I sent two replies — one when I was angrier, and one when I calmed down
VERIZON/YAHOO does NOT understand our frustration.
THE ACCESS IS OFF AND ON.
YAHOO has mistreated us and abused us all for 6 years, and it’s all coming out this weekend. VERIZON owns Yahoo now, and is the one who should clean up their mess.
If we are allowed to have our archives from Verizon/Yahoo, then we should be able to get them ourselves any way we wish. All Verizon plans to do is throw it away. The stuff you send us is messed up, broken, incomplete, and virus ridden. It is UNACCEPTABLE as a solution.
The 128 people you banned were REQUESTED by the group owners to get their stuff.
Verizon refuses to give us more time to get it. We can’t do it in 7 days.
So, we will continue to press public opinion about this issue, in every arena that we can with all that we have to make this deletion stop and give us more time, and work something out with Verizon to get our stuff, which is costly to store, and go away.
Bottom line. Give us our archives and we’ll leave and never come back.
……And this is the second e-mail I sent when I calmed down:
Please relay this to Verizon/Yahoo.
This is the unfairness that Verizon has shown to Yahoo Groups Users.
First of all, the initial letter said that Verizon had researched the use of Yahoo Groups. This is a complete falsehood. You know how I know it is? Because if you had truly researched the use of Yahoo Groups, you’d have found the 30,000 active groups that are used often, many on a daily basis, despite them being broken in many areas. But Verizon did not do that. If they had, they would have found:
A police cooperative in Washington DC that was using them as a network to communicate with their respective neighborhoods with over 17,000 members.
A phone company in the UK that assigns phone numbers using the groups and now will lose all those phone designations when it’s deleted.
A Birding group in new Delhi with 2,000 members that has collected data and research on birds for TWO DECADES.
An Adoption group in France, that has been using it for years and years to communicate and share history and photos and more.
They also would have found:
Numerous support groups for people who are suicidal or depressed.
Numerous medical groups for people to communicate more effectively with their doctors.
Numerous support and help groups for the Elderly.
Numerous Historical groups for WW2 Veterans, Vietnam Veterans, and etc.
Numerous science groups that have used them for years and have all their research there.
Numerous fan fiction groups or arts groups that have shared their work for years.
No Verizon, these groups are NOT largely unused. You just didn’t do your homework. You didn’t find us, who could have told you they were used all the time. You didn’t make an effort to understand what groups were, and how they were used. You just decided they weren’t being used, and weren’t important and decided, “Hey, let’s just delete them!”
So not researching thoroughly, and probably listening to Yahoo’s telling you they weren’t being used was your first mistake.
The second mistake, when the intial plan to delete our archives was hatched, some people learned it on October 17th. Not everyone did. That’s because it was very quiet and low key, and not everyone goes to the website all the time. Many use it when they need to search for something, or check out a photo. The point is it’s a mail list with an archive.
Some e-mails were sent to members, and perhaps maybe all were sent, but believe me, all did not arrive on that date. People began finding out by receiving letters days, weeks, and even a full month later. This is because Groups e-mail is unreliable. Period. It has been unreliable since Mayer broke it in 2013.
Even those learning it on October 17th, had a very small window of time to save their group. It was a period of 58 days, less than 2 months. That was never going to be enough time for over 30,000 groups to save their archives.
As you said, photos were not downloaded from the groups as a group. So anyone who wanted them had to manually save them by hand. And there are groups with thousands or hundreds of thousands of photos, especially art groups and photography groups. It couldn’t be done in the time we were given.
This delay in us finding out, left barely weeks for some people to act. Thus the panic all over the Internet, which Verizon would see if they would just look, was immediate and furious. They came to me, because I stopped the destruction of Yahoo Groups in 2010, and have been crusading against Yahoo for their unethical treatment of us, and fighting to protect our archives for 6 years.
So, as I had kept the Crusade blog up and the Crusade groups open, they all fled back to me. And this time, it wasn’t that we couldn’t get them [our archives] and leave, and it wasn’t that they had broken access. This time Verizon planned total destruction. This time it was for keeps. So of course, I had to start the Crusade again and take it to high gear.
So the best thing Verizon could do, since they are just going to throw us all into the trash anyway, as we aren’t important to them, is let us get our archives any way we can.
The terms of service really should not apply to people who have been told, we’re gonna delete you from existence. If it’s lawful for us to get them from you, in broken buggy and virus ridden state, it’s just as lawful for us to get them ourselves.
Yahoo made a huge mess of us. I tried to warn Verizon even before they purchased it. They did not listen. Now they have the mess on their hands, and we will not be silent. Even if Verizon really does delete us out of existence, we will never stop telling the world what they and Yahoo did. Because it’s high time Yahoo Groups Users start being treated as human beings again.
Bottom line. Verizon is being unfair to a group of people using a property they purchased, they are being unethical in the manner in which they announced it, and unreasonable in the time that they gave us to accomplish it.
So we demand fair and equal treatment, and will stand up for it until we get it.
Ooohkay-then. Thats how they want to be. As you know, the Owl’s gloves are off and this really nails it home how complicit Verizon is going to be. At the same time, press has become aware of Verizon/Yahoo’s choice to become another statistic for bad PR over the matter. We too have this power, and some articles about our cause are already pending over this weekend.
It is time that we take this up a notch. Archiving is still going on through the various teams, but we can begin the fight on another side of this scenario. Won’t you join us?
...
Read the original on modsandmembersblog.wordpress.com »
There’s a popular thread on Hacker News with lots of people complaining about how Google AMP (Accelerated Mobile Pages) is ruining their mobile web experience.
This week I also got two AMP links sent to me via Telegram and to see those Google URLs replacing unique domain names made me a bit sad on behalf of the owners of those sites. As a site owner myself, it feels like sovereignty of a website being taken away.
Other than people sharing links with me, I rarely encounter AMP in the wild. It is possible to restrict Google AMP from your life both as a web user and as a web developer. Here’s how you can fight back against Google AMP.
Other search engines such as Qwant and DuckDuckGo don’t rank AMP sites. So taking the step of switching from Google search to a more ethical choice removes most of the AMP touch points you might have.
It’s simple to switch the default search engine in your browser of choice. You can do it in the browser settings directly. Anything other than Google will get you in the no-AMP territory.
But now you might say all those non-AMP websites you visit are full of advertising, distractions and are slow to load? There’s a solution for that too.
Firefox is a great browser alternative that is worth a try. Just visiting a site with Firefox’s Enhanced Tracking Protection on makes a faster and less intrusive web. It’s a built-in blocker of intrusive ads and invisible scripts.
Firefox also has a Reader Mode so any site can be clutter-free even without AMP. And these features work both on Firefox for desktop and Firefox for mobile. Here’s how the Reader View looks like in Firefox Preview for Android:
Publishers and other site owners feel forced to use AMP as they fear that they’ll lose Google visibility and traffic without it. These are the forces some publishers cannot resist until more people stop using Google Chrome and search.
You as a site owner or developer are a different case. I like the idea of a faster and distraction-free web but I don’t like the idea of web being controlled and molded by one company. Especially not one that is the largest advertising company in the world.
This is the Googled-web Google wants to see you develop. The web “delivered by Google”. Your site being integrated with all the other cool Google products such as Analytics and AdSense.
I enjoy visiting sites created by real people. The AMP pages are more boring, less diverse, less competitive, less functional and have less personality.
The main reason AMP exists is that the sites are slow to load. But why are the sites slow to load in the first place? They feature many unnecessary third-party elements that do nothing for the user experience other than slow it all down.
Google themselves will point the finger at their own analytics and ads if you use their webpage speed tests to measure the performance of your site. They even provide guides on how to make third-party resources less slow.
Analytics scripts, advertising scripts, social media scripts and so much more junk. It is normal to visit a site and the majority of it is composed of unnecessary elements that you don’t see. This is why the web is so much faster with Firefox’s Enhanced Tracking Protection or with an adblocker.
Firefox blocks almost 30 different trackers on a single page of Wired. It also blocks the auto-play of video and audio. This is about 30% of the total page weight. It’s important to note that Wired still gets to display their banners for people to subscribe to the magazine.
As a reader, you don’t really see any difference at all in the article that you’re reading. All this content that they try to load and that is blocked by Firefox is not useful to you.
Here are some stats:
* 94% of sites include at least one third-party resource
* 56% include at least one ad resource
* Google owns 7 of the top 10 most popular third-party calls
And what are these calls that Google owns? They’re things such as Google Analytics, Google Fonts and Google’s DoubleClick advertising scripts.
So you can see why there must be some kind of internal struggle at Google. They understand the value of a faster web but they also cannot go after the main cause of the slow web. And this is how technology such as AMP gets invented and makes things worse.
We should be treating the cause of this slow web disease instead.
It’s possible to make your site faster than an AMP site without using AMP. You need to put the speed as the priority when developing.
* Restrict unnecessary elements. Understand every request your site is making and consider how useful they are. Do those flashing and distracting calls-to-action actually make a difference to the goals you have or are they simply annoying 99% of people that visit your site? Do you really need auto-playing videos?
* Restrict third-party connections and scripts. Do you actually need Google fonts? Do you need the official social media share buttons? Do you need to collect all that behavioral data that you may never look at? There are better and lighter solutions for each of these.
* Lazy load images and videos. There’s simply no reason to load your full page and everything on it as soon as a visitor enters your site. Lazy loading only loads images in the browser’s view and the rest only as the visitor scrolls down the page.
* I have a full guide on steps I took to speed up my WordPress site and get top scores on the different webpage speed tests.
By doing this your original site will load faster than the AMP sites. And the web experience will be better, more open and more diverse to everyone.
I also tweet about things that I care about, think about and work on. If you’d like to hear more, do follow me or add your email to my occasional newsletter.
I’m a digital marketer who grows startups and traffic using content, search and social media marketing. I’m available for hire so if you have a marketing problem that you’d like my help with, reach out to me by emailing hi at my full name dot com.Learn more about me.
...
Read the original on markosaric.com »
December 2019
The most damaging thing you learned in school wasn’t something you
learned in any specific class. It was learning to get good grades.
When I was in college, a particularly earnest philosophy grad student
once told me that he never cared what grade he got in a class, only
what he learned in it. This stuck in my mind because it was the
only time I ever heard anyone say such a thing.
For me, as for most students, the measurement of what I was learning
completely dominated actual learning in college. I was fairly
earnest; I was genuinely interested in most of the classes I took,
and I worked hard. And yet I worked by far the hardest when I was
studying for a test.
In theory, tests are merely what their name implies: tests of what
you’ve learned in the class. In theory you shouldn’t have to prepare
for a test in a class any more than you have to prepare for a blood
test. In theory you learn from taking the class, from going to the
lectures and doing the reading and/or assignments, and the test
that comes afterward merely measures how well you learned.
In practice, as almost everyone reading this will know, things are
so different that hearing this explanation of how classes and tests
are meant to work is like hearing the etymology of a word whose
meaning has changed completely. In practice, the phrase “studying
for a test” was almost redundant, because that was when one really
studied. The difference between diligent and slack students was
that the former studied hard for tests and the latter didn’t. No
one was pulling all-nighters two weeks into the semester.
Even though I was a diligent student, almost all the work I did in
school was aimed at getting a good grade on something.
To many people, it would seem strange that the preceding sentence
has a “though” in it. Aren’t I merely stating a tautology? Isn’t
that what a diligent student is, a straight-A student? That’s how
deeply the conflation of learning with grades has infused our
culture.
Is it so bad if learning is conflated with grades? Yes, it is bad.
And it wasn’t till decades after college, when I was running Y Combinator, that I realized how bad it is.
I knew of course when I was a student that studying for a test is
far from identical with actual learning. At the very least, you
don’t retain knowledge you cram into your head the night before an
exam. But the problem is worse than that. The real problem is that
most tests don’t come close to measuring what they’re supposed to.
If tests truly were tests of learning, things wouldn’t be so bad.
Getting good grades and learning would converge, just a little late.
The problem is that nearly all tests given to students are terribly
hackable. Most people who’ve gotten good grades know this, and know
it so well they’ve ceased even to question it. You’ll see when you
realize how naive it sounds to act otherwise.
Suppose you’re taking a class on medieval history and the final
exam is coming up. The final exam is supposed to be a test of your
knowledge of medieval history, right? So if you have a couple days
between now and the exam, surely the best way to spend the time,
if you want to do well on the exam, is to read the best books you
can find about medieval history. Then you’ll know a lot about it,
and do well on the exam.
No, no, no, experienced students are saying to themselves. If you
merely read good books on medieval history, most of the stuff you
learned wouldn’t be on the test. It’s not good books you want to
read, but the lecture notes and assigned reading in this class.
And even most of that you can ignore, because you only have to worry
about the sort of thing that could turn up as a test question.
You’re looking for sharply-defined chunks of information. If one
of the assigned readings has an interesting digression on some
subtle point, you can safely ignore that, because it’s not the sort
of thing that could be turned into a test question. But if the
professor tells you that there were three underlying causes of the
Schism of 1378, or three main consequences of the Black Death, you’d
better know them. And whether they were in fact the causes or
consequences is beside the point. For the purposes of this class
they are.
At a university there are often copies of old exams floating around,
and these narrow still further what you have to learn. As well as
learning what kind of questions this professor asks, you’ll often
get actual exam questions. Many professors re-use them. After
teaching a class for 10 years, it would be hard not to, at least
inadvertently.
In some classes, your professor will have had some sort of political
axe to grind, and if so you’ll have to grind it too. The need for
this varies. In classes in math or the hard sciences or engineering
it’s rarely necessary, but at the other end of the spectrum there
are classes where you couldn’t get a good grade without it.
Getting a good grade in a class on x is so different from learning
a lot about x that you have to choose one or the other, and you
can’t blame students if they choose grades. Everyone judges them
by their grades �graduate programs, employers, scholarships, even
their own parents.
I liked learning, and I really enjoyed some of the papers and
programs I wrote in college. But did I ever, after turning in a
paper in some class, sit down and write another just for fun? Of
course not. I had things due in other classes. If it ever came to
a choice of learning or grades, I chose grades. I hadn’t come to
college to do badly.
Anyone who cares about getting good grades has to play this game,
or they’ll be surpassed by those who do. And at elite universities,
that means nearly everyone, since someone who didn’t care about
getting good grades probably wouldn’t be there in the first place.
The result is that students compete to maximize the difference
between learning and getting good grades.
Why are tests so bad? More precisely, why are they so hackable?
Any experienced programmer could answer that. How hackable is
software whose author hasn’t paid any attention to preventing it
from being hacked? Usually it’s as porous as a colander.
...
Read the original on paulgraham.com »
The Great Cannon is a distributed denial of service tool (“DDoS”) that operates by injecting malicious Javascript into pages served from behind the Great Firewall. These scripts, potentially served to millions of users across the internet, hijack the users’ connections to make multiple requests against the targeted site. These requests consume all the resources of the targeted site, making it unavailable:
Figure 1: Simplified diagram of how the Great Cannon operates
The Great Cannon was the subject of intense research after it was used to disrupt access to the website Github.com in 2015. Little has been seen of the Great Cannon since 2015. However, we’ve recently observed new attacks, which are detailed below.
The Great Cannon is currently attempting to take the website LIHKG offline. LIHKG has been used to organize protests in Hong Kong. Using a simple script that uses data from UrlScan.io, we identified new attacks likely starting Monday November 25th, 2019.
Websites are indirectly serving a malicious javascript file from either:
Normally these URLs serve standard analytics tracking scripts. However, for a certain percentage of requests, the Great Cannon swaps these on the fly with malicious code:
The code attempts to repeatedly request the following resources, in order to overwhelm websites and prevent them from being accessible:
These may seem like an odd selection of websites and memes to target, however these meme images appear on the LIHKG forums so the traffic is likely intended to blend in with normal traffic. The URLs are appended to the LIHKG image proxy url (eg; https://na.cx/i/6hxp6x9.gif becomes https://i.lih.kg/540/https://na.cx/i/6hxp6x9.gif?t=6009966493) which causes LIHKG to perform the bandwidth and computationally expensive task of taking a remote image, changing its size, then serving it to the user.
It is unlikely these sites will be seriously impacted. Partly due to LIHKG sitting behind an anti-DDoS service, and partly due to some bugs in the malicious Javascript code that we won’t discuss here.
Still, it is disturbing to see an attack tool with the potential power of the Great Cannon used more regularly, and again causing collateral damage to US based services.
These attacks would not be successful if the following resources were served over HTTPS instead of HTTP:
You may want to consider blocking these URLs when not sent over HTTPS.
Below we have described previous Great Cannon attacks, including previous attacks against LIHKG in September 2019.
During the 2015 attacks, DDoS scripts were sent in response to requests sent to a number of domains, for both Javascript and HTML pages served over HTTP from behind the Great Firewall.
A number of distinct stages and targets were identified:
* March 3 to March 6, 2015: Initial, limited test firing of the Great Cannon starts.
* March 13: New attacks against an organization that monitors censorship (GreatFire.org).
Figure 3: Snippet of the code used in early Great Cannon attacks. Later scripts were improved to not require external Javascript libraries.
* March 25: Attacks against GitHub.com start, targeting content hosted from the site GreatFire.org and a Chinese edition of the New York Times. This resulted in a global outage of the GitHub service.
Figure 4: The URLs targeted in the attack against Github.com.
* March 26th - Attacks began using code hidden with the Javascript obfuscator “packer”:
Figure 5: Snippet of the obfuscated code. Current attacks continue to use the same obfuscation.
Research by CitizenLab identified multiple likely points where the malicious code is injected. The Great Cannon operated probabilistically, injecting return packets to a certain percentage of requests for Javascript from certain IP addresses. As noted by commentators at the time, the same functionality could also be used to insert exploitation code to enable “Man-on-the-side” attacks to compromise key targets.
In August 2017, Great Cannon attacks against a Chinese-language news website (Mingjingnews.com) were identified by a user on Stack Overflow. The code in the 2017 attack is significantly re-written and is largely unchanged in the attacks seen in 2019.
Figure 6: An excerpt of the code to target Mingjingnews.com in 2017.
We have continued to see attacks against Mingjingnews in the last year.
On August 31, 2019, the Great Cannon initiated an attack against a website (lihkg.com) used by members of the Hong Kong democracy movement to plan protests.
The Javascript code is very similar to the packer code used in the attacks against Mingjingnews observed in 2017 and onward, and the code was served from at least two locations:
Later versions targeted multiple pages and attempted (unsuccessfully) to bypass DDoS mitigations that the website owners had implemented.
We detect the Great Cannon serving malicious Javascript with the following Suricata rules from AT&T Alien Labs and Emerging Threats Open.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:“AV INFO JS File associated with Great Cannon DDoS”; flow:to_server,established; content:“GET”; http_method; content:“push.js”; http_uri; content:“push.zhanzhang.baidu.com”; http_host; flowbits:set,AVCannonDDOS; flowbits:noalert; classtype:misc-activity; sid:4001470; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:“AV INFO JS File associated with Great Cannon DDoS”; flow:to_server,established; content:“GET”; http_method; content:“11.0.1.js”; http_uri; content:“js.passport.qihucdn.com”; http_host; flowbits:set,AVCannonDDOS; flowbits:noalert; classtype:misc-activity; sid:4001471; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:“AV INFO Potential DDoS attempt related to Great Cannon Attacks”; flow:established,to_client; content:“200″; http_stat_code; file_data; content:“isImgComplete”; flowbits:isset,AVCannonDDOS; reference:url,otx.alienvault.com/pulse/5d6d4da02ee2b6fbff703067; classtype:policy-violation; sid:4001473; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:“AV INFO JS File associated with Great Cannon DDoS”; flow:to_server,established; content:“GET”; http_method; content:“hm.js”; http_uri; content:“hm.baidu.com”; http_host; flowbits:set,AVCannonDDOS; flowbits:noalert; classtype:misc-activity; sid:4001472; rev:1;)
ET WEB_CLIENT Great Cannon DDoS JS M1 sid:2027961
ET WEB_CLIENT Great Cannon DDoS JS M2 sid:2027962
ET WEB_CLIENT Great Cannon DDoS JS M3 sid:2027963
ET WEB_CLIENT Great Cannon DDoS JS M4 sid:2027964
Additional indicators and code samples are available in the Open Threat Exchange pulse.
...
Read the original on cybersecurity.att.com »
Welcome to BIG, a newsletter about the politics of monopoly. If you’d like to sign up, you can do so here. Or just read on…
A few days ago, Ian MacDougall came out with a New York Times/ProPublica piece on how consulting giant McKinsey structured Trump immigration policy. Lots of people cover immigration. I’m going to discuss why the government buys overpriced services from McKinsey. (Spoiler: It goes back to, of course, Bill Clinton.)
First, I’ll be doing a book talk in D. C. on the evening of Dec 10th and one in New York on the evening of Dec 18th for my book Goliath: The 100-Year War Between Monopoly Power and Democracy. There’s info below my signature with details. Business Insider named Goliath one of the best books of the year on how we can rethink capitalism. If you have thoughts on the book, as always, let me know.
In case you’re in the listening to podcast mode, I was recently on Lapham’s Quarterly podcast and Pitchfork Economics with Nick Hanauer to talk monopoly and Goliath.
As regular readers of BIG know, my basic theory of the world is that most of our political economy problems are caused by these guys being in charge of everything.
The Point of McKinsey: Charging $3 Million a Year for the Work of a 23-Year Old
McKinsey has a lot of high-flying rhetoric about strategy, sustainability, and social justice. The company ostensibly pursues intellectual and business excellence, while also using its people skills to help Syrian refugees. That’s nice.
But let’s start with what McKinsey is really about, which is getting organizational leaders to pay a large amount of money for fairly pedestrian advice. In MacDougall’s article on McKinsey’s work on immigration, most of the conversation has been about McKinsey’s push to engage in cruel behavior towards detainees. But let’s not lose sight of the incentive driving the relationship, which was McKinsey’s political ability to extract cash from the government. Here’s the nub of that part of the story.
The consulting firm’s sway at ICE grew to the point that McKinsey’s staff even ghostwrote a government contracting document that defined the consulting team’s own responsibilities and justified the firm’s retention, a contract extension worth $2.2 million. “Can they do that?” an ICE official wrote to a contracting officer in May 2017. The response reflects how deeply ICE had come to rely on McKinsey’s assistance. “Well it obviously isn’t ideal to have a contractor tell us what we want to ask them to do,” the contracting officer replied. But unless someone from the government could articulate the agency’s objectives, the officer added, “what other option is there?” ICE extended the contract.
Such practices used to be called “honest graft.” And let’s be clear, McKinsey’s services are very expensive. Back in August, I noted that McKinsey’s competitor, the Boston Consulting Group, charges the government $33,063.75/week for the time of a recent college grad to work as a contractor. Not to be outdone, McKinsey’s pricing is much much higher, with one McKinsey “business analyst” - someone with an undergraduate degree and no experience - lent to the government priced out at $56,707/week, or $2,948,764/year.
How does McKinsey do it? There are two answers. The first is simple. They cheat. McKinsey is far more expensive than its competition, and is able to get that pricing because of its unethical tactics. In fact, the situation is so dire that earlier this year the General Services Administration’s Inspector General recommended in a report that the GSA cancel McKinsey’s entire government-wide contract. Here’s what the IG showed McKinsey was eventually awarded.
The Inspector General illustrated straightforward corruption at the GSA, which is the agency that sets schedules for how much things cost for the entire U. S. government (and many states and localities, who also use GSA schedules).
What happened is fairly simple. McKinsey asked for 10-14% price hike for its already expensive IT professional services (which is a catch-all for anything). The government contracting officer said no, calling the proposal to update the firm’s contract schedule with much higher costs “ridiculous.” So McKinsey went to the officer’s boss, the Division Director. In 2016, a McKinsey representative sent the following email to the GSA Division Director.
We would really appreciate it if you could assist us with our Schedule 70 application. In particular, given that you understand our model, it would be enormously helpful if you could help the Schedule 70 Contracting Officer understand how it benefits the government.
The pestering worked. The GSA Division Director seems to have had the contract reassigned and granted the price increase McKinsey wanted. The director also seems to have been lying to the inspector general, as well as manipulating pricing data, breaking rules on sole source contracting, and pitching various other government agencies, like the National Oceanic and Atmospheric Administration, to buy McKinsey services. Eventually the director straight up said, “My only interest is helping out my contractor.”
From 2006 when McKinsey signed its original schedule price, to 2019, it received roughly $73.5 million/year, or $956.2 million in total revenue from the government. The inspector general estimated the scam from 2016 onward would cost $69 million in total overpayments. It’s a scandal. But still, something about it doesn’t quite make sense. Why would a government division director at the GSA seek to increase costs for the government? It’s not bribery, since the IG didn’t recommend firing or arresting the government official who pushed up costs (or at least that’s not in the IG report).
And this gets to the second reason why McKinsey can charge so much, which has to do less with McKinsey and more with an incentive to overpay more generally. It’s more likely something called the ‘Industrial Funding Fee,’ or IFF. The GSA’s Federal Acquisition Service gets a cut of whatever certain contractors spend using the GSA’s schedule, and this cut is the IFF. The IFF is priced at .75% of the total amount of a government contract. In the case of McKinsey, since 2006, “FAS has realized $7.2 million in Industrial Funding Fee revenue.”
In other words, the agency of the government in charge of bulk buying isn’t paid for saving money, but for spending too much of it. The IFF also incentivizes the GSA to get the government to outsource to contractors anything it can, simply to get more budget. The IFF has been creating problems like the McKinsey over-payment for a long time. In 2013, the GSA Inspector General traced a similar situation with different contractors. Managers at GSA overruled line contracting officers to raise prices taxpayer pay for contractors Carahsoft, Deloitte and Oracle. Government managers at GSA micro-managed and harassed their subordinates and damaged the careers of contracting officers trying to negotiate fair prices for the taxpayer.
How did the GSA get such a screwed up incentive as the Industrial Funding Fee? Well, in 1995, to get the government to become more entrepreneurial as part of its “Reinventing Government” initiative, Bill Clinton’s administration implemented the Industrial Funding Fee structure. It worked in generating money for the GSA. It worked so well that Congress’s investigative agency found in 2002 that the GSA stopped having to rely on Congressional appropriations. It had so much extra money that it started to spend lavishly on its “fleet program,” which is to say vehicle purchases. In other words, the GSA earned so much money by outsourcing the work of other government agencies to high-priced contractors that it just started buying fleets of extra cars.
By 2010, GSA had “sales” of $39 billion a year. While the GSA is supposed to remit extra revenue to the taxpayer, it often just stuffs the money into overfunded reserves. More fundamentally, the culture of the procurement agencies of government has been completely warped. The GSA’s entire reason for existing was to do better purchasing for the government, using both expertise and mass buying power to get value. But now officials try to generate revenue by getting the government to spend more money on overpriced contractors. Like McKinsey.
Does McKinsey do a good job? The answer is that it’s probably no better or worse than anyone else. I’m sure there are times when McKinsey is quite helpful, but it’s in all probability vastly overpriced for what it is, which is basically a group of smart people who know how to use powerpoint presentations and speak in soothing tones. You can just go through news clippings and find areas McKinsey did cookie cutter nonsense. For instance, McKinsey helped ruin an IT implementation for intelligence services. In the immigration story, MacDougall shows that the consulting firm encouraged ICE to give less food and medical care to detainees. That’s cruelty, not efficiency.
Still, it’s not all on McKinsey. The Industrial Funding Fee is one reason paying $3 million a year for a 23-year old McKinsey employee instead of hiring an experienced person directly to do IT management has some logic to a government procurement division head. The policy solution here is fairly simple - kill the IFF fee structure and finance government procurement agencies through Congressional appropriations directly. Also follow the IG’s recommendation and cancel McKinsey’s contracting schedule.
At any rate, at some point decades ago, we decided that most political and business institutions in America should be organized around cheating people. In this case, the warped and decrepit state of the GSA leads to McKinsey-ifying the entire government. Mr. Clinton, you took a fine government that basically worked, and ruined it. McKinsey sends its thanks.
Thanks for reading. And if you liked this essay, you can sign up here for more issues of BIG, a newsletter on how to restore fair commerce, innovation and democracy. If you want to really understand the secret history of monopoly power, buy my book, Goliath: The 100-Year War Between Monopoly Power and Democracy.
P. S. I’ll be giving book talks in D.C. and New York. Info is below.
December 10 (Tuesday)
Washington, D.C.
Book talk at Public Citizen at 5pm
1600 20th St., NW, Washington, DC 20009
Please RSVP to Aileen Walsh at awalsh@citizen.org.
December 18 (Wednesday)
Brooklyn, NY - Old Stone House from 6:30-8pm
A Conversation with Matt Stoller, author of “Goliath”, and Zephyr Teachout
336 3rd Street
Brooklyn, 11215
INFO
...
Read the original on mattstoller.substack.com »
Try it here: https://www.swiftlatex.com/oauth/login_oauth?type=sandbox
SwiftLaTeX is a Web-browser based editor to create PDF documents such as reports, term projects, slide decks, in the typesetting system LaTeX. In contrast to other web-based editors SwiftLaTeX is true WYSIWYG, What-you-see-is-what-you-get: You edit directly in a representation of the print output. You can import a LaTeX document at any stage of completeness into SwiftLaTeX. You can start a new document with SwiftLaTeX, or you can use SwiftLaTeX for final copy-editing. For advanced operation you can edit the so-called LaTeX source code, which gives you more fine-grained control. SwiftLaTeX is collaborative; you can share your project with others and work on it at the same time. SwiftLaTeX stores your data in the cloud under your account; currently it supports Google Drive and DropBox.
You are welcome to host SwiftLaTeX by yourself according to AGPL licence. And you can also use our web https://www.swiftlatex.com.
You first need to be a Google API Developer to retrieve a Google API Client ID and Secret. See here (https://developers.google.com/identity/protocols/OAuth2)
Edit config.py and put your Client ID and Secret Inside. (You can use environment variables instead.)
All packages are dynamically loaded from our file server and cached locally. Our file server has almost all the packages. If you want to host the file server by yourself, you can checkout another repo: https://github.com/elliott-wen/texlive-server
Currently, this engine is built atop pdftex. So no unicode supported. We are working to port xetex in future release. The engine source code is hosted in https://github.com/SwiftLaTeX/PdfTeXLite. It is unusable so far as we need more time to upload and tidy up the source codes. Stay tuned.
WYSIWYG
Formulas are absolute positioned, therefore, the correct display only comes after a compilation. Reductant spaces occurs between words.
Slow Upload to Google
Our system abstracts your cloud storage as a POSIX-like file system to simplify user interface implementation at the cost of a little bit performance. We are working hard to improve our implementation to reduce the network turn around time.
As an open source project SwiftLaTeX strongly benefits from an active community. It is a good idea to announce your plans on the issue list. So everybody knows what’s going on and there is no duplicate work.
The easiest way to help on the development with SwiftLaTeX is to use it! Furthermore, if you like SwiftLaTeX, tell all your friends and colleagues about it.
User feedback is highly welcome. If you wanna report bugs regarding some TeX documentations not compiling. Please attach the snippets so that we can look into it.
If you are sending PR requests, you own the copyright of your contribution, and that you must agree to give us a license to use it in both the open source version, and the version of SwiftLaTeX running at www.swiftlatex.com, which may include additional changes. For more details, you can see https://www.swiftlatex.com/contribute.html.
Thank you very much for your interest and support:) We are very happy to receive such a warm response. We are currently overwhelmed by our full-time jobs at uni. But we will try our best to monitor this repo and keep improving the code daily. Really appreciate your patience and wish you all a wonderful holiday season:)
If you are interested in reading tech jargons, you could have a look at https://dl.acm.org/citation.cfm?id=3209522&dl=ACM&coll=DL
(Though some stuff in the paper is outdated.)
...
Read the original on github.com »
The Python security team removed two trojanized Python libraries from PyPI (Python Package Index) that were caught stealing SSH and GPG keys from the projects of infected developers.
The two libraries were created by the same developer and mimicked other more popular libraries — using a technique called typosquatting to register similarly-looking names.
The first is “python3-dateutil,” which imitated the popular “dateutil” library. The second is “jeIlyfish” (the first L is an I), which mimicked the “jellyfish” library.
The two malicious clones were discovered on Sunday, December 1, by German software developer Lukas Martini. Both libraries were removed on the same day after Martini notified dateutil developers and the PyPI security team.
While the python3-dateutil was created and uploaded on PyPI two days before, on November 29, the jeIlyfish library had been available for nearly a year, since December 11, 2018.
According to Martini, the malicious code was present only in the jeIlyfish library. The python3-dateutil package didn’t contain malicious code of its own, but it did import the jeIlyfish library, meaning it was malicious by association.
The code downloaded and read a list of hashes stored in a GitLab repository. The nature and purpose of these hashes was initially unknown, as neither Martini or the PyPI team detailed the behavior in great depth before the library was promptly removed from PyPI.
ZDNet asked today Paul Ganssle, a member of the dateutil dev team, to take a closer look at the malicious code and put it in perspective for our readers.
“The code directly in the `jeIlyfish` library downloads a file called ‘hashsum’ that looks like nonsense from a gitlab repo, then decodes that into a Python file and executes it,” Ganssle told ZDNet.
“It looks like [this file] tries to exfiltrate SSH and GPG keys from a user’s computer and send them to this IP address: http://68.183.212.246:32258.”
“It also lists a bunch of directories, home directory, PyCharm Projects directory,” Ganssle added. “If I had to guess what the purpose of that is, I would say it’s to figure out what projects the credentials work for so that the attacker can compromise that person’s projects.”
Both of the malicious libraries were uploaded on PyPI by the same developer, who used the username of olgired2017 — also used for the GitLab account.
It is believed that olgired2017 created the dateutil clone in an attempt to capitalize on the original’s library popularity and increase the reach of the malicious code; however, this also brought more attention from more developers and eventually ended up in exposing his entire operation.
Excluding the malicious code, both typosquatted packages were identical copies of the original libraries, meaning they would have worked as the originals.
Developers who didn’t pay attention to the libraries they downloaded or imported into their projects should check to see if they’ve used the correct package names and did not accidentally use the typosquatted versions.
If they accidentally used any of the two, developers are advised to change the all SSH and GPG keys they’ve used over the past year.
This is the third time the PyPI team intervenes to remove typo-squatted malicious Python libraries from the official repository. Similar incidents have happened in September 2017 (ten libraries), October 2018 (12 libraries), and July 2019 (three libraries).
Article updated one hour after publication with Ganssle’s analysis.
...
Read the original on www.zdnet.com »
Google wants to automate us
Find an alternative to Google Chrome which respects your decision rights
Uninstall or disable Google Chrome on all your devices
Tell everyone you know to do the same — use the hashtag #NoToChrome
We can no longer pretend that Google is a positive force in the world.
There is a simple first step that every internet user can take to make things a little better. Seek out a better web browser to replace Google Chrome and tell everyone to do the same.
No to Chrome is designed as a starting point for anyone who uses the internet to send a message to Google that their relentless disregard for our rights, dignity, democracy and communities will not be tolerated.
There are many ways protest against Google ranging from Tweets to full boycotts but No to Chrome is designed to be for anyone who uses the internet to participate easily and immediately.
Have a look at our Google products pages to see the problems with other Google products and what you can do about them.
Use Apple products and don’t use Chrome? Ensure Google is not your default search engine in Safari.
...
Read the original on notochrome.org »
On 26 Nov 2019 at 14:55 UTC, I logged into my server that hosts my website to perform a simple maintenance activity. Merely three minutes later, at 14:58 UTC, the domain name susam.in used to host this website was transferred to another registrant without any authorization by me or without any notification sent to me. Since the DNS results for this domain name was cached on my system, I was unaware of this issue at that time. It would take me three days to realize that I had lost control of the domain name I had been using for my website for the last 12 years. This blog post documents when this happened, how this happened, and what it took to regain control of this domain name.
On 29 Nov 2019 at 19:00 UTC, when I visited my website hosted at https://susam.in/, I found that a zero-byte file was being served at this URL. My website was missing. In fact, the domain name resolved to an IPv4 address I was unfamiliar with. It did not resolve to the address of my Linode server anymore.
I checked the WHOIS records for this domain name. To my astonishment, I found that I was no longer the registrant of this domain. An entity named The Verden Public Prosecutor’s Office was the new registrant of this domain. The WHOIS records showed that the domain name was transferred to this organization on 26 Nov 2019 at 14:58 UTC, merely three minutes after I had performed my maintenance activity on the same day. Here is a snippet of the WHOIS records that I found:
Domain Name: susam.in
Registry Domain ID: D2514002-IN
Registrar WHOIS Server:
Registrar URL:
Updated Date: 2019-11-26T14:58:00Z
Creation Date: 2007-05-15T07:19:26Z
Registry Expiry Date: 2020-05-15T07:19:26Z
Registrar: NIXI Special Projects
Registrar IANA ID: 700066
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone:
Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Domain Status: serverRenewProhibited http://www.icann.org/epp#serverRenewProhibited
Domain Status: serverDeleteProhibited http://www.icann.org/epp#serverDeleteProhibited
Domain Status: serverUpdateProhibited http://www.icann.org/epp#serverUpdateProhibited
Domain Status: serverTransferProhibited http://www.icann.org/epp#serverTransferProhibited
Registry Registrant ID:
Registrant Name:
Registrant Organization: The Verden Public Prosecutor’s Office
Registrant Street:
Registrant Street:
Registrant Street:
Registrant City:
Registrant State/Province: Niedersachsen
Name Server: sc-c.sinkhole.shadowserver.org
Name Server: sc-d.sinkhole.shadowserver.org
Name Server: sc-a.sinkhole.shadowserver.org
Name Server: sc-b.sinkhole.shadowserver.org
The ellipsis denotes some records I have omitted for the sake of brevity. There were three things that stood out in these records:
The registrar was changed from eNom, Inc. to NIXI Special Projects.
The registrant was changed from Susam Pal to The Verden Public
Prosecutor’s Office.
The name servers were changed from Linode’s servers to
Shadowserver’s sinkholes.
On searching more about the new registrant on the web, I realized that it was a German criminal justice body that was involved in the takedown of the Avalanche
malware-hosting network. It took a four-year concerted effort by INTERPOL, Europol, the Shadowserver Foundation, Eurojust, the Luneberg Police, and several other international organizations to finally destroy the Avalanche botnet on 30 Nov 2016. In this list of organizations, one name caught my attention immediately: The Shadowserver Foundation. The WHOIS name server records pointed to Shadowserver’s sinkholes.
The fact that the domain name was transferred to another organization merely three minutes after I had performed a simple maintenance activity got me worried. Was the domain name hijacked? Did my maintenance activity on the server have anything to do with it? What kind of attack one might have pulled off to hijack the domain name? I checked all the logs and there was no evidence that anyone other than me had logged into the server or executed any commands or code on it. Further, a domain name transfer usually involves email notification and authorization. None of that had happened. It increasingly looked like that the three minute interval between the maintenance activity and the domain name transfer was merely a coincidence.
More questions sprang up as I thought about it. The Avalanche botnet was destroyed in 2016. What has that got to do with the domain name being transferred in 2019? Did my server somehow become part of the Avalanche botnet? My server ran a minimal installation of the latest Debian GNU/Linux system. It was always kept up-to-date to minimize the risk of malware infection or security breach. It hosted a static website composed of static HTML files served with Nginx. I found no evidence of unauthorized access of my server while inspecting the logs. I could not find any malware on the system.
The presence of Shadowserver sinkhole name servers in the WHOIS records was a good clue. Sinkholing of a domain name can be done both malicously as well as constructively. In this case, it looked like the Shadowserver Foundation intended to sinkhole the domain name constructively, so that any malware client trying to connect to my server nefariously would end up connecting to a sinkhole address instead. My domain name was sinkholed! The question now was: Why was it sinkholed?
On 29 Nov 2019 at 19:29 UTC, I submitted a support ticket to Namecheap to report this issue. At 21:05 UTC, I received a response from Namecheap support that they have contacted Enom, their upstream registrar, to discuss the issue. There was no estimate for when a resolution might be available.
At 21:21 UTC, I submitted a domain name
transfer complaint
to the Internet Corporation for Assigned Names and Numbers (ICANN). I was not expecting any response from ICANN because they do not have any contractual authority on a country code top-level domain (ccTLD).
At 21:23 UTC, I emailed National Internet Exchange of India (NIXI). NIXI is the ccTLD manager for .IN domain and they have authority on it. I found their contact details from the IANA Delegation
Record for .IN. Again, I was not expecting a response from NIXI because they do not have any contractual relationship directly with me. They have a contractual relationship with Namecheap, so any communication from them would be received by Namecheap and Namecheap would have to pass that on to me.
At 21:30 UTC, ICANN responded and said that I should contact the ccTLD manager directly. Like I explained in the previous paragraph, I had already done that, so there was nothing more for me to do except wait for Namecheap to provide an update after their investigation. By the way, NIXI never replied to my email.
On 30 Nov 2019 at 07:30 UTC, I shared this
issue on Twitter. I was hoping that someone who had been through a similar experience could offer some advice. In fact, soon after I posted the tweet, a kind person named Max from Germany generously offered to
help by writing a letter in German addressed to the new registrant which was a German organization. The reason for sinkholing my domain name was still unclear. I hoped that with enough number of retweets someone closer to the source of truth could shed some light on why and how this happened.
At 09:54 UTC, Richard Kirkendall, founder and CEO of Namecheap, responded
to my tweet and informed that they were contacting NIXI regarding the issue. This seemed like a good step towards resolution. After all, the domain name was no longer under their upstream registrar named Enom. The domain name was now with NIXI as evident from the WHOIS
records.
Several other users tweeted about my issue, added more information about what might have happened, and retweeted my tweet.
On 1 Dec 2019 at 11:48 UTC, Benedict Addis from the Shadowserver Foundation contacted me by email. He said that they had begun looking into this issue as soon as one of the tweets about this issue had referred to their organization. He explained in his email that my domain name was sinkholed accidentally as part of their Avalanche operation. Although it is now three years since the initial takedown of the botnet, they still see over 3.5 million unique IP addresses connecting to their sinkholes everyday. Unfortunately, their operation inadvertently flagged my domain name as one of the domain names to be sinkholed because it matched the pattern of command and control (C2) domain names generated by a malware family named Nymaim, one of the malware families hosted on Avalanche. Although, they had validity checks to avoid sinkholing false-positives, my domain name unfortunately slipped through those checks. Benedict mentioned that he had just raised this issue with NIXI and requested them to return the domain name to me as soon as possible.
On 2 Dec 2019 at 04:00 UTC, when I looked up the WHOIS records for the domain name, I found that it had been returned to me already. At 08:37 UTC, Namecheap support responded to my support ticket to say that they had been informed that NIXI had returned the domain name to its original state. At 09:55 UTC, Juliya Zinovjeva, Domains Product Manager of Namecheap, commented
on Twitter and confirmed the same thing.
Despite the successful resolution, it was still quite unsettling that a domain name could be transferred to another registrant and sinkholed for some perceived violation. I thought there would be more checks in place to confirm that a perceived violation was real before a domain name could be transferred. Losing a domain name I have been using actively for 12 years was an unpleasant experience. Losing a domain name accidentally should have been a lot harder than this. Benedict from the Shadowserver Foundation assured me that my domain name would be excluded from future sinkholing for this particular case. However, the possibility that this could happen again due to another unrelated operation by another organization in future is disconcerting.
I also wondered if a domain name under a country code top-level domain (ccTLD) like .in is more susceptible to this kind of sinkholing than a domain name under a generic top-level domain (gTLD) like .com. I asked Benedict if it is worth migrating my website from .in to .com. He replied that in his personal opinion, NIXI runs an excellent, clean registry, and are very responsive in resolving issues when they arise. He also added that domain generation algorithms (DGAs) of malware are equally, and possibly more, problematic for .com domains. He advised against migrating my website.
Thanks to everyone who retweeted my tweet on this issue. Also, thanks to Richard Kirkendall (CEO of Namecheap), Namecheap support team, and Benedict Addis from the Shadowserver Foundation for contacting NIXI to resolve this issue.
...
Read the original on susam.in »
Duet - Self hosted project management, invoicing and collaboration
Selfhost web apps, microservices and lambdas on your server. Advanced features enable service reuse and composition.
Updated 8 months ago
The most recent release v0.0.1 was published 1 year ago and has a status of stable
Updated 6 months ago
The most recent release v1.5.0 was published 1 year ago and has a status of stable
Updated 1 month ago
The most recent release 1.3.1 was published 6 years ago and has a status of stable
Automatically generate multiple natural language descriptions of your data varying in wording and structure.
Webbased, open source application for standardsbased archival description and access in a multilingual, multirepository environment.
Updated 6 days ago
The most recent release v1.3.2 was published 4 years ago and has a status of stable
Selfhosted analytics tool for those who care about privacy.
Updated 2 weeks ago
The most recent release v1.4.1 was published 3 weeks ago and has a status of stable
An intelligent process and workflow automation platform based on software agents.
Updated 1 month ago
The most recent release v0.9.5.1 was published 1 month ago and has a status of stable
Admidio is a free open source user management system for websites of organizations and groups. The system has a flexible role model so that it’s possible to reflect the structure and permissions of your organization.
Updated 2 days ago
The most recent release v3.3.11 was published 4 months ago and has a status of stable
Fast and easytouse webmail frontend for your existing IMAP mail server, Plesk or cPanel.
Updated 1 year ago
The most recent release 2.2.0 was published 2 years ago and has a status of stable
Opensource webbased media streamer and jukebox. A fork of Subsonic’s last opensource release, before it switched licenses.
Updated 6 days ago
The most recent release v10.5.0 was published 1 month ago and has a status of stable
Akaunting is a free, online and open source accounting software designed for small businesses and freelancers.
Updated 1 day ago
The most recent release 2.0.1 was published 2 weeks ago and has a status of stable
AlertHub is a simple tool to get alerted from GitHub releases.
Updated 3 months ago
The most recent release v1.2.1 was published 1 year ago and has a status of stable
Updated 3 days ago
The most recent release 2.0-M2 was published 1 month ago and has a status of stable
Web interface for , a program to download videos and audio from .
Updated 2 days ago
The most recent release 2019.11.28 was published 1 week ago and has a status of stable
Updated 4 weeks ago
The most recent release v2.1.18 was published 1 year ago and has a status of stable
Self hosted project management, invoicing, and collaboration. Duet provides ever
An open, extensible, wiki for your team built using React and Node.js.
...
Read the original on selfhostedsource.tech »
To add this web app to your iOS home screen tap the share button and select "Add to the Home Screen".
10HN is also available as an iOS App
If you visit 10HN only rarely, check out the the best articles from the past week.
If you like 10HN please leave feedback and share
Visit pancik.com for more.
