Open Source

FreeNAS and TrueNAS Are Merging (liliputing.com) 94

An anonymous reader shares a report: FreeNAS is a free and open source operating system designed for network-attached storage (NAS) devices. For much of the past decade, the project has been led by the folks at iXsystems, which has also produced an enterprise version of the software called TrueNAS. Now iXsystems has announced that FreeNAS and TrueNAS are merging. Moving forward there will be a single operating system called TrueNAS rather than two different, but closely related operating systems. According to the company, the latest versions of the operating systems (FreeNAS 11.3 and TrueNAS 11.3) already share about 95-percent of the same source code. Starting with TrueNAS 12, there will only be a single OS image. But the company will offer two editions:
TrueNAS CORE: open source edition
TrueNAS Enterprise: commercial version with enterprise management and support.

Hardware

Open Source CPU Architecture RISC-V Is Gaining Momentum (insidehpc.com) 41

The CEO of the RISC-V Foundation (a former IBM executive) touted the open-source CPU architecture at this year's HiPEAC conference, arguing there's "a growing demand for custom processors purpose-built to meet the power and performance requirements of specific applications..." As I've been travelling across the globe to promote the benefits of RISC-V at events and meet with our member companies, it's really struck me how the level of commitment to drive the mainstream adoption of RISC-V is like nothing I've seen before. It's exhilarating to witness our community collaborate across industries and geographies with the shared goal of accelerating the RISC-V ecosystem... With more than 420 organizations, individuals and universities that are members of the RISC-V Foundation, there is a really vibrant community collaborating together to drive the progression of ratified specs, compliance suites and other technical deliverables for the RISC-V ecosystem.

While RISC-V has a BSD open source license, designers are welcome to develop proprietary implementations for commercial use as they see fit. RISC-V offers a variety of commercial benefits, enabling companies to accelerate development time while also reducing strategic risk and overall costs. Thanks to these design and cost benefits, I'm confident that members will continue to actively contribute to the RISC-V ecosystem to not only drive innovation forward, but also benefit their bottom line... I don't have a favorite project, but rather I love the amazing spectrum that RISC-V is engaged in — from a wearable health monitor to scaled out cloud data centres, from universities in Pakistan to the University of Bologna in Italy or Barcelona Supercomputing Center in Spain, from design tools to foundries, from the most renowned global tech companies to entrepreneurs raising their first round of capital. Our community is broad, deep, growing and energized...

The RISC-V ecosystem is poised to significantly grow over the next five years. Semico Research predicts that the market will consume a total of 62.4 billion RISC-V central processing unit (CPU) cores by 2025! By that time I look forward to seeing many new types of RISC-V implementations including innovative consumer devices, industrial applications, high performance computing applications and much more... Unlike legacy instruction set architectures (ISAs) which are decades old and are not designed to handle the latest workloads, RISC-V has a variety of advantages including its openness, simplicity, clean-slate design, modularity, extensibility and stability. Thanks to these benefits, RISC-V is ushering in a new era of silicon design and processor innovation.

They also highlighted a major advantage. RISC-V "provides the flexibility to create thousands of possible custom processors. Since implementation is not defined at the ISA level, but rather by the composition of the system-on-chip and other design attributes, engineers can choose to go big, small, powerful or lightweight with their designs."
Open Source

The Linux Foundation Identifies Most Important Open-Source Software Components and Their Problems (zdnet.com) 29

The Linux Foundation's Core Infrastructure Initiative (CII) and the Laboratory for Innovation Science at Harvard (LISH) have revealed -- in "Vulnerabilities in the Core, a preliminary report and Census II of open-source software" -- the most frequently used components and the vulnerabilities they share. From a report: This Census II analysis and report is the first major study of its kind but isn't a final analysis. It takes important first steps and lays out a methodology for understanding and addressing open-source software structural and security complexities. Specifically, it also identifies the most commonly used free and open-source software (FOSS) components in production applications and examines them for potential vulnerabilities. To create this work, CII and LISH partnered with Software Composition Analysis (SCAs) and application security companies such as Snyk and Synopsys Cybersecurity Research Center. They combined private usage data with publicly available datasets for identifying over 200 of the most used open-source software projects.

These are not the programs -- Apache, MySQL, Linux -- that probably spring to your mind. For all their foundational importance, it's the small building block programs that are most widely used. They may be small, sometimes less than a hundred lines of code (LoC), but they're vital. As Frank Nagle, a professor at Harvard Business School and co-director of the Census II project, said: "FOSS was long seen as the domain of hobbyists and tinkerers. However, it has now become an integral component of the modern economy and is a fundamental building block of everyday technologies like smart phones, cars, the Internet of Things, and numerous pieces of critical infrastructure. Understanding which components are most widely used and most vulnerable will allow us to help ensure the continued health of the ecosystem and the digital economy."

Open Source

OpenPower Foundation Releases a Friendly EULA For IBM's Power ISA RISC (phoronix.com) 28

Long-time Slashdot reader lkcl writes: Michael Larabel, of Phoronix, writes that the OpenPower Foundation has released a license agreement for Hardware Vendors to implement the Power ISA RISC instruction set in their processors. Hugh Blemings, the Director of OpenPower, was responsible for ensuring that the EULA is favourable and friendly towards Libre and Open Hardware projects and businesses.

Of particular interest is that IBM's massive patent portfolio is automatically granted, royalty-free as long as two conditions apply: firstly, the hardware must be fully and properly Power ISA compliant, and secondly, the implementor must not "try it on" as a patent troll.

Innovation in the RISC space just got a little more interesting.

"Amidst the fully free and open RISC-V ISA making headway into the computing market, and ARM feeling pressured to loosen up its licensing, it seems they figured that it's best to join the party early," argues Hackaday.
Windows

Warning: Microsoft Pulls Windows 10 Security Update After Reports of Serious Bugs (forbes.com) 103

Slashdot reader golden_donkey quotes Forbes: Are you booting up your Windows 10 machine and discovering you can't log in to your profile? It appears you're not alone. Reports are increasing across Twitter and Microsoft forums that following the most recent Patch Tuesday update (KB4532693), users are complaining that their profiles and desktop files are missing, and that custom icons and wallpaper have all been reset to their default state...

The KB4532693 update is allegedly causing much more serious headaches for some users. A newer report by Windows Latest cites multiple users in their comments section complaining that the data is nowhere to be found and allegedly not recoverable.

Microsoft has now "yanked KB4524244 from its update servers..." reports ZDNet, "after acknowledging reports of 'an issue affecting a sub-set of devices.'" Microsoft says customers who have successfully installed the update don't need to take any further steps. Those who have configured PCs to defer installation of updates by at least four days should also be unaffected.

For those who are experiencing issues related to this update, Microsoft recommends uninstalling the update.

Forbes also shared a video "on a related note." Its title? "How To Choose A Linux Distro That's Right For You..."
AI

'Five Open-Source Projects AI Enthusiasts Might Want To Know About' (linuxsecurity.com) 28

b-dayyy quotes Linux Security: As AI becomes more and more ingrained in our daily lives through consumer products, we can't help but be concerned that proprietary software will comprise the market. And we are not talking about a million-dollar market, but a bigger one that may reach US$118.6 billion by 2025. Many industries and end-users would thus benefit from more open-source AI projects and tools for developers' use. That would save tons of individuals and companies money to build their own AI-powered apps.

In this post, we explore five open-source AI projects or tools that are compatible with Linux and delve into the pros and cons of open-source AI and AI in general.

The list includes TensorFlow by Google's AI research team, as well as Microsoft Cognitive Toolkit. The article points out that open-source AI "is also being explored in developing hardware, specifically microprocessors that are more secure," and suggests some other possible transformative uses, including smart farming technologies "that aid in livestock and crop monitoring, irrigation, weather forecasting, and overall farm management... [H]ealthcare becomes more factual than intuitive, increases in revenue can be seen more clearly in marketing efforts, and food security becomes a reality rather than a dream.

"However, we should not discount the fact that AI can also be weaponized, empowering the wrong people. Cybersecurity systems must also be upgraded to counter AI-powered cyberattacks. And when developing AI-powered machines, it is critical to ensure that they are not vulnerable to attacks."
Open Source

Elementary OS Wants to Crowdfund a Better Distro-Independent 'AppCenter for Everyone' (indiegogo.com) 17

In 2017 Elementary OS built a pay-what-you-want app store -- funded with $10,000 raised on IndieGogo. Now they're trying to raise another $10,000 for a one-week, in-person sprint in Denver, Colorado, Forbes reports, to upgrade the store while bringing an even grander concept to reality: That concept comprises 4 main goals:

- Enable open source developers to monetize their apps on every other Linux distribution

- Empower developers to ship apps with cutting-edge technologies

- Improve privacy, security, and stability

- Streamline the payments process

On the technical side of things, the team plans to rebuild AppCenter's backend from the ground up to enable newer technologies developers are asking for, and they're rallying behind the Flatpak packaging format to get it done. They've already been collaborating with the FlatHub team, and plan to bring in developers from Endless and GNOME to ensure that "our solution can be reused and improved by other Flatpak stores and the greater open source desktop ecosystem."

For a donation of $10, "you'll have your name immortalized in the AppCenter code on GitHub," explains a promotional video. (There are already 70 backers who have claimed this perk.) In fact, "Less than 8 hours ago we launched #AppCenterForEveryone, and we're 50% funded," announced an update Friday on Twitter. The campaign's web page shared this note of appreciation.

"With your support, we'll be able to accelerate the timeline on adopting cutting edge technology and making an even more competitive Open Source operating system and a compelling foundation for all Flatpak stores."
Encryption

Linus Torvalds Pulls WireGuard VPN into Linux 5.6 Kernel Source Tree (techradar.com) 51

"The WireGuard VPN protocol will be included into the next Linux kernel as Linus Torvalds has merged it into his source tree for version 5.6," reports TechRadar:
While there are many popular VPN protocols such as OpenVPN, WireGuard has made a name for itself by being as easy to configure and deploy as SSH... The WireGuard protocol is a project from security researcher and kernel developer Jason Donenfeld who created it as an alternative to both IPsec and OpenVPN. Since the protocol consists of around just 4,000 lines of code as opposed to the 100,000 lines of code that make up OpenVPN, it is much easier for security experts to review and audit for vulnerabilities.

While WireGuard was initially released for the Linux kernel, the protocol is now cross-platform and can be deployed on Windows, macOS, BSD, iOS and Android.

Ars Technica notes that with Linus having merged WireGuard into the source tree, "the likelihood that it will disappear between now and 5.6's final release (expected sometime in May or early June) is vanishingly small." WireGuard's Jason Donenfeld is also contributing AVX crypto optimizations to the kernel outside the WireGuard project itself. Specifically, Donenfeld has optimized the Poly1305 cipher to take advantage of instruction sets present in modern CPUs. Poly1305 is used for WireGuard's own message authentication but can be used outside the project as well — for example, chacha20-poly1305 is one of the highest-performing SSH ciphers, particularly on CPUs without AES-NI hardware acceleration.

Other interesting features new to the 5.6 kernel will include USB4 support, multipath TCP, AMD and Intel power management improvements, and more.

Open Source

CERN Is Replacing Facebook Workplace With a Set of Open-Source Software Alternatives (phoronix.com) 18

CERN, the European Organization for Nuclear Research, is moving away from Facebook Workplace to instead make use of more open-source software packages. Phoronix reports: Facebook Workplace is Facebook's corporate-focused product for internal real-time communication and related communication needs within organizations. CERN had been making use of Facebook Workplace and in addition to data privacy concerns, they were recently confronted with either paying Facebook or losing administrative rights, no more single sign-on access, and Facebook having access to their internal data. But now they have assembled their own set of software packages to fill the void by abandoning Facebook Workplace.

CERN is now using the Mattermost open-source software for online chat and Discourse for further information exchange. CERN's IT department is working on filling the gaps further left by getting rid of Facebook Workplace. [CERN has published a post with more details about the move.]
ZDNet points out that this latest announcement "ends a nearly four-year trial with Facebook Workplace and means CERN will remove its presence from the platform on January 31, 2020."
Open Source

Linux 5.5 Released (kernel.org) 32

jrepin writes: Linus Torvalds has announced the Linux 5.5 release, codenamed Kleptomaniac Octopus. The latest version of the open source operating system kernel brings RAID1 with 3 and 4 copies to the btrfs filesystem, ext4 gets direct I/O via iomap together with fscrypt supporting smaller block sizes, and you can now use SMB as root filesystem. AMD OverDrive overclocking is now supported on Navi GPUs, and wake-on-voice on newer Google Chromebooks is now supported. Added was a Logitech keyboard driver. KUnit is a new unit testing framework for the kernel. There are many more new features which you can read about on the Kernel Newbies changelog page. For downloads visit The Linux Kernel Archives.
Privacy

ProtonVPN Open Sources All Its Code (protonvpn.com) 29

ProtonVPN open sourced its code this week, ZDNet reports: On Tuesday, the virtual private network (VPN) provider, also known for the ProtonMail secure email service, said that the code backing ProtonVPN applications on every system -- Microsoft Windows, Apple macOS, Android, and iOS -- is now publicly available for review in what Switzerland-based ProtonVPN calls "natural" progression.

"There is a lack of transparency and accountability regarding who operates VPN services, their security qualifications, and whether they fully conform to privacy laws like GDPR," the company says. "Making all of our applications open source is, therefore, a natural next step." Each application has also undergone a security audit by SEC Consult, which ProtonVPN says builds upon a previous partnership with Mozilla...

The source code for each app is now available on GitHub (Windows, macOS, Android, iOS). "As a community-supported organization, we have a responsibility to be as transparent, accountable, and accessible as possible," ProtonVPN says.

"Going open source helps us to do that and serve you better at the same time."

They're also publishing the results of an independent security audit for each app. "As former CERN scientists, publication and peer review are a core part of our ethos..." the company wrote in a blog post. They also point out that Switzerland has some of the world's strongest privacy laws -- and that ProtonVPN observes a strict no-logs policy.

But how do they feel about their competition? "Studies have found that over one-third of Android VPNs actually contain malware, many VPNs suffered from major security lapses, and many free VPN services that claimed to protect privacy are secretly selling user data to third parties."
Hardware Hacking

Coming Soon: an Open Source eBook Reader (gizmodo.com.au) 46

Electronic component distributor Digi-Key will be producing a small manufacturing run of the "open hardware" ereader from the Open Book Project, reports Gizmodo: The raw hardware isn't as sleek or pretty as devices like the Kindle, but at the same time there's a certain appeal to the exposed circuit board which features brief descriptions of various components, ports, and connections etched right onto the board itself for those looking to tinker or upgrade the hardware. Users are encouraged to design their own enclosures for the Open Book if they prefer, either through 3D-printed cases made of plastic, or rustic wooden enclosures created using laser cutting machines. With a resolution of just 400x300 pixels on its monochromatic E Ink display, text on the Open Book won't look as pretty as it does on the Amazon Kindle Oasis which boasts a resolution of 1,680x1,264 pixels, but it should barely sip power from its built-in lithium-polymer rechargeable battery -- a key benefit of using electronic paper.

The open source ereader -- powered by an ARM Cortex M4 processor -- will also include a headphone jack for listening to audio books, a dedicated flash chip for storing language files with specific character sets, and even a microphone that leverages a TensorFlow-trained AI model to intelligently process voice commands so you can quietly mutter "next!" to turn the page instead of reaching for one of the ereader's physical buttons like a neanderthal. It can also be upgraded with additional functionality such as Bluetooth or wifi using Adafruit Feather expansion boards, but the most important feature is simply a microSD card slot allowing users to load whatever electronic text and ebook files they want. They won't have to be limited by what a giant corporation approves for its online book store, or be subject to price-fixing schemes which, for some reason, have still resulted in electronic files costing more than printed books.

Open Source

Framework Developer 'Ragequits' Open Source Community, Citing Negative Comments, 'Very Few Provide Help' (theregister.co.uk) 122

The maintainer of the popular Rust web framework Actix has quit the project -- though he's backed off threats to make its code private and delete its repository, instead appointing a new maintainer. "Be a maintainer of large open source project is not a fun task," he'd complained last week on GitHub. "You alway face with rude and hate, everyone knows better how to build software, nobody wants to do home work and read docs and think a bit and very few provide any help...

"You felt betrayed after you put so much effort and then to hear all this shit comments, even if you understand that that is usual internet behavior.... Nowadays supporting actix project is not fun, and be[ing] part of rust community is not fun as well."

The Register reports: Actix Web was developed by Nikolay Kim, who is also a senior software engineer at Microsoft, though the Actix project is not an official Microsoft project. Actix Web is based on Actix, a framework for Rust based on the Actor model, also developed by Kim. The web framework is important to the Rust community partly because it addresses a common use case (developing web applications) and partly because of its outstanding performance. For some tests, Actix tops the Techempower benchmarks.

The project is open source and while it is popular, there has been some unhappiness among users about its use of "unsafe" code... Safe code is protected from common bugs (and more importantly, security vulnerabilities) arising from issues like variables which point to uninitialized memory, or variables which are used after the memory allocated to them has been freed, or attempting to write data to a variable which exceeds the memory allocated. Code in Rust is safe by default, but the language also supports unsafe code, which can be useful for interoperability or to improve performance.

There is extensive use of unsafe code in Actix, leading to debate about what should be fixed. Kim was not always receptive to proposed changes... Kim said that he did not ignore or delete issues arbitrarily, but only because he felt he had a better or more creative solution than the one proposed -- while also acknowledging that the "removing issue was a stupid idea." He also threatened to "make [Actix] repos private and then delete them...." Since then, matters have improved. The GitHub repository was restored and Kim said, "I realized, a lot of people depend on actix. And it would be unfair to just delete repos... I hope new community of developers emerge. And good luck!"

The developer news site DevClass wrote that "The apparent 'ragequit' has prompted questions about the dynamics within the open source community." Over 120 GitHub users have now signed a sympathetic letter to Nikolay from "users, contributors, and followers of your work in the Rust community," saying "We are extremely disappointed at the level of abuse directed towards you."

"Working on open source projects should be rewarding, and your work has empowered thousands of developers across the world to build web services with Rust. It's incredibly tragic for someone who has contributed so much to the community, to be made to feel so unwelcome that they feel that they have no other choice than to leave. This is not the kind of community we want."
The Courts

EFF Defends Bruce Perens Victory Against 'Open Source Security' in Appeals Court 30

Bruce Perens (Slashdot reader #3872) co-founded the Open Source Initiative with Eric Raymond in 1998. (And then left it this January 2nd.)

But in 2017 Perens was also sued partly over comments made in a Slashdot discussion. He's just shared a video from the 9th Circuit Appeals Court hearing -- along with this update: Open Source Security Inc. and their CEO, Mr. Bradley Spengler, sued me for 3 Million dollars for defamation, because I wrote this blog post, in which I explained why I thought they were in violation of the GPL. They lost in the lower court, and had to file this $300,000 bond to pay for my defense, which will be awarded to my attorneys if the appeals court upholds the lower court's finding.

Because OSS/Spengler are in Pennsylvania and I am in California, this was tried before a Magistrate in Federal court, with the laws of California and the evidentiary rules of the Federal Court. Thus, I am now in the 9th Circuit for appeal.

The first attorney to appear is for OSS/Spengler. The second works for EFF, and the third for O'Melveny. In my opinion EFF and O'Melveny did a great job.

If you are interested in the case, I have a partial archive of the case documents from PACER, and a link to PACER where the rest can be found, here.
Wine

Wine 5.0 Released (bleepingcomputer.com) 60

An anonymous reader quotes a report from BleepingComputer: Wine 5.0 has been released today and contains over 7,400 bug fixes and numerous audio and graphics improvements that will increase performance in gaming on Linux. With the release of Wine 5.0, WineHQ hopes to resolve many of these issues, with the main improvements being:

- Builtin modules in PE format: To make games think Wine is a real Windows environment, most Wine 5.0 modules have been converted into the PE format rather than ELF binaries. It is hoped that this will allow copy-protection and anti-cheat programs to not flag games running under Wine as being modified.

- Multi-monitor support: Multiple display adapters and multi-monitor configurations are now supported under Wine.

- XAudio2 reimplementation: XAudio2 libraries have been added back to Wine and will use the FAudio library for better compatibility.

- Vulkan 1.1 support: "The Vulkan driver supports up to version 1.1.126 of the Vulkan spec."

Here are the release notes, download locations for the binary packages (when available) and source.
Open Source

What Linus Torvalds Gets Wrong About ZFS (arstechnica.com) 279

Ars Technica recently ran a rebuttal by author, podcaster, coder, and "mercenary sysadmin" Jim Salter to some comments Linus Torvalds made last week about ZFS.

While it's reasonable for Torvalds to oppose integrating the CDDL-licensed ZFS into the kernel, Salter argues, he believes Torvalds' characterization of the filesystem was "inaccurate and damaging."
Torvalds dips into his own impressions of ZFS itself, both as a project and a filesystem. This is where things go badly off the rails, as Torvalds states, "Don't use ZFS. It's that simple. It was always more of a buzzword than anything else, I feel... [the] benchmarks I've seen do not make ZFS look all that great. And as far as I can tell, it has no real maintenance behind it any more..."

This jaw-dropping statement makes me wonder whether Torvalds has ever actually used or seriously investigated ZFS. Keep in mind, he's not merely making this statement about ZFS now, he's making it about ZFS for the last 15 years -- and is relegating everything from atomic snapshots to rapid replication to on-disk compression to per-block checksumming to automatic data repair and more to the status of "just buzzwords."

[The 2,300-word article goes on to describe ZFS features like per-block checksumming, automatic data repair, rapid replication and atomic snapshots -- as well as "performance wins" including its Adaptive Replacement caching algorithm and its inline compression (which allows datasets to be live-compressed with algorithms).]

The TL;DR here is that it's not really accurate to make blanket statements about ZFS performance, absent a very particular, well-understood workload to measure that performance on. But more importantly, quibbling about the fastest possible benchmark rather loses the main point of ZFS. This filesystem is meant to provide an eminently scalable filesystem that's extremely resistant to data loss; those are points Torvalds notably never so much as touches on....

Meanwhile, OpenZFS is actively consumed, developed, and in some cases commercially supported by organizations ranging from the Lawrence Livermore National Laboratory (where OpenZFS is the underpinning of some of the world's largest supercomputers) through Datto, Delphix, Joyent, iXsystems, Proxmox, Canonical, and more...

It's possible to not have a personal need for ZFS. But to write it off as "more of a buzzword than anything else" seems to expose massive ignorance on the subject... Torvalds' status within the Linux community grants his words an impact that can be entirely out of proportion to Torvalds' own knowledge of a given topic -- and this was clearly one of those topics.

Open Source

Another Project Goes Private: Amara Stops Being Developed As Open Source (amara.org) 61

Slashdot reader northar writes:
Subtitling project Amara closes its repository as focus is shifting... Amara was AGPL up until going private.

While future improvements to the code base from the Participatory Culture Foundation (PCF) will not be public, a copy of the last public code base has been preserved at Gitlab, should anyone be interested in the work done up until now. Note that no support is given from PCF for this code.

From Amara's official statement on the move: The Participatory Culture Foundation began as a nonprofit in 2006 with a focus on creating open source software to ensure that emerging video technologies were accessible to all.... For an organization like PCF, which relies on revenue generated from sustainability initiatives to fund social impact work, we believe the risk to these initiatives outweighs the potential or perceived public benefit from maintaining open code.

Releasing software as open source unfortunately does not provide protection against well-funded technology firms that are driven by profit... Without the proper market position and resources, a smaller organization that relies on revenue from software they build can be outmaneuvered or overpowered with the very technology they created (assuming their code is open source). This is not only a threat to smaller organizations, but has also become a bigger debate that much larger companies are also hashing out. For venture-funded or publicly traded firms, the open source approach can be a calculated risk that makes business sense. But for less-capitalized organizations or nonprofits, like PCF, who lack significant market power, making software open source puts other more well-resourced players in position to leverage the technology in ways that may undermine the sustainability and/or the values of the original developer.

With these shifts in the computing landscape, PCF has not seen individuals or communities as the primary beneficiary of releasing Amara code as open source. Instead, we have unfortunately had firsthand experience with a venture-funded organization deploying code we created and using it in ways that we did not think aligned well with our values....

As we undertake this shift in 2020, we are aware that the computing landscape will continue to change and thus we remain open to newer and better strategies for making source code available in the long-term. Future strategies might include data trusts and/or new licenses that better align with our sustainability initiatives and mission.

Open Source

Tuxedo's New Manjaro Linux Laptops Will Include Massive Customization (forbes.com) 17

Tuxedo Computers "has teamed up with Manjaro to tease not one, not two, but several" Linux laptops, Forbes reports:
The Tuxedo Computers InfinityBook Pro 15...can be loaded with up to 64GB of RAM, a 10th-generation Intel Core i7 CPU, and as high as a 2TB Samsung EVO Plus NVMe drive. You can also purchase up to a 5-year warranty, and user-installed upgrades will not void the warranty...

Manjaro Lead Project Developer Philip Müller also teased a forthcoming AMD Ryzen laptop [on Forbes' "Linux For Everyone" podcast]. "Yes, we are currently evaluating which models we want to use because the industry is screaming for that," Müller says. "In the upcoming weeks we might get some of those for internal testing. Once they're certified and the drivers are ready, we'll see when we can launch those." Müller also tells me they're prepping what he describes as a "Dell XPS 13 killer."

"It's 10th-generation Intel based, we will have it in 14-inch with a 180-degree lid, so you can lay it flat on your desk if you like," he says.

The Manjaro/Tuxedo Computers partnership will also offer some intense customization options, Forbes adds.

"Want your company logo laser-etched on the lid? OK. Want to swap out the Manjaro logo with your logo on the Super key? Sure, no problem. Want to show off your knowledge of fictional alien races? Why not get a 100% Klingon keyboard?"

Bug

CNCF, Google, and HackerOne Launch Kubernetes Bug Bounty Program 4

An anonymous reader quotes a report from VentureBeat: The Cloud Native Computing Foundation (CNCF) today announced it is funding a bug bounty program for Kubernetes. Security researchers who find security vulnerabilities in Kubernetes' codebase, as well as the build and release processes, will be rewarded with bounties ranging from $100 to $10,000. Bug bounty programs motivate individuals and hacker groups to not only find flaws but disclose them properly, instead of using them maliciously or selling them to parties that will. Originally designed by Google and now run by the CNCF, Kubernetes is an open source container orchestration system for automating application deployment, scaling, and management. Given the hundreds of startups and enterprises that use Kubernetes in their tech stacks, it's significantly cheaper to proactively plug security holes than to deal with the aftermath of breaches.

Open Source

How Digital Sleuths Unravelled the Mystery of Iran's Plane Crash (wired.co.uk) 172

Open-source intelligence proved vital in the investigation into Ukraine Airlines flight PS752. Then Iranian officials had to admit the truth. From a report: [...] In the days after the Ukraine Airlines plane crashed into the ground outside Tehran, Bellingcat and The New York Times have blown a hole in the supposition that the downing of the aircraft was an engine failure. The pressure -- and the weight of public evidence -- compelled Iranian officials to admit overnight on January 10 that the country had shot down the plane "in error." So how do they do it? "You can think of OSINT as a puzzle. To get the complete picture, you need to find the missing pieces and put everything together," says Lorand Bodo, an OSINT analyst at Tech versus Terrorism, a campaign group. The team at Bellingcat and other open-source investigators pore over publicly available material. Thanks to our propensity to reach for our cameraphones at the sight of any newsworthy incident, video and photos are often available, posted to social media in the immediate aftermath of events. "Open source investigations essentially involve the collection, preservation, verification, and analysis of evidence that is available in the public domain to build a picture of what happened," says Yvonne McDermott Rees, a lecturer at Swansea University.

Some of the clips in this incident surfaced on Telegram, the encrypted messaging app popular in the Middle East, while others were sent directly to Bellingcat. "Because Bellingcat is known for our open source work on MH17, people immediately thought of us. People started sending us links they'd found," says Eliot Higgins of Bellingcat. "It was involuntary crowdsourcing." OSINT investigators then utilise metadata, including EXIF data -- which is automatically inserted into videos and photos, showing everything from the type of camera used to take the images to the precise latitude and longitude of where the taker was standing -- to validify that the footage is legitimate. They'll also try and identify who took the footage, and whether it's practical for them to have been where they claim to have been at the time. However, for this instance, they couldn't use EXIF data. "People would share photos and videos on Telegram which strip the metadata, and then someone else would find that and share it on Twitter," says Higgins. "We were really getting a second-hand or third-hand version of these images. All we have to go on is what's visible in the photograph." So instead they moved onto the next step.
