By EditorDavid from Slashdot's return-addresses department
A new Intel security flaw has been discovered that potentially allows passwords to be stolen. An anonymous reader quotes Digital Journal:
As EE News reports, researchers said the new flaw enables an "inverse spectre attack". According to Giorgi Maisuradze and Professor Dr. Christian Rossow, a ret2spec (return-to-speculation) vulnerability in the chips allows would-be attackers to read data without authorization. According to Professor Rossow: "The security gap is caused by CPUs predicting a so-called return address for runtime optimization."
The implications of this are: "If an attacker can manipulate this prediction, he gains control over speculatively executed program code. It can read out data via side channels that should actually be protected from access." This means, in essence, that malicious web pages could interpret the memory of the web browser in order to access and copy critical data. Such data would include stored passwords.
"At least all Intel processors of the past ten years are affected by the vulnerabilities," reports EE News, adding "Similar attack mechanisms could probably also be derived for ARM and AMD processors...."
"Manufacturers were notified of the weaknesses in May 2018 and were granted 90 days to remedy them before the results were published. That deadline has now expired."
By EditorDavid from Slashdot's not-so-magic-internet-money department
An anonymous reader quotes CryptoCoinsNews:
Over the past 24 hours, the crypto market has recorded a loss of $18 billion, as major cryptocurrencies including Bitcoin, Ether, EOS, and Bitcoin Cash dropped by 4 to 13 percent. While Bitcoin ended the day with a 4 percent decline in its value, Ether, the native cryptocurrency of Ethereum, plummeted by 13 percent against the US dollar, becoming one of the worst performing major cryptocurrencies alongside NEO. Tokens recorded the steepest drop in their value on August 11, as most Ethereum-based tokens such as Theta Token, Aion, Pundi X, Aelf, DigixDAO, WanChain, and VeChain recorded a drop of around 14 to 18 percent. For the first time in 2018, Bitcoin, the most dominant cryptocurrency in the global market, has obtained 50 percent of the market share, securing its year-to-date (YTD) high on the dominance index. The sudden increase in the dominance index of Bitcoin, which coincided with the spike in the volume of Tether, has demonstrated that investors have become reluctant towards taking high-risk and high-return trades, mostly due to the lack of confidence in the short-term trend of the market. Over the past few weeks, tokens have lost over 50 percent of their value against Bitcoin, which has also fallen by more than 20 percent since late July.
"During this 13-day stretch, the total market cap for all cryptocurrencies has fallen $70 billion," reports MarketPlace, in an article headlined "Bitcoin looks 'very sick' and the pain is not over, says analyst."
By EditorDavid from Slashdot's wanna-cry? department
"A major virus infection forced the closure of Taiwan Semiconductor Manufacturing Company (TSMC) factories last weekend..." writes Slashdot reader Mark Wilson, noting that it's the largest semiconductor manufacturer in the world, selling chips to Apple, Nvidia, AMD, Qualcomm, and Broadcom, and "responsible for producing iPhone processors."
Now Network World reports:
The infection struck on Friday, August 3, and affected a number of unpatched Windows 7 computer systems and fab tools over two days. TSMC said it was all back to normal by Monday, August 6. TSMC did not say it was WannaCry, aka WannaCrypt, in its updates, but reportedly blamed WannaCry in follow-up conference calls with the press.... The company said this incident would cause shipment delays and additional costs estimated at 3 percent of third quarter revenue. The company had previously forecast revenues of $8.45 billion to $8.55 billion for its September quarter. A 3 percent loss would mean $250 million, though actual losses may come out lower than that. Still, that's a painful hit. TSMC also said no customer data was compromised....
TSMC isn't directly to blame here; someone [an infected production tool provided by an unidentified vendor] brought WannaCry into their offices and behind their firewall, but TSMC is still culpable because it left systems unpatched more than a year after WannaCry hit.
By EditorDavid from Slashdot's owning-a-boat department
"Six years after decommissioning USS Enterprise, the world's first nuclear-powered aircraft carrier, the U.S. Navy is still figuring out how to safely dismantle the ship," reports Popular Mechanics. schwit1 tipped us off to their report:
The General Accounting Office estimates the cost of taking apart the vessel and sending the reactors to a nuclear waste storage facility at up to $1.5 billion, or about one-eighth the cost of a brand-new aircraft carrier.
The USS Enterprise was commissioned in 1961 to be the centerpiece of a nuclear-powered carrier task force, Task Force One, that could sail around the world without refueling.... The Navy decommissioned Enterprise in 2012 and removed the fuel from the eight Westinghouse A2W nuclear reactors in 2013. The plan was to scrap the ship and remove the reactors, transporting them by barge from Puget Sound Naval Base down the Washington Coast and up the Columbia River, then trucking them to the Department of Energy's Hanford Site for permanent storage. However, after decommissioning the cost of disposing of the 93,000-ton ship soared from an estimated $500-$750 million to more than a billion dollars. This caused the Navy to put a pause on disposal while it sought out cheaper options. Today the stripped-down hull of the Enterprise sits in Newport News, Virginia awaiting its fate.
"Although the Navy believes disposing of the reactors will be fairly straightforward, no one has dismantled a nuclear-powered carrier before...
"Whatever the Navy ends up doing, this will only be the first of many nuclear-powered carrier disposals."
By EditorDavid from Slashdot's short-tempers department
An anonymous reader quotes the BBC:
Elon Musk's bombshell announcement that he is thinking of taking the electric car company Tesla private has landed him a lawsuit from unhappy investors.... His comments caused the share price to shoot up 11% to nearly $380, though it has since fallen back. Short-sellers, who bet on share price falls, allege he misled the market....
Short-sellers, who make a profit by borrowing shares, selling them and then buying them back at an expected lower price, claim to have lost millions thanks to Mr Musk's comments. Plaintiff Kalman Isaacs alleges the announcement was aimed at "completely decimating" short-sellers. His lawsuit, and another filed by William Chamberlain, accuse Mr Musk and Tesla of violating federal securities laws and artificially inflating Tesla's share price. Neither Mr Musk nor Tesla have commented on the lawsuit, which was filed in a federal court in San Francisco.
Tesla "is holding early discussions with banks about the feasibility and structure of a possible deal," Bloomberg reported yesterday -- and Ars Technica points out that if Mr. Isaacs had simply kept his short positions open through Friday, "he would be at least $60,000 richer."
But Isaacs hopes to be the lead plaintiff for a class-action lawsuit "representing all Tesla shareholders who traded after Musk's tweet on Tuesday or at any time on Wednesday."
By EditorDavid from Slashdot's shades-of-Icarus department
An anonymous reader quotes the Los Angeles Times:
An airline worker stole an empty Alaska Airlines plane from Seattle-Tacoma International Airport in Washington on Friday night, and the National Guard scrambled two fighter jets to chase the aircraft, which crashed on a sparsely populated island in Puget Sound, officials said. No passengers were aboard the 76-seat Horizon Air Q400 turboprop plane, which was stolen by a 29-year-old Horizon Air ground service agent from Pierce County, according to airline and law enforcement officials.... The man was described as suicidal, and it appeared impossible that he could have survived the crash....
The plane made an unauthorized takeoff from the airport around 8 p.m. and crashed on Ketron Island, about five miles southwest of Tacoma, after the renegade pilot bantered erratically with air-traffic controllers who pleaded with him to land the plane, according to officials and dispatch audio. "This is probably jail time for life, huh?" said the man, identified on the radio as Rich, according to dispatch audio reviewed by the Seattle Times.... At another point, the employee said: "I'm gonna land it, in a safe kind of manner. I think I'm gonna try to do a barrel roll, and if that goes good, I'm just gonna nose down and call it a night...."
"Oh, my God! Oh, my God! He's OK? He's OK," one woman said in a video posted on Facebook, which showed at least one military jet in pursuit. It's not clear how long afterward the plane crashed.
By EditorDavid from Slashdot's slow-processes department
An anonymous reader quotes InsideHPC:
Today Julia Computing announced the Julia 1.0 programming language release, "the most important Julia milestone since Julia was introduced in February 2012." As the first complete, reliable, stable and forward-compatible Julia release, version 1.0 is the fastest, simplest and most productive open-source programming language for scientific, numeric and mathematical computing. "With today's Julia 1.0 release, Julia now provides the language stability that commercial customers require together with the unique combination of lightning speed and high productivity that gives Julia its competitive advantage compared with Python, R, C++ and Java."
The Register reports:
Created by Jeff Bezanson, Stefan Karpinski, Viral Shah, and Alan Edelman, the language was designed to excel at data science, machine learning, and scientific computing.... Six years ago, Julia's creators framed their goals thus:
"We want a language that's open source, with a liberal license. We want the speed of C with the dynamism of Ruby. We want a language that's homoiconic, with true macros like Lisp, but with obvious, familiar mathematical notation like Matlab. We want something as usable for general programming as Python, as easy for statistics as R, as natural for string processing as Perl, as powerful for linear algebra as Matlab, as good at gluing programs together as the shell. Something that is dirt simple to learn, yet keeps the most serious hackers happy. We want it interactive and we want it compiled...."
In a julialang.org post announcing the milestone, the minders of the language claim to have achieved some of their goals.
By EditorDavid from Slashdot's look-what-I-found department
"Some x86 CPUs have hidden backdoors that let you seize root by sending a command to an undocumented RISC core that manages the main CPU," Tom's Hardware reports, citing a presentation by security researcher Christopher Domas at the Black Hat Briefings conference in Las Vegas.
The command -- ".byte 0x0f, 0x3f" in Linux -- "isn't supposed to exist, doesn't have a name, and gives you root right away," Domas said, adding that he calls it "God Mode." The backdoor completely breaks the protection-ring model of operating-system security, in which the OS kernel runs in ring 0, device drivers run in rings 1 and 2, and user applications and interfaces ("userland") run in ring 3, furthest from the kernel and with the least privileges. To put it simply, Domas' God Mode takes you from the outermost to the innermost ring in four bytes. "We have direct ring 3 to ring 0 hardware privilege escalation," Domas said. "This has never been done.... It's a secret, co-located core buried alongside the x86 chip. It has unrestricted access to the x86."
The good news is that, as far as Domas knows, this backdoor exists only on VIA C3 Nehemiah chips made in 2003 and used in embedded systems and thin clients. The bad news is that it's entirely possible that such hidden backdoors exist on many other chipsets. "These black boxes that we're trusting are things that we have no way to look into," he said. "These backdoors probably exist elsewhere." Domas discovered the backdoor, which exists on VIA C3 Nehemiah chips made in 2003, by combing through filed patents.
"Some of the VIA C3 x86 processors have God Mode enabled by default," Domas adds. "You can reach it from userland. Antivirus software, ASLR and all the other security mitigations are useless."
By EditorDavid from Slashdot's beating-the-cheaters department
Recently the Palm Beach Post noted that 20% of the academic credit awarded at Florida Atlantic University is for online courses. So how can they stop cheaters?
Where once it was enough for a professor to roam the aisles of a classroom, checking for cheat sheets and keeping an eye out for students signaling one another, proctoring today's tests often requires web cams and biometric IDs. A field of more than a dozen test-proctoring services has emerged in the past decade. Typically, the company gets some sort of visual on the test taker via a web cam and then asks the student to show the camera his or her ID. Other security layers can include software that recognizes faces or even keystroking patterns.
The next step is to monitor the student during the test. In the online proctoring world, that is done in one of three ways:
* A remote but live proctor who watches in real time.
* A record-and-review method in which a proctor watches the testing session, but not in real time.
* An automated system, in which the software is programmed to spot abnormalities and flag them.
Honorlock -- one of the record-and-review outfits -- expected to proctor roughly 100,000 tests in the 2017-2018 school year, and promises schools that their solution also searches the web for copies of the test and automatically files takedown notices for any leaked copies, according to a link shared by Slashdot reader Presto Vivace. Besides filming students during tests, it also includes patented technology that "detects and prevents searching for test answers online from any secondary device." And it even verifies the identity of test takers using "any government issued" i.d. (like a driver's license or passport) or student ID which includes a photo.
By BeauHD from Slashdot's back-to-the-drawing-board department
An anonymous reader quotes a report from Phys.Org: In recent years, some physicists have been investigating the possibility that gravity is not actually a fundamental force, but rather an emergent phenomenon that arises from the collective motion of small bits of information encoded on spacetime surfaces called holographic screens. The theory, called emergent gravity, hinges on the existence of a close connection between gravity and thermodynamics. Emergent gravity has received its share of criticism, however, and a new paper adds to this by showing that the holographic screen surfaces described by the theory do not actually behave thermodynamically, undermining a key assumption of the theory.
In the new paper, the scientists tested whether different kinds of surfaces obey an analogue of the first law of thermodynamics, which is a special form of energy conservation. Their results reveal that, while surfaces near black holes (called stretched horizons) do obey the first law, ordinary surfaces -- including holographic screens -- generally do not. The only exception is that ordinary surfaces that are spherically symmetric do obey the first law. As the scientists explain, the finding that stretched horizons obey the first law is not surprising, since these surfaces inherit much of their behavior from the nearby horizons. Still, the scientists caution that the results do not necessarily imply that stretched horizons obey all of the laws of thermodynamics. On the other hand, the finding that ordinary surfaces do not obey the first law is more unexpected, especially as it is one of the key assumptions of emergent gravity. Going forward, researchers will work to understand what this means for the future of emergent gravity, as well as explore other possible implications.
By BeauHD from Slashdot's space-meetup department
Zorro shares a report from Space.com: The Japanese spacecraft Hayabusa2 has successfully rendezvoused with Ryugu, beginning an 18-month stay at the diamond-shaped asteroid. Launched by the Japan Aerospace Exploration Agency, JAXA, in 2014, the probe will poke, prod and even impact the asteroid, deploying a small lander and three rovers. It will then blast an artificial crater to analyze material below the asteroid's surface. After that, the probe will head back to Earth, arriving near the end of 2020 with samples in tow. Hayabusa2 automatically fired its thrusters this morning (June 27) at 9:35 a.m. local Japanese time (8:45 p.m. on June 26 EDT, or 1245 GMT), bringing the probe within a constant 12 miles (20 kilometers) of the asteroid, according to a statement from JAXA. The Hayabusa2 team will have to select the best place for the probe's lander and rovers based on the space rock's spinning-top-like shape and its rotation; the 3,000-foot-wide (900 meters) asteroid rotates perpendicular to its orbit, completing a full rotation every 7.5 hours.
By BeauHD from Slashdot's journey-to-the-sun department
In the early hours of Saturday morning, NASA is scheduled to launch the Parker Solar Probe for a seven-year mission to study the sun and its atmosphere. The spacecraft will take off from NASA's Kennedy Space Center in Florida, traveling up to 430,000 miles per hour towards the star -- that will make it the fastest spacecraft ever. Assuming you're reading this story around the time it's published, you still have time to watch the launch via NASA's livestream. The launch window for the Parker Solar Probe opens at 3:33 a.m. ET Saturday, but the exact launch time is unknown. The New York Times has published a story about Eugene N. Parker, the professor that the spacecraft was named after. It is the first time that NASA has named a mission for a living person. Here's an excerpt from the report: In a foundational paper published in The Astrophysical Journal, Dr. Parker described how charged particles streamed continuously from the sun, like the flow of water spreading outward from a circular fountain. Almost no one believed him. [...] Four years later, Dr. Parker was vindicated when Mariner 2, a NASA spacecraft en route to Venus, measured energetic particles streaming through interplanetary space -- exactly what Dr. Parker had predicted. Scientists now call that stream of particles the solar wind.
By BeauHD from Slashdot's policy-changes department
Yesterday, Facebook said it's banning websites that host and share blueprints of 3D-printed guns. "Sharing instructions on how to print firearms using 3D printers is not allowed under our Community Standards," said a spokesperson in an email statement. "In line with our policies, we are removing this content from Facebook." BuzzFeed was first to report the news: The move comes amid a rush by states to block these instructions from being posted. A July settlement between the State Department and Defense Distributed, an open-source organization that created the first completely 3D-printed gun, cleared the way for the group to publish the gun code. However, that was stalled when a federal judge on July 31 granted a temporary nationwide injunction that prevented Defense Distributed from uploading the plans. The injunction prevents Defense Distributed from publishing the plans. But the instructions are widely available online, on sites such as CodeIsFreeSpeech.com -- which hosts plans for parts of an AR-15, a Beretta, and Defense Distributed's Liberator. Attempts to post the site on a user's News Feed, through Facebook's Messenger app, or on Instagram (which Facebook owns) produce a variety of error messages. Other sites that host the files can still be posted through Facebook. Specifically, Facebook says that 3D-printed guns violate the regulated goods section of the social giant's community standards, which limits gun sales and exchanges to licensed dealers.
By BeauHD from Slashdot's gone-with-the-wind department
Google has removed the open-source Ahoy! extension from the Chrome store with little explanation. The tool facilitated access to more than 1,700 blocked sites in Portugal by routing traffic through its own proxies. TorrentFreak reports: After servicing 100,000 users last December, Ahoy! grew to almost 185,000 users this year. However, progress and indeed the project itself is now under threat after arbitrary action by Google. "Google decided to remove us from Chrome's Web Store without any justification," team member Henrique Mouta informs TF. "We always make sure our code is high quality, secure and 100% free (as in beer and as in freedom). All the source code is open source. And we're pretty sure we never broke any of the Google's marketplace rules."
Henrique says he's tried to reach out to Google but finding someone to help has proven impossible. Even re-submitting Ahoy! to Google from scratch hasn't helped the situation. "I tried and resubmitted the plugin but it was refused after a few hours and without any justification," Henrique says. "Google never reached us or notified us about the removal from Chrome Web Store. We never got a single email justifying what happened, why have we been removed from the store, or/and what are we breaching and how can we fix it." TorrentFreak reached out to Google asking why this anti-censorship tool has been removed from its Chrome store. Despite multiple requests, the search giant failed to respond to us or the Ahoy! team. Thankfully, the Ahoy! extension is still available on Firefox.
By BeauHD from Slashdot's let's-make-a-deal department
An anonymous reader quotes a report from Bloomberg: Qualcomm, the smartphone chipmaker fighting regulatory actions and lawsuits threatening its most profitable business, has reached a settlement with Taiwan's antitrust regulators that reverses most of a $773 million fine. As part of an agreement announced Friday by the Fair Trade Commission, the company will invest $700 million over the next five years and boost research activities in Taiwan, home to a clutch of important suppliers to global names such as Apple. In return, Qualcomm can stop paying fines and retains the right to charge manufacturers royalties on its technology. The commission said Friday it will keep NT$2.73 billion ($89 million) in fines that Qualcomm's already paid but waive the rest.
In an October decision, Taiwan's antitrust agency said Qualcomm had monopoly market status over key mobile phone standards and was violating local laws by not providing products to clients who didn't agree with its conditions. Besides the fine, the Fair Trade Commission told Qualcomm at the time to remove previously signed deals that forced competitors to provide price, customer names, shipment, model name and other sensitive information. Qualcomm appealed the decision. The company agreed to ensure fair negotiations with local licensees, and will support research and commercial projects in Taiwan, including collaborating on the development of fifth-generation wireless, Qualcomm said in a separate statement Friday.
By BeauHD from Slashdot's public-service-announcement department
New submitter rokahasch writes: Starting today, August 10th, most users of the Dropbox desktop app on Linux have been receiving notifications that their Dropbox will stop syncing starting November. Over at the Dropbox forums, Dropbox have declared that the only Linux filesystem supported for storage of the Dropbox sync folder starting the 7th of November will be a clean ext4 file system. This basically means Dropbox drops Linux support completely, as almost all Linux distributions have other file systems as their standard installation defaults nowadays -- not to mention encryption running on top of even an ext4 file system, which won't qualify as a clean ext4 file system for Dropbox (such as eCryptfs, which is the default in, for example, Ubuntu for encrypted home folders). The thread is trending heavily on Dropbox's forums with the forum's most views since the thread started earlier today. The cries from a large number of Linux users have so far remained unanswered by Dropbox, with most users finding the explanation given for this change unconvincing. The explanation given so far is that Dropbox requires a file system with support for extended attributes (xattrs). Extended attributes, however, are supported by all major Linux/POSIX-compliant file systems. Dropbox has, up until today, supported Linux platforms since their services began back in 2007. A number of users have taken to Twitter to protest the move. Twitter user troyvoy88 tweets: "Well, you just let the shitstorm loose @Dropbox dropping support for some linux FS like XFS and BTRFS. No way in hell im going to reformat my @fedora #development station and removing encryption no way!" Another user by the name of daltux wrote: "It will be time to say goodbye then, @Dropbox. I won't store any personal files on an unencrypted partition."
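The submission above turns on two facts about a sync folder that a Linux user can verify directly: which filesystem the folder actually lives on (an eCryptfs or other stacked mount shows up as its own filesystem type, not as the ext4 underneath), and whether that filesystem supports user extended attributes. The following script is an added example, not Dropbox's code and not derived from the Dropbox client; it reads the Linux mount table from /proc/self/mounts and probes xattr support by setting, reading back, listing and removing a `user.*` attribute (the attribute name `user.xattr_probe` is constructed for this check) on a temporary file. The `required_fstype="ext4"` default reflects the requirement quoted in the submission.

```python
import errno
import os
import tempfile


def mount_info(path):
    """Return (mountpoint, fstype) for the mount that contains `path`.

    Parsed from /proc/self/mounts (Linux only); the longest matching mount
    point wins, so a stacked mount such as eCryptfs on top of ext4 is
    reported as "ecryptfs", not "ext4". Falls back to ("/", "unknown")
    when the mount table cannot be read.
    """
    path = os.path.realpath(path)
    best = ("/", "unknown")
    try:
        with open("/proc/self/mounts", encoding="utf-8", errors="replace") as mounts:
            for line in mounts:
                fields = line.split()
                if len(fields) < 3:
                    continue
                # /proc/mounts escapes spaces in mount points as \040
                mnt, fstype = fields[1].replace("\\040", " "), fields[2]
                if path == mnt or path.startswith(mnt.rstrip("/") + "/"):
                    if len(mnt) >= len(best[0]):
                        best = (mnt, fstype)
    except OSError:
        pass
    return best


def probe_user_xattr(directory):
    """Create a temp file in `directory` and try to set, read back, list and
    remove a user.* extended attribute on it.

    Returns {"supported": bool, "reason": str | None}; "reason" explains a
    negative result (ENOTSUP means the filesystem or its mount options
    do not offer user xattrs).
    """
    if not hasattr(os, "setxattr"):
        return {"supported": False, "reason": "os.setxattr is not available on this platform"}
    name = "user.xattr_probe"  # constructed probe name; not an attribute any real client uses
    value = b"ok"
    try:
        fd, tmp = tempfile.mkstemp(prefix=".xattr_probe_", dir=directory)
    except OSError as exc:
        return {"supported": False, "reason": f"cannot create a file in {directory}: {exc}"}
    os.close(fd)
    try:
        os.setxattr(tmp, name, value)
        if os.getxattr(tmp, name) != value:
            return {"supported": False, "reason": "xattr read back with a different value"}
        if name not in os.listxattr(tmp):
            return {"supported": False, "reason": "xattr not listed after being set"}
        os.removexattr(tmp, name)
        return {"supported": True, "reason": None}
    except OSError as exc:
        if exc.errno in (errno.ENOTSUP, errno.EOPNOTSUPP):
            reason = "filesystem (or its mount options) does not support user xattrs"
        elif exc.errno == errno.EACCES:
            reason = "permission denied when setting the xattr"
        else:
            reason = f"xattr operation failed: {exc}"
        return {"supported": False, "reason": reason}
    finally:
        try:
            os.unlink(tmp)
        except OSError:
            pass


def check_sync_folder(path, required_fstype="ext4"):
    """Combine both checks for a prospective sync folder into one report."""
    mountpoint, fstype = mount_info(path)
    xattr = probe_user_xattr(path)
    return {
        "path": os.path.realpath(path),
        "mountpoint": mountpoint,
        "fstype": fstype,
        "fstype_matches": fstype == required_fstype,
        "user_xattr_supported": xattr["supported"],
        "xattr_reason": xattr["reason"],
    }


def default_probe_dir():
    """A writable directory to probe when no sync folder is given."""
    return tempfile.gettempdir()


if __name__ == "__main__":
    import json
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/Dropbox")
    if not os.path.isdir(target):
        target = default_probe_dir()
    print(json.dumps(check_sync_folder(target), indent=2))
```

Run it with the sync folder as the argument (`python3 check_sync_folder.py ~/Dropbox`). A report showing `fstype` of `ecryptfs`, `btrfs` or `xfs` together with `user_xattr_supported: true` is exactly the situation the submitter describes: xattrs work, but the filesystem type is not the one the quoted policy accepts. The probe only tests `user.*` attributes; it says nothing about whether a given client will accept the mount for other reasons.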