By EditorDavid from Slashdot's package-mismanagement department
Since April, according to the company, npm users have run 50 million automatic scans and have deliberately invoked the npm audit command 3.1 million times. And they're running 3.4 million security audits a week. Across all audits, 51 per cent found at least one vulnerability and 11 per cent identified a critical vulnerability. In a phone interview with The Register, Adam Baldwin, head of security at NPM, said he didn't have data on how many people are choosing to fix flagged flaws. "But what we've seen from pull requests suggests it's gaining traction," he said.
Incidentally, npm's thinking about security is finding similar expression elsewhere in the industry. Earlier this year, GitHub began alerting developers when their code contains insecure libraries. During a recent media briefing, GitHub's head of platform Sam Lambert said he hoped that the process could be made more automated through the mechanized submission of git pull requests that developers could simply accept to replace flawed code.
Baldwin said NPM might implement something similar, an intervention rather than a simple notification. "Currently it's not proactive policy enforcement," he said. "But it's something we're considering." That would appeal to NPM's growing enterprise constituency. "Enterprises for sure want the compliance and control," said Baldwin. "They want that ability to know the open source they're bringing in is safe or meets a certain set of criteria."
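The "proactive policy enforcement" Baldwin says npm does not yet do is straightforward to bolt on locally, because `npm audit --json` already emits a machine-readable report. The script below is an added example, not code from npm or from The Register: it normalises that report, counts findings per severity and fails the build when anything at or above a chosen level is present, printing the patched range and dependency path a fix would need. The two sample reports are constructed by hand, with hypothetical package names and advisory ids, and assume the npm 6 (`advisories`) and npm 7+ (`vulnerabilities`) report shapes.

```python
"""Policy gate over the JSON report that `npm audit --json` writes."""
import json
import sys
from typing import Any, Dict, List, Tuple, Union

# npm audit's severity ladder; a higher rank is more severe.
SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}

# Constructed sample in the npm 6 report shape ("advisories" keyed by advisory id).
# Package names, advisory ids and titles are hypothetical.
NPM6_REPORT = """{
  "advisories": {
    "1001": {"id": 1001, "module_name": "example-parser", "severity": "high",
             "vulnerable_versions": "<2.3.1", "patched_versions": ">=2.3.1",
             "title": "Prototype pollution (hypothetical)",
             "findings": [{"version": "2.2.0", "paths": ["example-cli>example-parser"]}]},
    "1002": {"id": 1002, "module_name": "example-colors", "severity": "low",
             "vulnerable_versions": "<1.4.0", "patched_versions": ">=1.4.0",
             "title": "Regular expression denial of service (hypothetical)",
             "findings": [{"version": "1.3.0", "paths": ["example-colors"]}]}
  },
  "metadata": {"vulnerabilities": {"info": 0, "low": 1, "moderate": 0, "high": 1, "critical": 0}}
}"""

# Constructed sample in the npm 7+ report shape ("vulnerabilities" keyed by package name).
NPM7_REPORT = """{
  "auditReportVersion": 2,
  "vulnerabilities": {
    "example-logger": {"name": "example-logger", "severity": "critical", "isDirect": true,
                       "range": "<2.0.1", "nodes": ["node_modules/example-logger"],
                       "fixAvailable": {"name": "example-logger", "version": "2.0.1",
                                        "isSemVerMajor": false}}
  },
  "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 0, "high": 0, "critical": 1}}
}"""

Finding = Dict[str, Any]


def normalise(report: Dict[str, Any]) -> List[Finding]:
    """Flatten either report shape into dicts with package, severity, fix and paths."""
    findings: List[Finding] = []
    if "advisories" in report:  # npm 6 shape
        for adv in report["advisories"].values():
            findings.append({
                "package": adv["module_name"],
                "severity": adv["severity"],
                "fix": adv.get("patched_versions") or "<no patched version>",
                "paths": [p for f in adv.get("findings", []) for p in f.get("paths", [])],
            })
    elif "vulnerabilities" in report:  # npm 7+ shape
        for name, vuln in report["vulnerabilities"].items():
            fix = vuln.get("fixAvailable")
            if isinstance(fix, dict):
                fix_text = ">=" + fix["version"]
            else:
                fix_text = "fix available" if fix else "<no patched version>"
            findings.append({
                "package": name,
                "severity": vuln["severity"],
                "fix": fix_text,
                "paths": list(vuln.get("nodes", [])),
            })
    return findings


def evaluate(report: Union[str, Dict[str, Any]], fail_at: str = "high") -> Tuple[bool, Dict[str, int], List[Finding]]:
    """Apply the gate: returns (passed, counts_by_severity, blocking_findings).

    A finding blocks when its severity is at or above `fail_at`; a severity the
    ladder does not know also blocks, so a new or misspelled level cannot slip past.
    """
    if fail_at not in SEVERITY_RANK:
        raise ValueError(f"unknown severity threshold: {fail_at}")
    if isinstance(report, str):
        report = json.loads(report)
    threshold = SEVERITY_RANK[fail_at]
    counts = {level: 0 for level in SEVERITY_RANK}
    blocking: List[Finding] = []
    for finding in normalise(report):
        rank = SEVERITY_RANK.get(finding["severity"])
        if rank is None or rank >= threshold:
            blocking.append(finding)
        if rank is not None:
            counts[finding["severity"]] += 1
    return (not blocking, counts, blocking)


def gate(raw_json: str, fail_at: str = "high") -> int:
    """CI entry point: print a summary and return the exit code (0 = pass, 1 = block)."""
    passed, counts, blocking = evaluate(raw_json, fail_at)
    print("severity counts:", counts)
    for f in blocking:
        print(f"BLOCK {f['severity']:<9} {f['package']:<20} fix: {f['fix']:<22} via {', '.join(f['paths'])}")
    return 0 if passed else 1


if __name__ == "__main__":
    # Real use:  npm audit --json | python audit_gate.py high
    # With no piped input the constructed npm 6 sample is evaluated instead.
    raw = sys.stdin.read() if not sys.stdin.isatty() else NPM6_REPORT
    sys.exit(gate(raw, sys.argv[1] if len(sys.argv) > 1 else "high"))
```

Wired into CI as `npm audit --json | python audit_gate.py high`, this turns the notification into the intervention the article describes. npm's own `--audit-level` flag gives a threshold-only version of the same check; what the script adds is the normalised list of package, patched range and dependency path, which is exactly what a ticket or an automatically generated pull request needs.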
By EditorDavid from Slashdot's get-off-of-my-cloud department
SpzToid quotes Vanity Fair:
The controversy involves a plan to move all of the Defense Department's data -- classified and unclassified -- on to the cloud. The information is currently strewn across some 400 centers, and the Pentagon's top brass believes that consolidating it into one cloud-based system, the way the CIA did in 2013, will make it more secure and accessible. That's why, on July 26, the Defense Department issued a request for proposals called JEDI, short for Joint Enterprise Defense Infrastructure. Whoever winds up landing the winner-take-all contract will be awarded $10 billion -- instantly becoming one of America's biggest federal contractors.
But when JEDI was issued, on the day Congress recessed for the summer, the deal appeared to be rigged in favor of a single provider: Amazon. According to insiders familiar with the 1,375-page request for proposal, the language contains a host of technical stipulations that only Amazon can meet, making it hard for other leading cloud-services providers to win -- or even apply for -- the contract. One provision, for instance, stipulates that bidders must already generate more than $2 billion a year in commercial cloud revenues -- a "bigger is better" requirement that rules out all but a few of Amazon's rivals... Much of the language of JEDI, in fact, seems specifically tailored for Jeff Bezos. "Everybody immediately knew that it was for Amazon," says a rival bidder who asked not to be named. To even make a bid, a provider must maintain a distance of at least 150 miles between its data centers and provide "32 GB of RAM" -- specifications that few providers other than Amazon can meet.
By EditorDavid from Slashdot's science-fiction-in-San-Jose department
AmiMoJo quotes the Verge:
The 2018 Hugo Awards were held Sunday night at the World Science Fiction Convention in San Jose, California. The Hugo award, voted on by members of the fan community, is considered the highest honour for science fiction and fantasy literature... N.K. Jemisin took home the top honor for The Stone Sky, the third installment of her Broken Earth trilogy. Other winners include Martha Wells for her first Murderbot novella All Systems Red, Suzanne Palmer for her novelette "The Secret Life of Bots," and Rebecca Roanhorse for her short story "Welcome to your Authentic Indian Experience." [Those last two links apparently let you read the entire story online!] Roanhorse also took home the John W. Campbell Jr. Award for Best New Writer.
Ursula K. Le Guin also posthumously won an award for "Best Related Work" for her collection of blog posts No Time to Spare: Thinking About What Matters.
And Zack Snyder finally won something, when Blade Runner 2049 lost in the "Best Dramatic Presentation -- Long Form" category to Wonder Woman ("screenplay by Allan Heinberg, story by Zack Snyder & Allan Heinberg and Jason Fuchs.")
By EditorDavid from Slashdot's surprise-endings department
Slashdot reader nolaguy quotes the New York Post:
Movie subscription service MoviePass has pulled the plug on annual subscriptions, telling those subscribers that they will have to adhere to the same terms as monthly subscribers. The service made the announcement Friday in an email to those members and offered them prorated refunds if they want to cancel their annual memberships.... Until Friday's announcement, subscribers to the $89 annual plans had been able to see a movie a day.
CNET reports that MoviePass "is now forcing you onto its monthly three-movie-a-month plan -- effective immediately...and you'll receive up to a $5.00 discount on any additional movie tickets purchased." They're planning to apply the $89 annual fees toward the $9.95 monthly fees, but....
To add insult to injury, MoviePass says you'll only have until Aug. 31 -- a week from today -- if you want to get some of your money back in the form of a prorated refund, which you can only get by canceling your plan. And just to make things more ridiculous, MoviePass is preying on your FOMO by saying that if you do take the refund, you won't be able to sign up for MoviePass again for nine months.
CNET's article ends with a link to their list of "the 11 times that MoviePass altered the deal," adding "This is getting sad. And a little shady."
By EditorDavid from Slashdot's courtroom-drama department
Bruce Perens co-founded the Open Source Initiative with Eric Raymond -- and he's also Slashdot reader #3872. "The Electronic Frontier Foundation has filed an answering brief in defense of Bruce Perens in the merits appeal of the Open Source Security Inc./Bradley Spengler v. Bruce Perens lawsuit," reads his latest submission -- with more details at Perens.com:
Last year, Open Source Security and its CEO, Bradley Spengler, brought suit against me for defamation and related torts regarding this blog post and this Slashdot discussion. After the lower court ruled against them, I asked for my defense costs and was awarded about $260K for them by the court.
The plaintiffs brought two appeals, one on the merits of the lower court's ruling and one on the fees charged to them for my defense... The Electronic Frontier Foundation took on the merits appeal, pro-bono (for free, for the public good), with the pro-bono assistance of my attorneys at O'Melveny who handled the lower court case...
You can follow the court proceedings here
"Sorry I can't comment further on the case," Perens writes in a comment on Slashdot, adding "it's well-known legal hygiene that you don't do that." But he's willing to talk about other things.
"Valerie and I are doing well. I am doing a lot of travel for the Open Source Initiative as their Standards Chair, speaking with different standards groups and governments about standards in patents and making them compatible with Open Source."
By EditorDavid from Slashdot's ice-ice-baby department
Iwastheone quotes Phys.org:
First, according to Rice University engineers, get a nanotube hole. Then insert water. If the nanotube is just the right width, the water molecules will align into a square rod. Rice materials scientist Rouzbeh Shahsavari and his team used molecular models to demonstrate their theory that weak van der Waals forces between the inner surface of the nanotube and the water molecules are strong enough to snap the oxygen and hydrogen atoms into place. Shahsavari referred to the contents as two-dimensional "ice," because the molecules freeze regardless of the temperature.
He said the research provides valuable insight on ways to leverage atomic interactions between nanotubes and water molecules to fabricate nanochannels and energy-storing nanocapacitors... The researchers already knew that hydrogen atoms in tightly confined water take on interesting structural properties. Recent experiments by other labs showed strong evidence for the formation of nanotube ice and prompted the researchers to build density functional theory models to analyze the forces responsible... They discovered that nanotubes in the middle diameters had the most impact on the balance between molecular interactions and van der Waals pressure that prompted the transition from a square water tube to ice.
The paper describes "solid-like water nanotubes," and the head of the research team believes they could have practical applications, according to the article.
"Nanotube ice could find use in molecular machines or as nanoscale capillaries, or foster ways to deliver a few molecules of water or sequestered drugs to targeted cells, like a nanoscale syringe."
By EditorDavid from Slashdot's big-bangs-versus-whimpers department
"The Big Bang Theory is dead. If you need me, I'll be dancing on its grave," writes a TV columnist for the Guardian:
The inexplicably popular geek sitcom has announced that its 12th season will be its last. Its demise should come as a relief to everybody... Producers have promised an "epic creative close" when the series ends in May. After that, The Big Bang Theory will be dead, and nobody will be sad. Except, of course, they will. Because, inexplicably, The Big Bang Theory is still one of the most-watched shows on U.S. television. It regularly gets more than 15 million viewers an episode, and, statistically, not all of them can be incapacitated to the point of being unable to change channels whenever it comes on.
Nothing confuses me more than The Big Bang Theory's success. It has always been markedly less smart than it thought it was; the TV version of someone wearing a "GEEK" T-shirt because they liked a Facebook post about the moon once.... Watch any recent episode of The Big Bang Theory and you'll see that it is barely even a sitcom at this point. It has been going on for so long that the writing, presentation and performances are more or less autonomous. Everyone is just glumly going through the motions, stuck in the tracks they've carved out for themselves over the years. It's like watching a museum exhibit of a sitcom made with mannequins and miserable circus bears.
The actor who plays Sheldon will be 46 when the show ends, the columnist points out, adding that for 12 years he's been playing "a weirdly ageless man-boy trapped in a developmentally arrested closed-loop flatshare scenario more suited to somebody half his age." The Guardian titled their piece "Our Long Nightmare is Finally Over" -- but leave your own thoughts in the comments.
How do you feel about the ending of The Big Bang Theory?
By EditorDavid from Slashdot's thinking-of-the-children department
Russian trolls "seem to be using vaccination as a wedge issue, promoting discord in American society," according to a new study shared by long-time Slashdot reader skam240.
"The topic became another issue the Russian trolls seized upon to widen existing rifts in America and turn citizens against each other," reports NBC News.
But Fortune reports there's more to the story:
While the latest study highlights how Russian outfits have increasingly used social media to toy with people's emotions to influence their behavior, it's also notable for the fact that most Twitter users appeared to have ignored its anti-vaccine messages... Outside of the Russian trolls, virtually no real Twitter users actually responded to the messages, said the paper's author David Broniatowski, an assistant professor at George Washington University's School of Engineering and Applied Science. Generally, Russian trolls try to exploit controversial topics like religion, and race and class division, but "sometimes they get it hilariously wrong," he said.
Broniatowski attributed the campaign's failure to the content of the tweets, which included: "VaccinateUS mandatory #vaccines infringe on constitutionally protected religious freedoms;" "Did you know there was a secret government database of #vaccine-damaged children? #VaccinateUS;" and "Dont get #vaccines. Iluminati are behind it. #VaccinateUS." The messages were so far-fetched that even people who believe in conspiracy theories chose to ignore them.
By EditorDavid from Slashdot's Clippy-not-included department
An anonymous reader quotes the Washington Examiner:
The Energy Department is participating in a major push with electric utility Southern and a company founded by Microsoft founder Bill Gates to develop small nuclear power reactors that are less expensive and more efficient than their much larger cousins. "Molten salt reactors are getting a reboot," the Energy Department tweeted late Wednesday, offering a schematic of a battery-like power plant module that "could power America's energy"... The Department of Energy linked to a detailed description of how its Oak Ridge National Laboratory and other federal labs are teaming up with Southern Company, a big coal utility with several nuclear plants, and Gates' TerraPower to test and develop a type of reactor that uses liquefied sodium "as both coolant and fuel."
These liquid-metal reactors are sometimes referred to as nuclear batteries because they are small, self-contained units, which theoretically can be deployed anywhere, although the version being tested at Oak Ridge appears to be one requiring a permanent structure and housing. TerraPower was awarded a $40 million award by the Energy Department in 2016 to pursue the project.
Currently it's in the "early design phase" to assess commercial viability, but testing will begin in 2019, "which will help validate the reactor's safety systems for license certification by the Nuclear Regulatory Commission."
By msmash from Slashdot's closer-look department
Headlines from Def Con, a hacking conference held this month in Las Vegas, might have left some thinking that infiltrating state election websites and affecting the 2018 midterm results would be child's play. Articles reported that teenage hackers at the event were able to "crash the upcoming midterm elections" and that it had taken "an 11-year-old hacker just 10 minutes to change election results." A first-person account by a 17-year-old in Politico Magazine described how he shut down a website that would tally votes in November, "bringing the election to a screeching halt." But now, elections experts are raising concerns that misunderstandings about the event -- many of them stoked by its organizers -- have left people with a distorted sense of its implications. From a report: In a website published before r00tz Asylum, the youth section of Def Con, organizers indicated that students would attempt to hack exact duplicates of state election websites, referring to them as "replicas" or "exact clones." (The language was scaled back after the conference to simply say "clones.") Instead, students were working with look-alikes created for the event that had vulnerabilities they were coached to find. Organizers provided them with cheat sheets, and adults walked the students through the challenges they would encounter. Josh Franklin, an elections expert formerly at the National Institute of Standards and Technology and a speaker at Def Con, called the websites "fake." "When I learned that they were not using exact copies and pains hadn't been taken to more properly replicate the underlying infrastructure, I was definitely saddened," Franklin said. Franklin and David Becker, the executive director of the Center for Election Innovation & Research, also pointed out that while state election websites report voting results, they do not actually tabulate votes. 
This information is kept separately and would not be affected if hackers got into sites that display vote totals.
By EditorDavid from Slashdot's tragic department
The San Diego Union-Tribune reports:
The 18-year-old who sped the wrong way down state Route 805 Thursday, crashing into an SUV and killing himself, a 12-year-old girl and her mother, was a YouTube star who had made a small fortune in video gaming gambling, according to authorities and hundreds of gaming fans on Twitter. The California Highway Patrol identified him Friday as Trevor Heitmann of San Diego. But the nearly 900,000 subscribers to his YouTube video channel and his Twitter followers knew him as "McSkillet"...
Kevin Hitt, editor in chief of VPesport.com online gaming news outlet, said Valve, under constraints from the state of Washington gambling commission, confiscated about $200,000 worth of McSkillet's skins and shut down his ability to acquire more.
Heitmann was one of the biggest names in Counter-Strike: Global Offensive (CSGO) skin trading when in late 2017, Valve, developers of CSGO, banned all of Heitmann's Steam platform accounts, shutting down his entire skin trading and collecting empire... The ban by Valve precluded Heitmann from being able to unbox, gamble, or trade skins, which directly affected his ability to monetize his YouTube videos, which saw viewer counts anywhere between 250,000 and 4.3 million. He hasn't posted a video since....
Before the fatal crash, Heitmann purposely drove his vehicle into the Ashley Falls Elementary School front gate that had a sign on the front that had the word "STEAM" printed on it in reference to a magnet program which supports science, technology, engineering, arts and mathematics. After breaking a window, he then drove onto the soccer field, spinning his car in circles a couple of times before leaving.
By msmash from Slashdot's change-of-heart department
Weeks after Tesla CEO Elon Musk expressed his intentions to take his company private, on late Friday, he said investors have convinced him that he shouldn't take the company private, so the firm will remain on the public stock markets. From a report: The eccentric and sometimes erratic CEO said in a statement late Friday that he made the decision based on feedback from shareholders, including institutional investors, who said they have internal rules limiting how much they can sink into a private company. Musk met with the electric car and solar panel company's board on Thursday to tell them he wanted to stay public and the board agreed, according to the statement. In a blog post, Mr. Musk shared the rationale behind his decision, at which he arrived after speaking with investors, both large and small, banks and others. He said: Given the feedback I've received, it's apparent that most of Tesla's existing shareholders believe we are better off as a public company. Additionally, a number of institutional shareholders have explained that they have internal compliance issues that limit how much they can invest in a private company. There is also no proven path for most retail investors to own shares if we were private. Although the majority of shareholders I spoke to said they would remain with Tesla if we went private, the sentiment, in a nutshell, was "please don't do this." I knew the process of going private would be challenging, but it's clear that it would be even more time-consuming and distracting than initially anticipated. This is a problem because we absolutely must stay focused on ramping Model 3 and becoming profitable. We will not achieve our mission of advancing sustainable energy unless we are also financially sustainable. That said, my belief that there is more than enough funding to take Tesla private was reinforced during this process.
Linux Turns 27
Posted by News Fetcher on August 24 '18 at 05:30 PM
By msmash from Slashdot's godspeed department
It's been 27 years since Linus Torvalds let a group of people know about his "hobby" OS. OMGUbuntu blog writes: Did you know that Linux, like Queen Elizabeth II, actually has two birthdays? Some FOSS fans consider the first public release of (prototype) code, which dropped on October 5, 1991, as more worthy of being the kernel's true anniversary date. Others, ourselves included, take today, August 25, as the "birth" date of the project. And for good reason. This is the day on which, back in 1991, a young Finnish college student named Linus Torvalds sat at his desk to let the folks on the comp.os.minix newsgroup know about the "hobby" OS he was working on. The "hobby OS" that wouldn't, he cautioned, be anything "big" or "professional." Even as Linux continues to have the lion's share in the enterprise world, it has only managed to capture a tiny fraction of the consumer space. Further reading: Ask Slashdot: Whatever Happened To the 'Year of Linux on Desktop'? Which Linux-based distro do you use? What changes, if any, would you like to see in it in the next three years?
By msmash from Slashdot's closer-look department
Earlier this week, the Food and Drug Administration (FDA) issued a statement that the homeopathic drug company King Bio is recalling 32 of its children's pain-relievers. According to the FDA, a "small percentage" of those products tested positive for bacterial contamination during regular, random testing by King Bio. From a report: The announcement does not provide any specifics about the contamination or potential risks. However, the North Carolina-based manufacturer behind the recall, King Bio, issued a similar announcement back in July. At that time, the company recalled three other products after an FDA inspection found batches contaminated with the bacteria Pseudomonas brenneri, Pseudomonas fluorescens, and Burkholderia multivorans. Pseudomonas brenneri is a bacterium recently found in natural mineral waters, and its clinical significance is murky. However, Pseudomonas fluorescens is known to be an opportunistic pathogen, causing blood infections, and Burkholderia multivorans can cause infections in people with compromised immune systems and cystic fibrosis. It was also recently found to be a rare but emerging cause of meningitis. King Bio did not respond to Ars' request for comment on the contamination, its potential source, or the company's actions to prevent further contamination. Homeopathic products, as Ars readers are likely familiar, are those based on a pseudoscientific belief that substances generating similar symptoms to an ailment can cure that ailment, aka the "law of similars." The potentially dangerous substances are generally safe to consume because homeopaths believe that "vigorous shaking" and excessive dilution -- often to the point where no atoms of the original substance remain -- make them more effective. As King Bio puts it, this preparation "potentizes" the substances. King Bio told the FDA that the items of concern were a group of various over-the-counter remedies produced between August 1, 2017 and April 2018.
By msmash from Slashdot's tussle-continues department
Airbnb has filed a lawsuit against the city of New York over a recent law the city passed, requiring the home-sharing site to hand over information about its hosts. From a report: The company is hoping to avoid millions in losses when the law, designed to police short-term home rentals, takes effect this winter. The New York City legislation, which passed with a 45-0 vote, would require Airbnb to share the names and addresses of its hosts with the city's Office of Special Enforcement. "The ordinance is an unlawful end-run around established restraints on governmental action and violates core constitutional rights," the company said in a claim filed in New York court on Friday. New York, which faces an affordable housing shortage, has struggled with how to enforce regulations to control Airbnb and other home-sharing services like Expedia's HomeAway. Regulators argue that short-term rentals, which can be more profitable than long-term leases, disrupt neighborhoods and drive up rents. The new legislation is designed to give officials enough information to catch Airbnb hosts who operate outside of strict home-sharing laws.
By msmash from Slashdot's holding-accountable department
Four US senators, members of the US Senate Select Committee on Intelligence, sent a letter on Wednesday to Election Systems and Software (ES&S), the largest voting machine vendor in the US, asking for clarifications on why the vendor is trying to discourage independent security reviews of its products. From a report: The four senators who signed the letter are Kamala D. Harris (D-CA), Mark Warner (D-VA), Susan Collins (R-ME), and James Lankford (R-OK). The senators sent the letter to ES&S following the conclusion of the Voting Village at the DEF CON 26 security conference held in Las Vegas at the start of the month, where security researchers found several security vulnerabilities in the company's products. "We are disheartened that ES&S chose to dismiss these demonstrations as unrealistic and that your company is not supportive of independent testing," the letter reads. "Many of the world's leading electronics and software companies have opened their arms to the research community, maintaining active presences at the largest security research conferences and inviting 'white hat' hackers to probe their products to identify how they can improve product security," the letter continued. At DEF CON, security researchers found vulnerabilities in the voting machines of other vendors. Only ES&S is mentioned in the senators' letter because of the company's dismissive approach to external security research.
By msmash from Slashdot's my-way-or-highway department
Google appears to have quietly purged its own user-generated review content from its search results. From a report: This is significant, critics of Google say, because it obscures the fact that Google's search engine judges the company's own reviews poorly. Google's search engine ranks content by relevance and quality, and Google's review content previously showed up deep into the search results, far from the first page of links that takes most of the clicks. A Google spokesperson disagreed that the review content was "de-indexed," simply noting that because Google reviews don't currently live on a web page, they are not displayed as web results. Given that reviews once showed up in regular Google search results and now do not, it follows that the reviews were moved from a web page to the Maps platform, whose code prevents search engines from crawling it. What was once searchable is now not searchable, something Google did not explain. As a result, Google reviews do not have to rank highly in search engines. Instead, the Google snippet -- the map and reviews box above the standard search result -- allows the company to capture clicks that would otherwise flow off the platform to whatever website the algorithm made by the search team down the hall at Mountain View deemed the best.