By BeauHD from Slashdot's heads-up department
An anonymous reader quotes a report from Bleeping Computer: Security researchers have found, on average, five security flaws in each cryptocurrency ICO held last year. Only one ICO held in 2017 did not contain any critical flaws. According to Positive.com, a security firm specialized in ICO security audits, most of the vulnerabilities they found were in the smart contracts at the base of the ICO itself.
"71% of tested projects contained vulnerabilities in smart contracts, the heart and soul of an ICO," the company said. "Once an ICO starts, the contract cannot be changed and is open to everyone, meaning anyone can view it and look for flaws. Typically, these would consist of non-compliance with the ERC20 standard (the token interface for digital wallets and cryptocurrency exchanges), incorrect random number generation and incorrect scoping, amongst others," Positive.com experts say. "Generally, these vulnerabilities occur due to lack of programmer expertise and insufficient source code testing." According to the researchers, all the mobile apps ICO organizers launched in 2017 contained security flaws. "The most common flaws in mobile apps are the use of insecure data transfer methods, storage of user data in phone backups, and disclosure of session IDs that an attacker could capture and use against the user," reports Bleeping Computer. Security bugs were also found in the web apps.
By BeauHD from Slashdot's technical-difficulties department
The Russian-manufactured Proton rocket that has been traveling into space since before humans landed on the Moon will finally stop flying. "In an interview with a Russian publication, Roscosmos head Dmitry Rogozin said production of the Proton booster will cease as production shifts to the new Angara booster," reports Ars Technica. "No new Proton contracts are likely to be signed." From the report: First launched in 1965, the rocket was initially conceived of as a booster to fly two-person crews around the Moon, as the Soviet Union sought to beat NASA into deep space. Indeed, some of its earliest missions launched creatures, including two turtles, to the Moon and back.
The decision will bring down the curtain on one of the longest-used and most versatile rockets in world history. As the United States developed the space shuttle in the 1970s and began flying it in the 1980s, the Russian space agency saw the opportunity to commercialize the Proton rocket, and by the end of the 1990s, the booster became a major moneymaker for the Russian space industry. With a capacity of 22.8 tons to low-Earth orbit, it became a dominant player in the commercial market for heavier satellites. An increasing rate of failures, combined with the rise of SpaceX's cheaper Falcon 9 rockets, "have caused the number of Proton launches in a given year to dwindle from eight or so to just one or two," adds Ars. "This shrinking market has opened the door to the Angara rocket, which has the advantage of not using environmentally hazardous fuel for each of its stages..."
By BeauHD from Slashdot's privacy-matters department
Troy Hunt, web security expert and creator of the website Have I Been Pwned (HIBP), wrote a blog post announcing his partnerships with Firefox and 1Password. For those unfamiliar with the site, Have I Been Pwned allows you to search across multiple data breaches to see if your email address has been compromised. The service is especially handy now that data breaches are becoming a daily occurrence. Hunt writes: Last November, there was much press about Mozilla integrating HIBP into Firefox. I was a bit surprised at the time as it was nothing more than their Breach Alerts feature which simply highlighted if the site being visited had previously been in a data breach (it draws this from the freely accessible breach API on HIBP). But the press picked up on some signals which indicated that in the long term, we had bigger plans than that and the whole thing got a heap of very positive attention. I ended up fielding a heap of media calls just on that one little feature - people loved the idea of HIBP in Firefox, even in a very simple form. As it turns out, we had much bigger plans and that's what I'm sharing here today. Over the coming weeks, Mozilla will begin trialling integration between HIBP and Firefox to make breach data searchable via a new tool called "Firefox Monitor." Here's what Hunt has to say about 1Password: As of now, you can search HIBP from directly within 1Password via the Watchtower feature in the web version of the product. This helps Watchtower become "mission control" for accounts and introduces the "Breach Report" feature. If you're a 1Password user you can use this feature right now, just head on over to the 1Password login page.
By BeauHD from Slashdot's quality-of-data department
dcblogs writes: LinkedIn has developed a new analytics platform that should make it easier to poach job candidates. It will use its vast database of nearly 600 million profiles to help recruiters find pockets of talent, know the attrition rate and glean competitive data. The platform, due in September, was discussed at a recent HR conference. One attendee asked a LinkedIn official: "Does that set up an environment for poaching talent?" And then she immediately answered her own question. "I think the answer is yes. And so why would I sign off on that?" In response to the attendee's question, Eric Owski, the head of product for Talent Insights at LinkedIn, said there was nothing wrong with making this data available. The LinkedIn team concluded that "the world is becoming more transparent," and "very sophisticated teams at large companies were able to figure out a lot of the calculations that we're making available in this product," he said. "We think by packaging it up nicely, it levels the playing field," Owski said. "We feel like we're on safe ground."
By BeauHD from Slashdot's one-size-doesn't-fit-all department
Recompiling is unlikely to be a catch-all solution for a recently unveiled Intel CPU vulnerability known as TLBleed, the details of which were leaked on Friday, the head of the OpenBSD project Theo de Raadt says. iTWire reports: The details of TLBleed, which gets its name from the fact that the flaw targets the translation lookaside buffer, a CPU cache, were leaked to the British tech site, The Register; the side-channel vulnerability can theoretically be exploited to extract encryption keys and private information from programs. Former NSA hacker Jake Williams said on Twitter that a fix would probably need changes to the core operating system and was likely to involve "a ton of work to mitigate (mostly app recompile)." But de Raadt was not so sanguine. "There are people saying you can change the kernel's process scheduler," he told iTWire on Monday. "(It's) not so easy."
He said that Williams was lacking all the details and not thinking it through. "They actually have sufficient detail to think it through: the article says the TLB is shared between hyperthreading CPUs, and it is unsafe to share between two different contexts. Basically you can measure evictions against your own mappings, which indicates the other process is touching memory (you can determine the aliasing factors)." De Raadt said he was still not prepared to say more, saying: "Please wait for the paper [which is due in August]."
By BeauHD from Slashdot's always-listening department
According to a new report from Bloomberg's Mark Gurman and Debby Wu, Apple is "planning higher-end AirPods, a new HomePod and studio-quality over-ear headphones for as early as next year." From the report: The Cupertino, California-based company is working on new AirPods with noise-cancellation and water resistance, the people said. Apple is trying to increase the range that AirPods can work away from an iPhone or iPad, one of the people said. You won't be swimming in them though: The water resistance is mainly to protect against rain and perspiration, the people said. Slated for 2019, the earbuds will likely cost more than the existing $159 pair, and that could push Apple to segment the product line like it does with iPhones, one of the people said. Apple is also working on a wireless charging case that's compatible with the upcoming AirPower charger.
There are over-ear headphones coming from Apple, too. Those will compete with pricey models from Bose Corp. and Sennheiser. They will use Apple branding and be a higher-end alternative to the company's Beats line. Apple originally intended to introduce the headphones by the end of 2018, but has faced development challenges, and is now targeting a launch as early as next year, the people said. The report also points back to an earlier Bloomberg report that teased a new version of the current AirPods featuring a new chip and support for hands-free Siri activation. Those are reportedly launching later this year.
By msmash from Slashdot's beware department
Tick bites can cause all sorts of nasty afflictions. And if you're bitten by a Lone Star tick, here's one more to add to the list: a red meat allergy. NPR reports: About 10 years ago, Dr. Scott Commins, an allergist and associate professor of medicine at the University of North Carolina, Chapel Hill, was among the first physicians to identify the allergy in patients with tick bites. Back then, there were just a few dozen known cases. That has increased dramatically. "We're confident the number is over 5,000 [cases], and that's in the U.S. alone," Commins says. There are also cases in Sweden, Germany and Australia -- likely linked to other species of ticks. In the U.S., the Lone Star tick has expanded its range beyond the Southeast, and there are documented cases of alpha-gal meat allergies farther north -- including New York, Maine and Minnesota. "The range of the tick is expanding," says Commins. So is awareness about the red meat allergy it can cause. "We have a blood test, and the word is getting out."
By BeauHD from Slashdot's deal-or-no-deal department
An anonymous reader quotes a report from Bloomberg: Jane was working in Amazon's Seattle headquarters when she was asked to a meeting with her manager and a human resources representative. They gave her a document outlining concerns about her work performance and spelled out three choices. She could quit and receive severance pay, spend the next several weeks trying to keep her job by meeting certain performance goals, or square off with her manager in a videoconference version of the Thunderdome, pleading her case with a panel of co-workers while her boss argued against her. Jane, who asked that her real name not be used to discuss a personal matter, chose the last one.
Amazon is borrowing a page from union grievance processes that don't apply to most corporate employees. But only about 30 percent of those who appeal their manager's criticisms prevail, meaning they can keep their jobs or seek new ones within the company with different bosses, according to people familiar with the matter. Eighteen months after its debut, the hearing process has created resentment and raised questions about fairness, according to current and former workers as well as attorneys familiar with their situations. "It's a kangaroo court," says George Tamblyn, a Seattle employment lawyer who helped one former Amazon worker plan her appeal earlier this year. "My impression of the process is it's totally unfair." According to a person familiar with the process, the workers who fail to make their case and get their job back can still choose between severance pay or a performance-improvement plan. The program, called "Pivot," was started last year.
By msmash from Slashdot's major-development department
The U.S. Food and Drug Administration on Monday approved the first prescription drug derived from the marijuana plant, as a treatment for rare forms of epilepsy that primarily afflict children. From a report: The FDA said Monday that it cleared GW Pharmaceuticals' Epidiolex, also known as cannabidiol, to reduce seizures associated with forms of epilepsy known as Lennox-Gastaut syndrome and Dravet syndrome, in patients 2 years of age and older. Cannabidiol is derived from the cannabis plant, also known as marijuana. U.K.-based GW Pharmaceuticals says the solution, taken by mouth, is made from a proprietary strain of cannabis designed to maximize a therapeutic component while minimizing components that produce euphoria. GW Pharmaceuticals grows the plants in the U.K. The FDA said Monday that the drug doesn't cause the high that comes from the chemical tetrahydrocannabinol, or THC, which is the main psychoactive component of marijuana. FDA officials also said the drug doesn't appear to have abuse potential, citing minimal reports of euphoria in patients who took the drug in clinical studies. Further reading: StatNews, The Guardian, and FDA.
By msmash from Slashdot's step-in-the-right-direction department
Mark Wilson writes: When it comes to messaging tools, people have started to show greater interest in whether encryption is used for security, and the same goes for websites -- but not so much with email. Thanks to the work of the Electronic Frontier Foundation, however, email security is being placed at the top of the agenda. The privacy group today announces STARTTLS Everywhere, its new initiative to improve the security of the email ecosystem. STARTTLS is an addition to SMTP, and while it does not add end-to-end encryption, it does provide hop-to-hop encryption, which is very much a step in the right direction. In a blog post, EFF explains STARTTLS for the uninitiated, and outlines how it worked around some of the tech's underlying challenges: There are two primary security models for email transmission: end-to-end, and hop-to-hop. Solutions like PGP and S/MIME were developed as end-to-end solutions for encrypted email, which ensure that only the intended recipient can decrypt and read a particular message. Unlike PGP and S/MIME, STARTTLS provides hop-to-hop encryption (TLS for email), not end-to-end. Without requiring configuration on the end-user's part, a mailserver with STARTTLS support can protect email from passive network eavesdroppers. For instance, network observers gobbling up worldwide information from Internet backbone access points (like the NSA or other governments) won't be able to see the contents of messages, and will need more targeted, low-volume methods. In addition, if you are using PGP or S/MIME to encrypt your emails, STARTTLS prevents metadata leakage (like the "Subject" line, which is often not encrypted by either standard) and can negotiate forward secrecy for your emails.
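To make the hop-to-hop model concrete, here is an added example (not code from the article, EFF or the STARTTLS Everywhere project) that models the client side of the SMTP STARTTLS negotiation: it parses a constructed EHLO reply, checks whether the server advertises STARTTLS, and contrasts an opportunistic policy with one that requires TLS for the hop. The second sample reply, with the STARTTLS line absent, is an assumption illustrating why opportunistic encryption alone can silently fall back to plaintext.

```python
# Added example: a model of the SMTP STARTTLS decision a sending
# mailserver makes after EHLO. Sample replies are constructed, not captured.

OPPORTUNISTIC = "opportunistic"   # use TLS if offered, otherwise send in clear
REQUIRED = "required"             # refuse the hop unless TLS is offered

# Constructed multi-line EHLO reply (RFC 5321 style: "250-" continuation
# lines, "250 " on the final line). STARTTLS is advertised as an extension.
EHLO_WITH_STARTTLS = (
    "250-mx.example.test Hello client.example.test\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)

# Constructed reply with no STARTTLS line. To an opportunistic client this
# is indistinguishable from a server that never supported TLS, whether the
# line is genuinely absent or was removed on the path (assumed scenario).
EHLO_STRIPPED = (
    "250-mx.example.test Hello client.example.test\r\n"
    "250-SIZE 52428800\r\n"
    "250 8BITMIME\r\n"
)


def parse_ehlo(reply: str) -> dict:
    """Return {EXTENSION: parameters} parsed from a successful EHLO reply."""
    lines = [ln for ln in reply.split("\r\n") if ln]
    if not lines or not all(ln.startswith("250") and len(ln) >= 4 for ln in lines):
        raise ValueError("not a successful EHLO reply")
    # Every line except the last must be a "250-" continuation line.
    if any(ln[3] != "-" for ln in lines[:-1]):
        raise ValueError("malformed multi-line reply")
    if lines[-1][3] != " ":
        raise ValueError("missing terminating '250 ' line")
    extensions = {}
    for ln in lines[1:]:                    # lines[0] is the server greeting
        name, _, params = ln[4:].partition(" ")
        extensions[name.upper()] = params
    return extensions


def negotiate(reply: str, policy: str) -> str:
    """Decide the client's next step: 'tls', 'plaintext' or 'refuse'."""
    extensions = parse_ehlo(reply)
    if "STARTTLS" in extensions:
        # Client would now send "STARTTLS", expect "220", then start TLS and
        # re-issue EHLO over the encrypted channel.
        return "tls"
    if policy == REQUIRED:
        return "refuse"        # keep the message queued rather than leak it
    return "plaintext"         # opportunistic fallback: the hop is unprotected


if __name__ == "__main__":
    for label, reply in (("advertised", EHLO_WITH_STARTTLS), ("absent", EHLO_STRIPPED)):
        for policy in (OPPORTUNISTIC, REQUIRED):
            print(f"STARTTLS {label:10s} policy={policy:13s} -> {negotiate(reply, policy)}")
```

The "required" policy is what a per-domain TLS policy list lets a sender apply without giving up interoperability with servers that truly lack STARTTLS.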
By msmash from Slashdot's marching-forward department
OpenAI said on Monday that its newest AI bots can hold their own as a team of five against human gamers at Dota 2, a multiplayer game popular in e-sports for its complexity and its reliance on teamwork. The AI research lab is looking to take the bots to Dota 2 championship matches in August to compete against the pros. From a report: Dota 2 is a challenging game for AI to master simply because of the number of decisions that the players have to juggle. While chess can end in fewer than 40 moves, and Go in fewer than 150, OpenAI's Dota 2 bots make 20,000 moves over the course of a 45-minute game. While OpenAI showed last year that the bots could go one on one against a human professional in a curated snippet of the game, the company wasn't entirely sure that they could scale up to five against five. But the research team doesn't credit this breakthrough to a new technique or a lightbulb moment, rather a simple idea. "As long as the AI can explore, it will learn, given enough time," Greg Brockman, OpenAI's chief technology officer, told Quartz. The bots learn from self-play, meaning two bots playing each other and learning from each side's successes and failures. By using a huge stack of 256 graphics processing units (GPUs) with 128,000 processing cores, the researchers were able to speed up the AI's gameplay so that the bots learned from the equivalent of 180 years of gameplay for every day they trained.
By msmash from Slashdot's how-about-that department
Brian Brackeen, chief executive officer of the facial recognition software developer Kairos, writes in an op-ed: Recent news of Amazon's engagement with law enforcement to provide facial recognition surveillance (branded "Rekognition"), along with the almost unbelievable news of China's use of the technology, means that the technology industry needs to address the darker, more offensive side of some of its more spectacular advancements. Facial recognition technologies, used in the identification of suspects, negatively affect people of color. To deny this fact would be a lie. And clearly, facial recognition-powered government surveillance is an extraordinary invasion of the privacy of all citizens -- and a slippery slope to losing control of our identities altogether. There's really no "nice" way to acknowledge these things. I've been pretty clear about the potential dangers associated with current racial biases in face recognition, and open in my opposition to the use of the technology in law enforcement. [...] To be truly effective, the algorithms powering facial recognition software require a massive amount of information. The more images of people of color it sees, the more likely it is to properly identify them. The problem is, existing software has not been exposed to enough images of people of color to be confidently relied upon to identify them.
By msmash from Slashdot's closer-look department
Last month IBM, which has staked much of its future on its flagship AI Watson, announced a major round of layoffs in the division. Now the engineers who were let go allege that the move shows the difficulties IBM is facing in turning its AI into a profitable business. A report on IEEE Spectrum says: "IBM Watson has great AI," one engineer said, who asked to remain anonymous so he wouldn't lose his severance package. "It's like having great shoes, but not knowing how to walk -- they have to figure out how to use it." The layoffs at the end of May cut a swath through the Watson Health division. According to anonymous accounts submitted to the site Watching IBM, the cuts primarily affected workers from three acquired companies: Phytel, Explorys, and Truven. These companies, acquired between 2015 and 2016, brought with them hefty troves of healthcare data, proprietary analytics systems to mine the data for insights, as well as their customers. The report adds: Two laid-off engineers from Phytel spoke to IEEE Spectrum in depth. They allege that IBM's leadership mismanaged their company since its acquisition, and say the problems at Phytel are emblematic of IBM's struggles to make Watson profitable. Several other Phytel employees corroborated the basic facts of their accounts. Both engineers worked for Phytel since before its 2015 acquisition, and say they were excited to become part of Big Blue. "Everyone expected that we would join IBM and be propelled by their support, that it would be the beginning of great things," says the first engineer.
By msmash from Slashdot's hidden-in-plain-sight department
News outlet The Intercept on Monday published a report that reveals eight AT&T-owned locations: two in California, one in Washington, another in Washington, D.C., one in New York, one in Texas, one in Illinois, and one in Georgia, that serve as backbone or "peering" facilities that the NSA has secretly been using for eavesdropping purposes. Spokespeople of AT&T, which refers to the aforementioned peering sites as "Service Node Routing Complexes", and NSA could neither confirm nor deny the report's findings. From the report: The NSA considers AT&T to be one of its most trusted partners and has lauded the company's "extreme willingness to help." It is a collaboration that dates back decades. Little known, however, is that its scope is not restricted to AT&T's customers. According to the NSA's documents, it values AT&T not only because it "has access to information that transits the nation," but also because it maintains unique relationships with other phone and internet providers. The NSA exploits these relationships for surveillance purposes, commandeering AT&T's massive infrastructure and using it as a platform to covertly tap into communications processed by other companies. [...] While network operators would usually prefer to send data through their own networks, often a more direct and cost-efficient path is provided by other providers' infrastructure. If one network in a specific area of the country is overloaded with data traffic, another operator with capacity to spare can sell or exchange bandwidth, reducing the strain on the congested region. This exchange of traffic is called "peering" and is an essential feature of the internet. Because of AT&T's position as one of the U.S.'s leading telecommunications companies, it has a large network that is frequently used by other providers to transport their customers' data.
Companies that "peer" with AT&T include the American telecommunications giants Sprint, Cogent Communications, and Level 3, as well as foreign companies such as Sweden's Telia, India's Tata Communications, Italy's Telecom Italia, and Germany's Deutsche Telekom.
By msmash from Slashdot's up-next department
An anonymous reader shares a report: Privacy and government affairs officers from a number of the largest tech companies plan to convene in San Francisco on Wednesday to discuss how to tackle growing questions and concerns about consumer privacy online. The Information Technology Industry Council, a Washington trade group that represents major tech companies, organized an all-day meeting to jump-start the conversations. Members include Facebook, Google, Apple, Salesforce, IBM, Microsoft, Intel, Qualcomm, Samsung, Dropbox, and others. ITI expects the meeting to be attended by companies across the industry's sectors, including hardware, software and device makers -- but declined to say which companies would be there.