By msmash from Slashdot's how-random-is-random department
Cloudflare, along with a group of individual and academic partners, is forming a new coalition that will provide truly random, unpredictable numbers for a variety of applications, including election systems and lotteries. From a report: The problem of producing truly random numbers on a consistent basis has been a thorny one for cryptographers for many years. There have been plenty of efforts to establish sources of randomness, with some success, but one of the drawbacks is that any single randomness generator can be a target for abuse by privileged insiders or outside attackers. This is especially true in high-value applications that require random numbers, such as lottery or election systems. Also, if a given source of random numbers fails for any reason, the applications that rely on it can be crippled, as well.
To help address this problem, Cloudflare has teamed up with the University of Chile, the Ecole polytechnique federale de Lausanne, and several individual researchers to form a consortium of randomness beacons distributed around the world. The system is based on the drand randomness beacon developed by Nicholas Gailly, a researcher at Protocol Labs, a research lab for network protocols, and the aim is to have a distributed network of beacons that will always be available. "Our founding members are contributing their individual high-entropy sources to provide a more random and unpredictable beacon to generate publicly verifiable random values every sixty seconds. The fact that the drand beacon is decentralized and built using appropriate, provably-secure cryptographic primitives, increases our confidence that it possesses all the aforementioned properties," Dina Kozlov, a product manager at Cloudflare, said.
By msmash from Slashdot's for-what-it-is-worth department
Microsoft has released To-Do for Mac, finally giving Apple users access to the task management tool on their desktops. The Mac app will allow users to work offline, view their upcoming tasks under "My Day," share to-do lists with friends and colleagues and see flagged emails. From a report: "Today, we'd like to announce the arrival of a new family member -- that's right, the moment many of you have been waiting for is here -- say hello to the Mac app. If you've already been using our app on Android, iOS, Windows, or web, then the Mac app will feel very familiar. Sign in and all your tasks will be waiting for you, ready to be checked off. You can work offline, add tasks to My Day, see your flagged email in your Flagged email list, and share your lists with colleagues or friends and family. The Planner integration isn't available yet, but we're already working on bringing the Assigned to Me list to you," says Polly Davidson, Social Media Strategist, Microsoft.
By msmash from Slashdot's security-woes department
Over a quarter of all the major content management systems (CMSs) use the old and outdated MD5 hashing scheme as the default for securing and storing user passwords. From a report: Some of the projects that use MD5 as the default method for storing user passwords include WordPress, osCommerce, SuiteCRM, Simple Machines Forum, miniBB, MyBB, SugarCRM, CMS Made Simple, MantisBT, Phorum, Observium, X3cms, and Composr. The MD5 algorithm has been cracked for years now, meaning all passwords stored in this format can be reversed back to their plaintext version. This means that unless website owners changed these default settings by modifying the CMS source code, most websites built on top of these CMSs put user passwords at risk if a hacker steals the site's database. This revelation is just one of the many observations that came out of an extensive academic research project at the University of Piraeus, in Greece. Academics examined 49 commonly used CMSs and 47 popular web application frameworks and looked at their default password storage mechanism, namely their password hashing schemes.
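The practical way out of the default the report describes is to verify legacy records as they are and rehash them in a slow, salted scheme on the user's next successful login. This is an added example, not code from any of the CMSs named above; the `pbkdf2_sha256$iterations$salt$digest` record layout, the `login` flow and the `audit_legacy` helper are constructions for this illustration.

```python
import hashlib
import hmac
import os

# Legacy CMS default described in the report: a bare, unsalted hex MD5 digest.
# Every user with the same password gets the same 32-character string, and MD5
# is fast enough that a stolen table can be matched against precomputed digests
# of common passwords.
def legacy_md5(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def is_legacy_md5(stored: str) -> bool:
    """True for a bare 32-hex-digit record, the shape of an unsalted MD5 digest."""
    return len(stored) == 32 and all(c in "0123456789abcdef" for c in stored.lower())

# Replacement: PBKDF2-HMAC-SHA256 with a random per-user salt and a high
# iteration count. The "pbkdf2_sha256$iterations$salt$digest" layout is a
# constructed format for this example, not any CMS's own.
PBKDF2_ITERATIONS = 600_000  # OWASP's recommended minimum for PBKDF2-SHA256

def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_pbkdf2(password: str, stored: str) -> bool:
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, digest_hex = parts
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(digest.hex(), digest_hex)

def login(record: dict, password: str) -> bool:
    """Verify against whichever format the record holds. On a successful login
    against a legacy MD5 record, rewrite it in the hardened format ("upgrade on
    login"): the plaintext is only available at that moment."""
    stored = record["password_hash"]
    if is_legacy_md5(stored):
        ok = hmac.compare_digest(legacy_md5(password), stored.lower())
        if ok:
            record["password_hash"] = hash_password(password)
        return ok
    return verify_pbkdf2(password, stored)

def audit_legacy(users: dict) -> list:
    """Usernames whose stored hash is still a bare MD5 digest."""
    return sorted(u for u, rec in users.items() if is_legacy_md5(rec["password_hash"]))

if __name__ == "__main__":
    # Constructed user table: two legacy records, one already upgraded.
    users = {
        "alice": {"password_hash": legacy_md5("correct horse battery")},
        "bob":   {"password_hash": legacy_md5("correct horse battery")},
        "carol": {"password_hash": hash_password("another passphrase")},
    }
    print("same password, same MD5:", users["alice"]["password_hash"] == users["bob"]["password_hash"])
    print("still on MD5:", audit_legacy(users))
    print("alice logs in:", login(users["alice"], "correct horse battery"))
    print("still on MD5:", audit_legacy(users))
```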
By msmash from Slashdot's closer-look department
In just three pages, a Russian mathematician has presented a better way to color certain types of networks than many experts thought possible. From a report:
A paper posted online last month has disproved a 53-year-old conjecture about the best way to assign colors to the nodes of a network. The paper shows, in a mere three pages, that there are better ways to color certain networks than many mathematicians had supposed possible. Network coloring problems, which were inspired by the question of how to color maps so that adjoining countries are different colors, have been a focus of study among mathematicians for nearly 200 years. The goal is to figure out how to color the nodes of some network (or graph, as mathematicians call them) so that no two connected nodes share the same color. Depending on the context, such a coloring can provide an effective way to seat guests at a wedding, schedule factory tasks for different time slots, or even solve a sudoku puzzle.
Graph coloring problems tend to be simple to state, but they are often enormously hard to solve. Even the question that launched the field -- Do four colors suffice to color any map? -- took more than a century to answer (the answer is yes, in case you were wondering). The problem tackled in the new paper seemed, until now, to be no exception to this rule. Unsolved for more than 50 years, it concerns tensor products -- graphs made by combining two different graphs (call them G and H) in a specific way. The tensor product of G and H is a new, larger graph in which each node represents a pair of nodes from the original graphs -- one from G and one from H -- and two nodes in the tensor product are connected if both their corresponding nodes in G and their corresponding nodes in H are connected.
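A concrete version of the definition above, added here (not code from the article or the paper): build the tensor product of two small graphs, check that any proper coloring of G carries over to the product by coloring (g, h) with g's color (which is why the product never needs more colors than G or H alone), and compute the exact chromatic number of a small product by backtracking. All function names are this example's own.

```python
from itertools import product

def cycle_graph(n: int) -> dict:
    """C_n as an adjacency dict: node -> set of neighbours."""
    return {i: {(i - 1) % n, (i + 1) % n} for i in range(n)}

def complete_graph(n: int) -> dict:
    """K_n: every node adjacent to every other node."""
    return {i: {j for j in range(n) if j != i} for i in range(n)}

def tensor_product(G: dict, H: dict) -> dict:
    """Nodes are pairs (g, h); (g, h) ~ (g2, h2) iff g ~ g2 in G and h ~ h2 in H."""
    adj = {(g, h): set() for g in G for h in H}
    for g, h in adj:
        for g2 in G[g]:
            for h2 in H[h]:
                adj[(g, h)].add((g2, h2))
    return adj

def is_proper(graph: dict, colouring: dict) -> bool:
    return all(colouring[u] != colouring[v] for u in graph for v in graph[u])

def lift_colouring(prod: dict, g_colouring: dict) -> dict:
    """Colour (g, h) with g's colour. Adjacent product nodes have adjacent
    first coordinates, so a proper colouring of G stays proper on the product."""
    return {(g, h): g_colouring[g] for (g, h) in prod}

def chromatic_number(graph: dict, max_colours: int):
    """Smallest k <= max_colours with a proper k-colouring, found by
    backtracking (exact, and fast enough for graphs of a few dozen nodes)."""
    order = sorted(graph, key=lambda v: -len(graph[v]))  # high degree first
    for k in range(1, max_colours + 1):
        colouring = {}
        if _extend(graph, order, 0, k, colouring):
            return k, colouring
    return None

def _extend(graph, order, i, k, colouring) -> bool:
    if i == len(order):
        return True
    v = order[i]
    taken = {colouring[u] for u in graph[v] if u in colouring}
    for c in range(k):
        if c in taken:
            continue
        colouring[v] = c
        if _extend(graph, order, i + 1, k, colouring):
            return True
        del colouring[v]
    return False

if __name__ == "__main__":
    K3, C5 = complete_graph(3), cycle_graph(5)
    P = tensor_product(K3, C5)          # 15 nodes, each of degree 2 * 2 = 4
    k, col = chromatic_number(K3, 3)
    print("K3 needs", k, "colours; lifted colouring proper on K3 x C5:",
          is_proper(P, lift_colouring(P, col)))
    print("exact chromatic number of K3 x C5:", chromatic_number(P, 4)[0])
```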
By msmash from Slashdot's cook-says department
Apple CEO Tim Cook said Sunday in a commencement address at Stanford University that technology companies need to take responsibility for the "chaos" they create. From a report: He did not name specific companies in his speech, but referenced several reasons that tech firms, particularly social media platforms, have come under scrutiny in recent months. He also made an apparent reference to embattled health startup Theranos. "Lately it seems this industry is becoming better known for a less noble innovation -- the belief you can claim credit without accepting responsibility," Cook said, according to videos posted online of his speech. "We see it every day now with every data breach, every privacy violation, every blind eye turned to hate speech, fake news poisoning our national conversation, the false miracles in exchange for a single drop of your blood," he added. "Too many seem to think that good intentions excuse away harmful outcomes, but whether you like it or not, what you build and what you create define who you are. It feels a bit crazy that anyone should have to say this, but if you built a chaos factory, you can't dodge responsibility for the chaos."
By msmash from Slashdot's cost-of-ban department
China's Huawei has taken a harder-than-expected hit from a U.S. ban, the company's founder and CEO Ren Zhengfei said, and slashed revenue expectations for the year. From a report: Ren's downbeat assessment that the ban will hit revenue by $30 billion, the first time Huawei has quantified the impact of the U.S. action, comes as a surprise after weeks of defiant comments from company executives who maintained Huawei was technologically self-sufficient. [...] Huawei had not expected that U.S. determination to "crack" the company would be "so strong and so pervasive," Ren said, speaking at the company's Shenzhen headquarters on Monday. Two U.S. tech experts, George Gilder and Nicholas Negroponte, also joined the session. "We did not expect they would attack us on so many aspects," Ren said, adding he expects a revival in business in 2021.
By EditorDavid from Slashdot's data-on-developers department
The report surveyed about 7,000 developers worldwide, and revealed Python is the most studied programming language, the most loved language, and the third top primary programming language developers are using... The top use cases developers are using Python for include data analysis, web development, machine learning and writing automation scripts, according to the JetBrains report. More developers are also beginning to move over to Python 3, with 9 out of 10 developers using the current version.
The JetBrains report also found while Go is still a young language, it is the most promising programming language. "Go started out with a share of 8% in 2017 and now it has reached 18%. In addition, the biggest number of developers (13%) chose Go as a language they would like to adopt or migrate to," the report stated...
JetBrains (which designed Kotlin in 2011) also said that 60% of their survey's respondents identified themselves as professional web back-end developers (while 46% said they did web front-end, and 23% developed mobile applications). 41% said they hadn't contributed to open source projects "but I would like to," while 21% said they contributed "several times a year."
"16% of developers don't have any tests in their projects. Among fully-employed senior developers though, that statistic is just 8%. Like last year, about 30% of developers still don't have unit tests in their projects."
Other interesting statistics:
52% say they code in their dreams.
By EditorDavid from Slashdot's long-live-the-king department
There's now a new $175 million remake of Godzilla: King of the Monsters. I loved it, Msmash walked out of it, and BeauHD didn't bother to go see it. The movie performed poorly at the box office, but I'm not the only person who still likes Godzilla. There's also a new anime version on Netflix. And critic Matt Zoller Seitz (once a finalist for the Pulitzer Prize in criticism) is calling the new film "a frequently astounding movie... its imperfections are compensated by magnificence."
For all its crash-and-bash action, this is a real science fiction movie that goes to the trouble of not merely creating a world, but thinking about the implications of its images and predicaments. It cares what the people in it must feel and think about their situation, and how it might weigh on them every day even when they aren't talking about it amongst themselves. It's also suffused with a spiritual or theological awareness, and takes it all as seriously as recent DC films took their comparisons of caped wonders to figures from the Old Testament and ancient mythology...
[A]t the level of image, sound and music, "Godzilla: King of the Monsters" is a frequently brilliant film that earnestly grapples with the material it presents... It deploys state-of-the-art moviemaking tools to try to return audiences to a stage of childlike terror and delight. Arthur C. Clarke famously observed that any sufficiently advanced technology is indistinguishable from magic. This movie is magic.
By EditorDavid from Slashdot's Microsoft-meets-IBM department
Every day 5.7 million people ride the subway in New York City -- and are subjected to both "the whims of the Metropolitan Transit Authority and the unheard-of reliability of a marginally successful operating system from the early 1990s."
martiniturbide shared this report from Tedium:
OS/2 and MTA consultant Neil Waldhauer said in an email, "For a few years, you could bet your career on OS/2." To understand why, you need to understand the timing. Waldhauer continues, "The design is from a time before either Linux or Windows was around. OS/2 would have seemed like a secure choice for the future." So for a lack of options, the MTA went with its best one. And it's worked out for decades, as one of the key software components of a quite complex system...
Despite the failure of OS/2 in the consumer market, it was hilariously robust, leading to a long life in industrial and enterprise systems -- with one other famous example being ATMs. Waldhauer said, "Thinking about all the operating systems in use [in the MTA], I'd have to say that OS/2 is probably the most robust part of the system, except for the mainframe." It's still in use in the NYC subway system in 2019. IBM had long given up on it, even allowing another company to maintain the software in 2001. (These days, a firm named Arca Noae sells an officially supported version of OS/2, ArcaOS, though most of its users are in similar situations to the MTA.)
By EditorDavid from Slashdot's just-like-Johnny-Mnemonic department
Bloomberg reports on a five-year, $77 million project by America's Department of Defense to create an implantable brain device that restores memory-generation capacity for people with traumatic brain injuries.
A device has now been developed by Michael Kahana, a professor of psychology at the University of Pennsylvania, and the medical technology company Medtronic Plc, and successfully tested with funding from America's Defense Advanced Research Projects Agency (Darpa).
Connected to the left temporal cortex, it monitors the brain's electrical activity and forecasts whether a lasting memory will be created. "Just like meteorologists predict the weather by putting sensors in the environment that measure humidity and wind speed and temperature, we put sensors in the brain and measure electrical signals," Kahana says. If brain activity is suboptimal, the device provides a small zap, undetectable to the patient, to strengthen the signal and increase the chance of memory formation.
In two separate studies, researchers found the prototype consistently boosted memory 15 per cent to 18 per cent. The second group performing human testing, a team from Wake Forest Baptist Medical Center in Winston-Salem, N.C., aided by colleagues at the University of Southern California, has a more finely tuned method. In a study published last year, their patients showed memory retention improvement of as much as 37 per cent. "We're looking at questions like, 'Where are my keys? Where did I park the car? Have I taken my pills?'" says Robert Hampson, lead author of the 2018 study...
By EditorDavid from Slashdot's war-on-bots department
An anonymous reader quotes Bloomberg:
Twitch Interactive, the livestreaming platform owned by Amazon.com, has sued anonymous trolls who flooded the site last month with pornography, violent content and copyrighted movies and television shows...
Twitch says it works to remove offensive posts and ban the accounts of the users who post them, but that the videos quickly reappear, apparently posted by bots, while other bots work to drive users to the impermissible content. Twitch temporarily suspended new creators from streaming after a May 25 attack by trolls.
The company said that if it learns the identities of the anonymous streamers who have abused its terms of service -- named in the lawsuit as "John and Jane Does 1-100" -- it will ask the court to prohibit their using the platform and order them to pay restitution and damages.
Researchers from Austria's Graz University of Technology "have devised an automated system for browser profiling using two new side channel attacks that can help expose information about software and hardware," reports The Register.
Long-time Slashdot reader Artem S. Tashkinov shared their report:
The Mozilla Developer Network documentation for Firefox, for example, covers 2,247 browser properties. The researchers were able to capture 15,709. Though not all of these are usable for fingerprinting and some represent duplicates, they say they found about 10,000 usable properties for all browsers.
By EditorDavid from Slashdot's peeking-on-payments department
Remember the outrage last year when a researcher discovered that for Venmo's 40 million users, all transactions are "public" by default and broadcast on Venmo's API?
More than a year later, computer science student Dan Salmon has demonstrated that it's still incredibly easy to download millions of transactions through Venmo's developer API without obtaining user permissions (without even using the Venmo app).
He proved this by downloading 7 million of them, TechCrunch reports:
Dan Salmon said he scraped the transactions during a cumulative six months to raise awareness and warn users to set their Venmo payments to private... Using that data, anyone can look at an entire user's public transaction history, who they shared money with, when, and in some cases for what reason -- including illicit goods and substances.
"There's truly no reason to have this API open to unauthenticated requests," he told TechCrunch. "The API only exists to provide like a scrolling feed of public transactions for the home page of the app, but if that's your goal then you should require a token with each request to verify that the user is logged in."
He published the scraped data on his GitHub page.
By EditorDavid from Slashdot's whose-line-is-it-anyway department
"Genius.com says its traffic is dropping because, for the past several years, Google has been publishing lyrics on its own platform, with some of them lifted directly from the music site," reports the Wall Street Journal:
Google denies doing anything nefarious. Still, Genius's complaints offer a window into the challenges small tech companies can face when the unit of Alphabet Inc. starts offering competing services on its platform... Genius said it notified Google as far back as 2017, and again in an April letter, that copied transcriptions appear on Google's website. The April letter, a copy of which was viewed by the Journal, warned that reuse of Genius's transcriptions breaks the Genius.com terms of service and violates antitrust law.
"Over the last two years, we've shown Google irrefutable evidence again and again that they are displaying lyrics copied from Genius," said Ben Gross, Genius's chief strategy officer, in an email message.... Genius said it found more than 100 examples of songs on Google that came from its site. Starting around 2016, Genius made a subtle change to some of the songs on its website, alternating the lyrics' apostrophes between straight and curly single-quote marks in exactly the same sequence for every song. When the two types of apostrophes were converted to the dots and dashes used in Morse code, they spelled out the words "Red Handed."
Genius is a privately held company, and its investors include Andreessen Horowitz, Emagen Investment Group and the rapper Nas... Genius clients include the music streaming website Spotify Technology SA and Apple Inc.
The article also notes a March study from web-analytics firm Jumpshot Inc. which found that 62% of mobile searches on Google now don't result in the user clicking through to a non-Google web site.
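The apostrophe watermark described above, worked through as an added example (not Genius's own code): embed a known Morse pattern into the straight/curly apostrophes of a text, then score a suspect copy by how closely its apostrophes follow that pattern. The article does not say which quote mark stood for a dot and which for a dash, so the mapping below, the lyric text and the scoring thresholds are this example's own assumptions.

```python
# Straight apostrophe = dot, curly (right single quotation mark) = dash. This
# mapping is an assumption of the example, not something the article states.
STRAIGHT = "'"
CURLY = "\u2019"
QUOTES = {STRAIGHT, CURLY}

# Only the letters needed for the article's watermark phrase.
MORSE = {"A": ".-", "D": "-..", "E": ".", "H": "....", "N": "-.", "R": ".-."}

def morse_pattern(phrase: str) -> str:
    """Concatenated Morse for the phrase. Letter boundaries are not encoded;
    that is fine for detection, because the expected pattern is known."""
    return "".join(MORSE[c] for c in phrase.upper() if c != " ")

def embed_watermark(text: str, pattern: str) -> str:
    """Rewrite every apostrophe in `text` as straight or curly following
    `pattern`, repeating the pattern if the text has more apostrophes."""
    if not pattern:
        raise ValueError("empty watermark pattern")
    out, i = [], 0
    for ch in text:
        if ch in QUOTES:
            out.append(STRAIGHT if pattern[i % len(pattern)] == "." else CURLY)
            i += 1
        else:
            out.append(ch)
    return "".join(out)

def extract_sequence(text: str) -> str:
    """Read the apostrophes of a text back as dots and dashes."""
    return "".join("." if ch == STRAIGHT else "-" for ch in text if ch in QUOTES)

def watermark_score(text: str, pattern: str) -> float:
    """Fraction of apostrophes in `text` that agree with the expected pattern."""
    seq = extract_sequence(text)
    if not seq:
        return 0.0
    hits = sum(1 for i, s in enumerate(seq) if s == pattern[i % len(pattern)])
    return hits / len(seq)

def looks_copied(text: str, pattern: str, min_marks: int = 12,
                 threshold: float = 0.95) -> bool:
    """Flag a suspect text only when it carries enough apostrophes to be
    meaningful and nearly all of them follow the watermark."""
    return (len(extract_sequence(text)) >= min_marks
            and watermark_score(text, pattern) >= threshold)

# Constructed lyric text with plain straight apostrophes (24 of them); not a real song.
ORIGINAL = ("I can't say it's over, don't you know it's all I've got, "
            "we're here, they'd stay, won't you, I'm fine, isn't it, "
            "that's it, you'll see, he's gone, she'd go, let's try, "
            "we've won, ain't so, it'll do, I'd know, you've gone, "
            "they're back, we'll stop, there's more, who's there")

if __name__ == "__main__":
    pattern = morse_pattern("Red Handed")
    marked = embed_watermark(ORIGINAL, pattern)
    print("pattern:", pattern)
    print("read back:", extract_sequence(marked)[:len(pattern)])
    print("score on marked copy:", watermark_score(marked, pattern))
    print("score on unmarked text:", round(watermark_score(ORIGINAL, pattern), 3))
```

A copier who normalises every apostrophe to the straight form erases the mark, so the score only ever reports a match, never proves there is none.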
By EditorDavid from Slashdot's swordfish department
After Apple announced a single sign-on tool last week, The Verge interviewed Google product management director Mark Risher. Though Google offers its own single sign-on tool, The Verge found him "surprisingly sunny about having a new button to compete with. While the login buttons are relatively simple, they're much more resistant to common attacks like phishing, making them much stronger than the average password -- provided you trust the network offering them."
RISHER: I honestly do think this technology will be better for the internet and will make people much, much safer. Even if they're clicking our competitor's button when they're logging into sites, that's still way better than typing in a bespoke username and password, or more commonly, a recycled username and password...
Usually with passwords they recommend the capital letters and symbols and all of that, which the majority of the planet believes is the best thing that they should do to improve their security. But it actually has no bearing on phishing, no bearing on password breaches, no bearing on password reuse. We think that it's much more important to reduce the total number of passwords out there...
People often push back against the federated model, saying we're putting all our eggs into one basket. It sort of rolls off the tongue, but I think it's the wrong metaphor. A better metaphor might be a bank. There are two ways to store your hundred dollars: you could spread it around the house, putting one dollar in each drawer, and some under your mattress and all of that. Or you could put it in a bank, which is one basket, but it's a basket that is protected by 12-inch thick steel doors. That seems like the better option!
By EditorDavid from Slashdot's consuming-more-fiber department
Long-time Slashdot reader Proudrooster writes:
Fiber Internet is coming to Traverse City, Michigan in the hopes of attracting high tech startups and helping the city become a high-tech hub. Even in the face of intense lobbying by [commercial high-speed internet provider] Charter, The Mackinaw Center for Public Policy, and a barrage of pop up ads opposing it, the project is moving ahead into phase one.
It was more than apparent that Charter did everything it could to try and sow fear, uncertainty, and doubt to try and kill this project as other incumbent providers have done across the USA. [Citation needed -- though Traverse City officials did report high-powered anonymous lobbying.] Kudos to the board of Traverse City Light and Power and the residents of Traverse City for being brave and making this investment in their community. Even though the decision is not finalized, the network may be an open network, allowing customers to purchase from a variety of providers.
This project will undoubtedly be watched nationwide and possibly serve as a new model for other community fiber builds.
By EditorDavid from Slashdot's power-plays department
"The U.S. military's Cyber Command has gotten more aggressive than ever against Russia in the past year, placing 'potentially crippling malware' in systems that control the country's electrical grid," according to CNET, citing a report in the New York Times:
Made possible by little-noticed legal authority granted last summer by Congress, Cyber Command's strategy shift from a defensive to offensive posture is meant in part as a warning shot, but it's also designed to enable paralysing cyberattacks in the event of a conflict, The New York Times said Saturday, quoting unnamed officials... [T]he recent moves appear to have taken place under a military authorization bill Congress passed in 2018 that gives the go-ahead for "clandestine military activity" in cyberspace to "deter, safeguard or defend against attacks or malicious cyberactivities against the United States...."
The Times said Cyber Command is concerned Russia could trigger selective power outages in key states during the 2020 election and that it needs a way to discourage such attacks. But the agency and the U.S. have to consider their moves carefully in this international game of cyberchess. "The question now is whether placing the equivalent of land mines in a foreign power network is the right way to deter Russia," the Times report says. "While it parallels Cold War nuclear strategy, it also enshrines power grids as a legitimate target...."
In related news, Bloomberg reported Friday that a Russia-linked hacking group that shut down an oil and gas facility in Saudi Arabia in 2017 has been probing utilities in the U.S. since late last year.