By EditorDavid from Slashdot's virtually-private department
"A new attack named VORACLE can recover HTTP traffic sent via encrypted VPN connections under certain conditions," reports Bleeping Computer, citing research presented last week at the Black Hat and DEF CON security conferences. An anonymous reader writes:
The conditions are that the VPN service/client uses the OpenVPN protocol and that the VPN app compresses the HTTP traffic before it encrypts it using TLS. To make matters worse, the OpenVPN protocol compresses all data by default before sending it via the VPN tunnel. At least one VPN provider, TunnelBear, has now updated its client to turn off the compression. [UPDATE: ExpressVPN has since also disabled compression to prevent VORACLE attacks.]
HTTPS traffic is safe, and only HTTP data sent via the VPN under these conditions can be recovered. Users can also stay safe by switching to another VPN protocol if their VPN client supports multiple tunneling technologies.
In response to the security researcher's report, the OpenVPN project "has decided to add a more explicit warning in its documentation regarding the dangers of using pre-encryption compression."
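As an added illustration, not code from the Bleeping Computer report or the VORACLE research, the following Python models why compressing a request before encrypting it turns the ciphertext length into an oracle on a secret in the same stream, and why turning compression off (as TunnelBear and ExpressVPN did) removes the leak. The HTTP request, cookie value and hostname are constructed sample data, and the encryption step is modelled as length-preserving.

```python
import zlib

# Constructed sample: a cleartext HTTP request as it would travel inside the
# VPN tunnel. The cookie is the secret; the request path is the field that a
# remote party can influence. All names and values here are hypothetical.
SECRET_COOKIE = "session=7f3a9c"


def build_request(path: str) -> bytes:
    return (
        f"GET /{path} HTTP/1.1\r\n"
        f"Host: example.invalid\r\n"
        f"Cookie: {SECRET_COOKIE}\r\n\r\n"
    ).encode()


def tunnel_bytes(path: str, compress: bool) -> int:
    """Length of what the tunnel puts on the wire for one request.

    Encryption is modelled as length-preserving (no padding), which is what
    makes the *compressed* length visible to anyone who can observe the
    ciphertext. With compress=True the request is deflated first, mirroring
    a VPN client that compresses before it encrypts."""
    data = build_request(path)
    if compress:
        data = zlib.compress(data, 9)
    return len(data)


def length_leaks(compress: bool) -> bool:
    """Defender's regression check for the compress-then-encrypt condition.

    Two requests differ only in one byte of the influenced path: one repeats
    a real prefix of the secret cookie, the other does not. If the wire
    length differs, DEFLATE's back-references have made the ciphertext
    length depend on the secret."""
    matching = tunnel_bytes("session=7", compress)    # prefix of the cookie
    mismatching = tunnel_bytes("session=X", compress)  # not a prefix
    return matching != mismatching


if __name__ == "__main__":
    print("compress-then-encrypt leaks:", length_leaks(True))   # True
    print("encrypt only leaks:", length_leaks(False))           # False
```

With compression on, the matching guess is encoded as one longer back-reference instead of a back-reference plus a literal, so the wire length is one byte shorter; without compression both requests have identical length.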
By EditorDavid from Slashdot's seeking-CVEs department
Long-time Slashdot reader Mike Bouma shares a paper (via OS News) making the case for "a small microkernel as the core of the trusted computing base, with OS services separated into mutually-protected components (servers) -- in contrast to 'monolithic' designs such as Linux, Windows or MacOS."
While intuitive, the benefits of the small trusted computing base have not been quantified to date. We address this by a study of critical Linux CVEs where we examine whether they would be prevented or mitigated by a microkernel-based design. We find that almost all exploits are at least mitigated to less than critical severity, and 40% completely eliminated by an OS design based on a verified microkernel, such as seL4....
Our results provide very strong evidence that operating system structure has a strong effect on security. 96% of critical Linux exploits would not reach critical severity in a microkernel-based system, 57% would be reduced to low severity, the majority of which would be eliminated altogether if the system was based on a verified microkernel. Even without verification, a microkernel-based design alone would completely prevent 29% of exploits...
The conclusion is inevitable: From the security point of view, the monolithic OS design is flawed and a root cause of the majority of compromises. It is time for the world to move to an OS structure appropriate for 21st century security requirements.
By EditorDavid from Slashdot's not-shopping-locally department
"Even as the White House began cracking down on U.S. work visas, major Silicon Valley technology firms last year dramatically ramped up hiring of workers under the controversial H-1B visa program," reports the Mercury News.
Menlo Park-based Facebook in 2017 received 720 H-1B approvals, a 53 percent increase over 2016, according to the National Foundation for American Policy, which obtained federal government data. Mountain View's Google received 1,213 H-1B approvals, a 31 percent increase. The number of H-1B approvals at Intel in Santa Clara rose 19 percent and Cupertino-based Apple received 673, a 7 percent increase.... [E]xperts say the data doesn't show how many additional H-1B contractors tech companies may get from staffing agencies or outsourcing companies. In response to this news organization's inquiries, Facebook said it does not publicly discuss its use of H-1B workers or contractors. Google, Apple and Intel did not respond to requests for information about their use of H-1B workers or contractors....
Amazon chalked up the largest increase in H-1B approvals, with 2,515 in 2017, a 78 percent leap. Microsoft received 1,479 approvals, an increase of 29 percent. Neither company responded to a request for comment.
A distinguished fellow at Carnegie Mellon's School of Engineering at Silicon Valley believes that the threat of a U.S. crackdown on H-1B visas may simply have prompted companies to secure as many visas as possible while they could.
By EditorDavid from Slashdot's cloaking-cleartext department
The systems and database administrator for a Fortune 500 company notes that while NFS is "decades old and predating Linux...the most obvious feature missing from NFSv4 is native, standalone encryption." emil (Slashdot reader #695) summarizes this article from Linux Journal:
NFS is the most popular remote file system in the Linux, UNIX, and greater POSIX community. The NFS protocol pushes file traffic over cleartext connections in the default configuration, which is poison to sensitive information.
TLS can wrap this traffic, finally bringing wire security to files vulnerable to compromise in transit. Before using a cloud provider's toolset, review NFS usage and encrypt where necessary.
The article's author complains that Google Cloud "makes no mention of data security in its documented procedures," though "the performance penalty for tunneling NFS over stunnel is surprisingly small...."
"While the crusade against telnet may have been largely won, Linux and the greater UNIX community still have areas of willful blindness. NFS should have been secured long ago, and it is objectionable that a workaround with stunnel is even necessary."
By BeauHD from Slashdot's and-so-it-begins department
Netflix has confirmed that it will start airing video ads for other Netflix series between episodes. These ads will reportedly only be for Netflix content, not outside products or content, and will, at least for now, only appear for a "segment" of Netflix's user base. Ars Technica reports: The news emerged via user reports, particularly on the primary Netflix Reddit community, in which users claimed that ads for entirely different series would play between episodes of a given show's binging. One initial claim said that "unskippable" ads for the AMC series Better Call Saul appeared between episodes of Rick & Morty, and that this ad appeared while using Netflix's smart TV app on an LG set in the UK. Replies to that thread included an allegation that a video ad for I Am A Killer (a Netflix-produced true-crime series) appeared between episodes of the animated comedy Bob's Burgers.
In a statement given to Ars Technica, Netflix described the change as follows: "We are testing whether surfacing recommendations between episodes helps members discover stories they will enjoy faster." The reasoning, Netflix's statement says, comes from its last controversial decision: to add auto-playing videos, complete with unmuteable audio, while browsing through Netflix content. Netflix offered one major rebuttal to at least one Reddit claim, pointing out that the ads for Netflix content are entirely skippable.
By BeauHD from Slashdot's everything-in-moderation department
An anonymous reader quotes a report from the BBC: In the study, published in The Lancet Public Health, 15,400 people from the U.S. filled out questionnaires on the food and drink they consumed, along with portion sizes. From this, scientists estimated the proportion of calories they got from carbohydrates, fats, and protein. After following the group for an average of 25 years, researchers found that those who got 50-55% of their energy from carbohydrates (the moderate carb group) had a slightly lower risk of death compared with the low and high-carb groups. Researchers estimated that, from the age of 50, people in the moderate carb group were on average expected to live for another 33 years. This was: four years more than people who got 30% or less of their energy from carbs (extra-low-carb group); 2.3 years more than the 30%-40% (low-carb) group; and 1.1 years more than the 65% or more (high-carb) group.
The scientists then compared low-carb diets rich in animal proteins and fats with those that contained lots of plant-based protein and fat. They found that eating more beef, lamb, pork, chicken and cheese in place of carbs was linked with a slightly increased risk of death. But replacing carbohydrates with more plant-based proteins and fats, such as legumes and nuts, was actually found to slightly reduce the risk of mortality.
By BeauHD from Slashdot's fashion-over-function department
It's a well-documented, often criticized phenomenon that women's pockets are too small to fit a smartphone, but "there's been very little data to back up a wealth of anecdotal evidence," writes Megan Farokhmanesh via The Verge. Now, The Pudding has used scientific findings to fill this absence. From the report: According to The Pudding's findings, pockets in women's jeans are, on average, 48 percent shorter and 6.5 percent narrower than those of men's. To put this into a perspective we all care about, the site says that only 40 percent of women's front pockets can completely fit an iPhone X. The number only goes down for the Samsung Galaxy or Google Pixel (20 percent and 5 percent, respectively, though the report doesn't specify which model of the flagships). As for men's pockets? The Pudding marks a 100 percent success rate for the iPhone X, 95 percent for the Samsung Galaxy, and 85 percent for the Google Pixel. "If you're thinking 'But men are bigger than women,' then sure, on average that's true," the site adds. "But here we measured 80 pairs of jeans that all boasted a 32 inch waistband, meaning that these jeans were all made to fit the same size person."
By BeauHD from Slashdot's numbers-don't-lie department
A new lawsuit claims that Facebook exaggerates how many people can see its ads, thereby defrauding advertisers. "In other words, it is alleged not quite as many eyeballs are seeing Facebook's ads as its salespeople charge for," writes Thomas Claburn via The Register. From the report: In a complaint filed on Wednesday in a US district court in Oakland, California, plaintiffs Danielle Singer and her company Project Therapy, LLC claim the Potential Reach and Estimated Daily Reach figures that Facebook provides to advertisers are wildly inflated. As an example, the complaint claims that Facebook's purported Potential Reach among 18-to-34-year-olds in each U.S. state is greater than the actual population of 18-to-34-year-olds in each of those states.
"Based on a combination of publicly available research and Plaintiffs' own analysis, among 18-34 years-olds in Chicago, for example, Facebook asserted its Potential Reach was approximately 4 times (400 per cent) higher than the number of real 18-34 year-olds with Facebook accounts in Chicago," the complaint states. And in Kansas City, the complaint asserts, the number provided by Facebook was 200 per cent higher than the actual number of 18-to-54-year-olds with Facebook accounts in the area. What's more, the court filing contends that former Facebook employees, described as confidential witnesses, have acknowledged that Facebook is fine with inflated numbers. The attorneys representing Singer and her biz, which supposedly spent over $14,000 on Facebook ads, are seeking class-action certification in order to represent other affected Facebook advertisers. According to the complaint, "a former Facebook employee who worked in the infrastructure/mapping team stated that those who were responsible for ensuring the accuracy of the Potential Reach at Facebook were indifferent to the actual numbers and in fact 'did not give a sh--.'" They also said the "Potential Reach" statistic is "like a made-up PR number."
By BeauHD from Slashdot's kill-joy department
Motherboard's Matthew Gault provides another possibility for how OpenAI's bots managed to beat professional human players in two consecutive games of Dota 2. Gault argues that "it was only possible thanks to significant guardrails and an inhuman advantage" -- not necessarily because the AI was more clever than the humans. From the report: The OpenAI Five bots consisted of algorithms known as neural networks, which loosely mimic the brain and "learn" to complete tasks after a process of training and feedback. The research company put its Dota 2-playing AI through 180 days' worth of virtual training to prepare it for the match, and it showed. However, the bots had to play within some highly specific limitations. Dota 2 is a complicated game with more than 100 heroes. Some of them use quirky and game-changing abilities. For this exhibition, the hero pool was limited to just 18. That's an incredible handicap because so much of Dota 2 involves a team picking the proper group composition and reacting to what its opponents pick. Reducing the number of champions from more than 100 to 18 made things much simpler for the AI.
The OpenAI Five bots also played Dota 2 by reading the game's information directly from its application programming interface (API), which allows other programs to easily interface with Dota 2. This gives the AI instant knowledge about the game, whereas human players have to visually interpret a screen. If a human was able to do this in a competitive match against other humans, we'd probably call it cheating. Even with this AI advantage, Walsh and his team beat the bots in the third game, when the match organizers turned hero selection over to the crowd, which gave the AI a weak hero composition. Walsh thinks he and his team could eventually beat the AI in a fair fight, even given the limited hero pool and other restrictions.
By BeauHD from Slashdot's price-corrections department
With the industry currently facing a very large surplus of NAND flash memory, analysts suggest we could see very significant price drops in SSD and even DRAM in 2019. They say to expect a price correction over the next several quarters. Techspot reports: Jim Handy, a market analyst with Objective Analysis, predicts that the flash memory industry is headed for a "downward pricing correction" in 2019, if not a full-on collapse. If prices crash, we could be looking at NAND prices as low as eight cents per gigabyte. At last week's Flash Memory Summit, Handy said that even without a full collapse, the downturn will be the biggest "price correction in the history of semiconductor products."
The Register reports that currently, NAND flash prices are hovering around $0.30/GB. A 66-percent dip would bring SSDs into a more competitive range with HDDs, causing cannibalization and leading to a downturn for some manufacturers like Seagate and Western Digital. Manufacturers could allocate more NAND to producing DRAM, but this, in turn, would result in an oversupply in that sector. If Handy's predictions pan out, the industry could be in for a 25-percent price reduction in NAND and a 75-percent drop for nearline/high-cap SSDs. This could result in significant stock valuation shifts for some manufacturers.
By msmash from Slashdot's tussle-continues department
Anonymous readers share a report: Sen. Bill Nelson, a Florida Democrat, has reaped the political whirlwind in the 10 days since he proclaimed that Russian hackers had "penetrated" some of his state's county voting systems. The governor of Florida, Rick Scott, a Republican who is running against Nelson for his U.S. Senate seat this fall, has blasted his claim as irresponsible. The top Florida elections official, also a Republican, said he had seen no indication it's true. And The Washington Post weighed in Friday with a 2,717-word fact check that all but accused Nelson -- without evidence -- of making it up. However, three people familiar with the intelligence tell NBC News that there is a classified basis for Nelson's assertion, which he made at a public event after being given information from the leaders of the Senate Intelligence Committee. The extent and seriousness of the threat remains unclear, shrouded for reasons of national security. [...] Through a spokesman, Nelson declined to comment. At an Aug. 7 campaign event in Florida's capital, Nelson said Intelligence Committee leaders asked that he "let supervisors of elections in Florida know that Russians are inside our records." He added that Russian hackers "have already penetrated certain counties in the state and they now have free rein to move about." "Either Bill Nelson knows of crucial information the federal government is withholding from Florida election officials, or he is simply making things up," said Scott, who is seeking to take Nelson's Senate seat, which the senator has held since 2001. But Scott, who as governor has a security clearance, has not actually disputed Nelson's assertion. His spokesman said the governor had not personally called anyone at the Department of Homeland Security to seek a classified briefing to get to the bottom of the matter.