By EditorDavid from Slashdot's threads-about-HyperThreading department
MojoKid writes: A new flaw has been discovered that impacts Intel 6th and 7th Generation Skylake and Kaby Lake-based processors that support HyperThreading. The issue affects all OS types and is detailed by Intel errata documentation and points out that under complex micro-architectural conditions, short loops of less than 64 instructions that use AH, BH, CH or DH registers, as well as their corresponding wider register (e.g. RAX, EAX or AX for AH), may cause unpredictable system behavior, including crashes and potential data loss. The OCaml toolchain community first began investigating processors with these malfunctions back in January and found reports stemming back to at least the first half of 2016. The OCaml team was able pinpoint the issue to Skylake's HyperThreading implementation and notified Intel. While Intel reportedly did not respond directly, it has issued some microcode fixes since then. That's not the end of the story, however, as the microcode fixes need to be implemented into BIOS/UEFI updates as well and it is not clear at this time if all major vendors have included these changes in their latest revisions.Read Replies (0)
By EditorDavid from Slashdot's seeing-you-in-court department
An anonymous reader quotes CNET:
Anthem, the largest health insurance company in the U.S., has agreed to settle a class action lawsuit over a 2015 data breach for a record $115 million, according to lawyers for the plaintiffs. The settlement still has to be approved by US District Court Judge Lucy Koh, who is scheduled to hear the case on August 17 in San Jose, California. And Anthem, which didn't immediately respond to a request for confirmation and comment, isn't admitting any admitting any wrongdoing, according to a statement it made to CyberScoop acknowledging the settlement.
But if approved, it would be the largest data breach settlement in history, according to the plaintiffs' lawyers, who announced the agreement Friday. The funds would be used to provide victims of the data breach at least two years of credit monitoring and to reimburse customers for breach-related expenses. The settlement would also guarantee a certain level of funding for "information security to implement or maintain numerous specific changes to its data security systems, including encryption of certain information and archiving sensitive data with strict access controls," the plaintiff attorneys said.
The breach compromised data for 80 million people, including their social security numbers, birthdays, street addresses (and email addresses) as well as income data. The $115 million settlement averages out to $1.43 for every person who was affected.Read Replies (0)
By EditorDavid from Slashdot's lost-and-fund department
An anonymous reader writes:
"The price of ethereum crashed as low as 10 cents from around $319 in about a second on the GDAX cryptocurrency exchange on Wednesday," reports CNBC, calling it "a move that is being blamed on a 'multimillion dollar market sell' order... As the price continued to fall, another 800 stop loss orders and margin funding liquidations caused ethereum to trade as low as 10 cents." An executive for the exchange said "Our matching engine operated as intended throughout this event and trading with advanced features like margin always carries inherent risk."
Though some users complained they lost money, the price rebounded to $325 -- and according to a report on one trading site, "one person had an order in for just over 3,800 ethereum if the price fell to 10 cents on the GDAX exchange," reports CNBC. "Theoretically this person would have spent $380 to buy these coins, and when the price shot up above $300 again, the trader would be sitting on over $1 million." Yet the currency exchange announced Friday that they're honoring everyone's gains, while also reimbursing customers who suffered losses. "We view this as an opportunity to demonstrate our long-term commitment to our customers and belief in the future of this industry."Read Replies (0)
By EditorDavid from Slashdot's big-bangs-theory department
An anonymous reader quotes Business Insider:
In more than 90 cities across the US, including New York, microphones placed strategically around high-crime areas pick up the sounds of gunfire and alert police to the shooting's location via dots on a city map... ShotSpotter also sends alerts to apps on cops' phones. "We've gone to the dot and found the casings 11 feet from where the dot was, according to the GPS coordinates," Capt. David Salazar of the Milwaukee Police Dept. told Business Insider. "So it's incredibly helpful. We've saved a lot of people's lives."
When three microphones pick up a gunshot, ShotSpotter figures out where the sound comes from. Human analysts in the Newark, California, headquarters confirm the noise came from a gun (not a firecracker or some other source). The police can then locate the gunshot on a map and investigate the scene. The whole process happens "much faster" than dialing 911, Salazar said, though he wouldn't disclose the exact time.
The company's CEO argues their technology deters crime by demonstrating to bad neighborhoods that police will respond quickly to gunshots. (Although last year Forbes discovered that in 30% to 70% of cases, "police found no evidence of a gunshot when they arrived.") And in a neighborhood where ShotSpotter is installed, one 60-year-old man is already complaining, "I don't like Big Brother being in all my business."Read Replies (0)
By EditorDavid from Slashdot's post-mortems department
troublemaker_23 quotes ITWire:
A developer who worked with the Ubuntu Phone project has outlined the reasons for its failure, painting a picture of confusion, poor communication and lack of technical and marketing foresight. Simon Raffeiner stopped working with the project in mid-2016, about 10 months before Canonical owner Mark Shuttleworth announced that development of the phone and the tablet were being stopped.
Raffeiner says, for example, that "despite so many bugs being present, developers were not concentrating on fixing them, but rather on adding support for more devices." But he says he doesn't regret the time he spent on the project -- though now he spends his free time "traveling the world, taking photographs and creating bad card games, bad comics and bad games."
"Please note that this post does not apply to the UBPorts project, which continues to work on the phone operating system, Unity 8 and other components."Read Replies (0)
By EditorDavid from Slashdot's thinking-globally department
Long-time Slashdot reader quotes Ars Technica:
The Justice Department on Friday petitioned the US Supreme Court to step into an international legal thicket, one that asks whether US search warrants extend to data stored on foreign servers. The US government says it has the legal right, with a valid court warrant, to reach into the world's servers with the assistance of the tech sector, no matter where the data is stored.
The request for Supreme Court intervention concerns a 4-year-old legal battle between Microsoft and the US government over data stored on Dublin, Ireland servers. The US government has a valid warrant for the e-mail as part of a drug investigation. Microsoft balked at the warrant, and convinced a federal appeals court that US law does not apply to foreign data.
According to the article, the U.S. government told the court that national security was at risk.Read Replies (0)
By EditorDavid from Slashdot's three-factor-authentication department
"Attackers that have set up a malicious site can use users' account registration process to successfully perform a password reset process on a number of popular websites and messaging mobile applications, researchers have demonstrated." Orome1 quotes Help Net Security:
The Password Reset Man in the Middle attack exploits the similarity of the registration and password reset processes. To launch such an attack, the attacker only needs to control a website. To entice victims to make an account on the malicious website, the attacker can offer free access to a wanted resource. Once the user initiates the account registration process by entering their email address, the attacker can use that information to initiate a password reset process on another website that uses that piece of information as the username (e.g. Google, YouTube, Amazon, Twitter, LinkedIn, PayPal, and so on). Every request for input from that site is forwarded to the potential victim, and then his or her answers forwarded back to that particular site.
Interestingly, it can also beat two-factor authentication -- since the targeted user will still input the phone code into the man-in-the-middle site.Read Replies (0)
By EditorDavid from Slashdot's Linus-on-Linux department
Linus Torvalds appeared in a new "fireside chat" with VMware Head of Open Source Dirk Hohndel. An anonymous reader writes:
Linus explained what still surprises him about Linux development. "Code that I thought was stable continually gets improved. There are things we haven't touched for many years, then someone comes along and improves them or makes bug reports in something I thought no one used. We have new hardware, new features that are developed, but after 25 years, we still have old, very basic things that people care about and still improve... Our processes have not only worked for 25 years, we still have a very strong maintainer group... And as these maintainers get older and fatter, we have new people coming in."
Linus also says he's surprised by the widespread popularity of Git. "I expected it to be limited mostly to the kernel -- as it's tailored to what we do... In certain circles, Git is more well known than Linux." And he also shares advice if you want to get started as an open source developer. "I'm not sure my example is the right thing for people to follow. There are a ton of open source projects and, if you are a beginning programmer, find something you're interested in that you can follow for more than just a few weeks... If you can be part of a community and set up patches, it's not just about the coding, but about the social aspect of open source. You make connections and improve yourself as a programmer."
Linus also says that "I really like what I'm doing. I like waking up and having a job that is technically interesting and challenging without being too stressful so I can do it for long stretches; something where I feel I am making a real difference and doing something meaningful not just for me."Read Replies (0)
By EditorDavid from Slashdot's life-of-Pi department
DeviceGuru writes: Results from LinuxGizmos.com's annual hacker-friendly single board computer survey are in, and not surprisingly, the Raspberry Pi 3 is the most desired maker SBC by a 4-to-1 margin. In other trends: x86 SBCs and Linux/Arduino hybrids have trended upwards. The site's popular hacker SBC survey polled 1,705 survey respondents and asked for their first, second, and third favorite SBCs from a curated list of 98 community oriented, Linux- and Android-capable boards. Spreadsheets comparing all 98 SBCs' specs and listing their survey vote tallies are available in freely downloadable Google Docs.
Other interesting findings:
"A Raspberry Pi SBC has won in all four of our annual surveys, but never by such a high margin."The second-highest ranked board -- behind the Raspberry Pi 3 -- was the Raspberry Pi Zero W."The Raspberry Pi's success came despite the fact that it offers some of the weakest open source hardware support in terms of open specifications. This, however, matches up with our survey responses about buying criteria, which ranks open source software support and community over open hardware support.""Despite the accelerating Raspberry Pi juggernaut, there's still plenty of experimentation going on with new board models, and to a lesser extent, new board projects."Read Replies (0)
By EditorDavid from Slashdot's process-of-processes department
Walmart Canada claims that it was microservices that allowed them to replace hardware with virtual servers, reducing costs by somewhere between 20 and 50 percent. Now Slashdot reader snydeq shares an article by a senior systems automation engineer arguing that a microservices approach "offers increased modularity, making applications easier to develop, test, deploy, and, more importantly, change and maintain."
The article touts things like cost savings and flexibility for multiple device types, suggesting microservices offer increased resilience and improved scalabiity (not to mention easier debugging and a faster time to market with an incremental development model). But it also warns that organizations need the resources to deploy the new microservices quicky (and the necessary server) -- along with the ability to test and monitor them for database errors, network latency, caching issues and ongoing availability. "You must embrace devops culture," argues the article, adding that "designing for failure is essential... In a traditional setting, developers are focused on features and functionalities, and the operations team is on the hook for production challenges. In devops, everyone is responsible for service provisioning -- and failure."
The original submission ends with a question for Slashdot reader. "What cautions do you have to offer for folks considering tapping microservices for their next application?"Read Replies (0)
By EditorDavid from Slashdot's bug-hunt department
"Guido Vranken recently published 4 security vulnerabilities in OpenVPN on his personal blog," writes long-time Slashdot reader randomErr -- one of which was a critical remote execution bug. Though patches have been now released, there's a lesson to be learned about the importance of fuzzing -- bug testing with large amounts of random data -- Guido Vranken writes:
Most of these issues were found through fuzzing. I hate admitting it, but...the arcane art of reviewing code manually, acquired through grueling practice, are dwarfed by the fuzzer in one fell swoop; the mortal's mind can only retain and comprehend so much information at a time, and for programs that perform long cycles of complex, deeply nested operations it is simply not feasible to expect a human to perform an encompassing and reliable verification.
ZDNet adds that "OpenVPN's audits, carried out over the past two years, missed these major flaws. While a handful of other bugs are found, perhaps OpenVPN should consider adding fuzzing to their internal security analysis in the future." Guido adds on his blog, "This was a labor of love. Nobody paid me to do this. If you appreciate this effort, please donate BTC..."Read Replies (0)
By EditorDavid from Slashdot's PWs-for-PMs department
An anonymous reader quotes the Guardian:
Parliament has been hit by a "sustained and determined" cyber-attack by hackers attempting to gain access to MPs' and their staffers' email accounts. Both houses of parliament were targeted on Friday in an attack that sought to gain access to accounts protected by weak passwords... The estate's digital services team said they had made changes to accounts to block out the hackers, and that the changes could mean staff were unable to access their emails...
The international trade secretary, Liam Fox, told ITV News the attack was a "warning to everyone we need more security and better passwords. You wouldn't leave your door open at night." In an interview with the BBC, he added: "We know that there are regular attacks by hackers attempting to get passwords. We have seen reports in the last few days of even Cabinet ministers' passwords being for sale online. We know that our public services are attacked, so it is not at all surprising that there should be an attempt to hack into parliamentary emails."
One member of Parliament posted on Twitter "Sorry, no parliamentary email access today â" we're under cyber-attack from Kim Jong-un, Putin or a kid in his mom's basement or something." He added later, "I'm off to the pub."Read Replies (0)
By EditorDavid from Slashdot's escalating-privileges department
msm1267 writes: Linux, BSD, Solaris and other open source systems are vulnerable to a local privilege escalation vulnerability known as Stack Clash that allows an attacker to execute code at root. Major Linux and open source distributors made patches available Monday, and systems running Linux, OpenBSD, NetBSD, FreeBSD or Solaris on i386 or amd64 hardware should be updated soon. The risk presented by this flaw, CVE-2017-1000364, becomes elevated especially if attackers are already present on a vulnerable system. They would now be able to chain this vulnerability with other critical issues, including the recently addressed Sudo vulnerability, and then run arbitrary code with the highest privileges, said researchers at Qualys who discovered the vulnerability.Read Replies (0)