By msmash from Slashdot's security-woes department
Synthetic events remain a big security hole for macOS in spite of Apple's recent efforts to prevent malicious applications from abusing this feature. From a report: Speaking at the second edition of the Objective by the Sea security conference that was held in Monaco over the weekend, Patrick Wardle, a well-known Apple security expert, has revealed a zero-day impacting Apple's macOS operating system, including the new version launched today. The zero-day is a bypass of the security protections that Apple has put in place to prevent unauthorized access to synthetic events. Synthetic events are a macOS mechanism that allows applications to automate mouse clicks and keyboard input. It was created for the sake of automation and can be used via either the Core Graphics framework or the AppleScript scripting language. [...]
For almost two years now, Wardle has been looking at Apple's countermeasures aimed to prevent the abuse of synthetic events. He previously showed two methods [1, 2] of bypassing Apple's synthetic events protections, so much so that Apple decided last year to block access to synthetic events by default. But over the weekend, Wardle disclosed a new way of bypassing these latest protections, once again. "It's the gift that keeps giving," Wardle told ZDNet via email. "And actually gets more and more valuable as Apple adds more protections (privacy and security mechanisms) that can be 'allowed' by a single synthetic click." The new technique is possible because of the Transparency Consent and Control (TCC) system. Wardle says the TCC contains a compatibility database in the form of a file named AllowApplications.plist. This file lists apps and app versions that are allowed to access various privacy and security features, including synthetic events.
By EditorDavid from Slashdot's no-more-secrets department
"What would happen, or what should happen, if tomorrow a trivial method was discovered for Prime Factorization?" asks Slashdot reader medv4380:
By trivial I mean an algorithm that runs in relatively constant time that could factor a number like 2737631357921793461914298938174501291 relatively instantly on most modern hardware today. And that even increasing the bit length wouldn't slow it down much. How much chaos would result if such a method were revealed tomorrow with little warning?
Keeping it a secret only means that others may have long ago exploited the method at the expense of others. Should proof be presented without revealing the method, to reduce the impact, and who should be told first if at all?
Slashdot reader Shikaku sees a real possibility of this actually happening when quantum computers are developed, adding that quantum-resistant encryption "is an ongoing experiment."
But if development lags -- what would happen if all encryption could be broken?
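The question above treats factoring and breaking RSA as the same thing, and for RSA they are: the public modulus n is the product of two secret primes, and whoever has those primes can compute the private exponent exactly as the key's owner did. The following is an added example, not part of the reader's submission or of any source the story cites. It uses a constructed toy modulus (two 20-bit primes, far below real key sizes) and Pollard's rho, a classical factoring algorithm that is only fast for small numbers, as a stand-in for the hypothetical instant method, to show that recovering the factors is the entire attack.

```python
"""Added example: why a factoring oracle breaks RSA.

Given only the public key (n, e), recovering the two primes p and q lets an
attacker compute the private exponent d and decrypt anything encrypted to n.
Pollard's rho below is a classical algorithm that is fast only for toy moduli;
it stands in for the hypothetical 'trivial' method in the question.
"""
from math import gcd

# Constructed toy primes (about 20 bits each). Real RSA uses 1024-bit primes or larger.
P = 1000003
Q = 999983
E = 65537  # the customary public exponent


def rsa_keypair(p, q, e=E):
    """Return ((n, e), d) for primes p and q, as the legitimate key owner computes it."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse; requires Python 3.8+
    return (n, e), d


def pollard_rho(n):
    """Return a non-trivial factor of composite n (Floyd cycle detection)."""
    if n % 2 == 0:
        return 2
    c = 1
    while True:
        x = y = 2
        d = 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = gcd(abs(x - y), n)
        if d != n:  # d == n means the walk cycled without splitting n; retry with a new c
            return d
        c += 1


def factor(n):
    """Split n = p * q into its two prime factors, smaller first."""
    p = pollard_rho(n)
    q = n // p
    return tuple(sorted((p, q)))


def recover_private_key(n, e):
    """The attack: factor the public modulus, then derive d just as the owner did."""
    p, q = factor(n)
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)


def encrypt(m, pub):
    n, e = pub
    return pow(m, e, n)


def decrypt(c, n, d):
    return pow(c, d, n)


def demo():
    """Encrypt with the public key, then decrypt with a key recovered from factoring alone."""
    pub, d_owner = rsa_keypair(P, Q)
    n, e = pub
    m = 123456789  # constructed plaintext; must be smaller than n
    c = encrypt(m, pub)
    d_attacker = recover_private_key(n, e)
    return d_attacker == d_owner and decrypt(c, n, d_attacker) == m


if __name__ == "__main__":
    print("private key recovered from factors:", demo())
```

Nothing in `recover_private_key` uses any secret: it needs only the public (n, e) and a factoring routine. Swapping the toy primes for real 1024-bit ones changes nothing about the code, only about how long `factor` takes, which is exactly the gap the question asks about.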
By EditorDavid from Slashdot's unstigmatized-flying-objects department
dryriver writes: Vice/Motherboard writes that since the U.S. Navy admitted that its pilots encounter unidentified flying objects all the time, and mainstream news outlets like the New York Times have devoted coverage to Navy Pilots' UFO encounter stories, old UFO hunters around the world feel vindicated, and many new younger people are taking an interest in the phenomenon.
For decades people who believe in UFOs, UFO lore and take UFO sightings and UFO encounters seriously have been widely ridiculed as stupid, uneducated, gullible, deluded or crazy. Now that highly trained military pilots are talking about encountering UFOs all the time and mainstream media doesn't ridicule UFO sightings anymore — this only took a few decades — a fundamental taboo appears to have been broken. UFO sightings are suddenly real, not a product of overactive imaginations, people mistaking clouds for aliens or people spreading fake news to sell books, seminars and videos.
The question is, why, for so long, did mainstream media systematically ignore and ridicule a phenomenon just about everybody around the world has some knowledge of and had some exposure to? And if UFOs are "officially not crazy" now, what else that still is ridiculed by the MSM may also turn out to be "officially not crazy" in the future?
As a counterpoint, long-time Slashdot reader Martin S. argues that "UFOs are real, they are unidentified flying objects. There is absolutely no evidence that they are Aliens.
"If people continue to equate them with little green men then they can still expect to be ridiculed."
By EditorDavid from Slashdot's who's-laughing-now department
CNET reports on the prison sentence given to "the YouTuber who reportedly filmed himself tricking a homeless man into eating Oreos filled with toothpaste."
Barcelona prankster Kanghua Ren, 21, known to his followers as ReSet, was sentenced on Friday to 15 months in prison for his crime against the "moral integrity" of the homeless man, according to El Pais newspaper. The court also reportedly ordered Ren's YouTube and other social media channels to be shut down for five years and said he must give the victim 20,000 euros ($22,305) in compensation....
Ren was 19 when he filmed the prank in early 2017 after being challenged by one of his 1.2 million followers, according to the Times. He also gave the homeless man a 20 euro bill. Ren called the video just a bad joke, but the judge noted that he earned more than 2,000 euros in ad revenue generated from the video, the Times said.
It's unlikely Ren will actually serve time behind bars, The New York Times reports, because Spanish law usually suspends sentences under two years for first-time offenders.
By EditorDavid from Slashdot's updates-for-aircraft department
"Boeing on Sunday said some of its 737 planes, including many 737 Max aircraft, may have faulty parts on their wings," reports CNN.
Working with the Federal Aviation Administration, Boeing said it has reached out to airlines that fly 737 planes, advising them to inspect their slat track assemblies on Max and NG aircraft. The 737 NG series includes the 737-600, -700, -800 and -900 planes. Leading edge slats are an aerodynamic control surface that extend from the front of the wing. Some of the tracks may not meet manufacturing standards and may need to be replaced, Boeing and the FAA said. They said if the parts are found to be defective, airlines should replace them before returning the planes to service.
The faulty parts could fail prematurely or crack. The FAA said a part failure would not bring down a plane, but it could damage an aircraft while in flight. Boeing has sent out a service bulletin and the FAA will issue an airworthiness directive requiring airlines to inspect and repair its slat track assemblies within 10 days.
The company discovered the problem Friday, when Boeing was meeting with the parts supplier. Boeing employees noticed some of the parts were not heat treated, which led them to believe there might be a safety issue.
CNBC reminds readers that the Boeing 737 Max has already been grounded worldwide after two fatal crashes, with airlines cancelling thousands of flights through August.
"Boeing's CEO, Dennis Muilenburg, last week said the company had to regain the public's trust...."
By EditorDavid from Slashdot's containing-your-excitement department
Long-time Slashdot reader Qbertino is your typical Linux/Apache/MySQL/PHP (LAMP) developer, and writes that "in recent years Docker has been the hottest thing since sliced bread."
You are expected to "dockerize" your setups and be able to launch a whole string of processes to boot up various containers with databases and your primary PHP monolith with the launch of a single script. All fine and dandy this far.
However, I can't shake the notion that much of this -- especially in the context of LAMP -- seems overkill. If Apache, MariaDB/MySQL and PHP are running, getting your project or multiple projects to run is trivial. The benefits of having Docker seem negligible, especially having each project lug its own setup along. Yes, you can have your entire compiler and Continuous Integration stack with SASS, Gulp, Babel, Webpack and whatnot in one neat bundle, but that doesn't seem to diminish the usual problems with the recent bloat in frontend tooling, to the contrary....
But shouldn't tooling be standardised anyway? And shouldn't Docker then just be an option for those who couldn't be bothered to have (L)AMP on their bare metal? I'm still skeptical of this Dockerization fad. I get it makes sense if you need to scale microservices easy and fast in production, but for 'traditional' development and traditional setups, it just doesn't seem to fit all that well.
What are your experiences with using Docker in a development environment? Is Dockerization a fad or something really useful? And should I put up with the effort to make Docker a standard for my development and deployment setups?
The original submission ends with "Educated Slashdot opinions requested." So leave your best answers in the comments.
Is Dockerization a fad?
By EditorDavid from Slashdot's direct-withdrawals department
Ars Technica documents "a new breed of digital fraudsters" using a complicated scam to prey on white-collar job-seekers.
It involves setting up a fake job interview process and the promises of high-paying work:
Like most successful cons, this one involved gaining the willing consent of its victim through some combination of greed, fear, or desperation... The recruiter was responding to the application I had submitted a day earlier for a remote-work tech writer position at a biotech firm... The following day, I logged onto Google Hangouts, properly dressed and groomed for the video chat I'd been preparing for. To my surprise, I learned that the interview would be conducted using Hangouts' text messaging service... After a long briefing about the company, its research, and the oncology treatments it was developing, Mark began the formal part of the interview by introducing himself as the assistant chief human resources officer of the company and describing the duties I'd be expected to fulfill...
But there were two questions that seemed out of place. They wanted to know which bank I used and whether it supported electronic deposits, a process in which you deposit checks by taking pictures of them with your smartphone. It seemed like an odd thing to ask, but I told them that my bank did accept electronic deposits and moved on to the next question... Within a few minutes of submitting my answers, Mark informed me that I'd passed the interview and would receive a formal offer to work from my home as a copywriter/proofreader. My pay would be $45/hour during my one-week training and evaluation period, stepping up to $50/hour when I became an employee.
By EditorDavid from Slashdot's time's-up department
In his TechCrunch column, software engineer/journalist Jon Evans writes that last month "marked a victory for sanity and pragmatism over irrational paranoia."
I'm talking about Microsoft finally -- finally! but credit to them for doing this nonetheless! -- removing the password expiration policies from their Windows 10 security baseline... Many enterprise-scale organizations (including TechCrunch's owner Verizon) require their users to change their passwords regularly. This is a spectacularly counterproductive policy.
To quote Microsoft: "Recent scientific research calls into question the value of many long-standing password-security practices such as password expiration policies, and points instead to better alternatives... If a password is never stolen, there's no need to expire it. And if you have evidence that a password has been stolen, you would presumably act immediately rather than wait for expiration to fix the problem... If an organization has successfully implemented banned-password lists, multi-factor authentication, detection of password-guessing attacks, and detection of anomalous logon attempts, do they need any periodic password expiration? And if they haven't implemented modern mitigations, how much protection will they really gain from password expiration...?"
Perfect security doesn't exist. World-class security is hard. But decent security is generally quite accessible, if you faithfully follow some basic rules. In order to do so, it's best to keep those rules to a minimum, and get rid of the ones that don't make sense. Password expiration is one of those. Goodbye to it, and good riddance.
Instead the column recommends password managing software to avoid password re-use across sites, as well as two-factor authentication. "And please, if you work with code or data repositories, stop checking your passwords and API keys into your repos."
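The Microsoft guidance quoted above replaces expiry with controls such as a banned-password list. The following is an added example (not Microsoft's implementation and not code from the column) of how such a list is normally applied: a candidate password is normalized before matching, so that "P@ssw0rd2019!" is caught as "password" instead of slipping past an exact-match list, and terms tied to the account (a username, a company name) can be folded in. The banned terms, the substitution table and the minimum length are constructed assumptions for illustration; a production list is drawn from breach corpora and is far longer.

```python
"""Added example: a normalized banned-password check.

Expiry tries to limit the lifetime of a weak or leaked password; a banned list
refuses the weak ones up front. Attackers' wordlists already include the
obvious variants ("Summer2019", "P@ssw0rd!"), so the check must normalize
before comparing rather than match the banned string literally.
"""
import re

# Constructed sample list. Real deployments use thousands of entries from breach data.
BANNED_BASES = {"password", "welcome", "summer", "contoso", "qwerty", "letmein"}

# Undo the common symbol-for-letter substitutions (assumed table, not a vendor's).
LEET = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})

MIN_LENGTH = 12  # assumed policy value


def normalize(password):
    """Lower-case, drop leading/trailing digits and punctuation, undo leet substitutions.

    Trailing runs like "2019!" are removed before translation so that a year
    suffix is not mistaken for substituted letters.
    """
    s = password.lower()
    s = re.sub(r"[^a-z]+$", "", s)
    s = re.sub(r"^[^a-z]+", "", s)
    return s.translate(LEET)


def is_banned(password, banned=BANNED_BASES, extra_terms=()):
    """True if any banned base word (or account-specific term) appears in the normalized form."""
    core = normalize(password)
    terms = set(banned) | {normalize(t) for t in extra_terms if normalize(t)}
    return any(term and term in core for term in terms)


def check_password(password, banned=BANNED_BASES, extra_terms=(), min_length=MIN_LENGTH):
    """Return the list of rejection reasons; an empty list means the password is accepted."""
    reasons = []
    if len(password) < min_length:
        reasons.append("too short")
    if is_banned(password, banned, extra_terms):
        reasons.append("contains banned term")
    return reasons


if __name__ == "__main__":
    # Constructed candidates; the last one is rejected only because of the account name.
    for candidate, extra in [
        ("P@ssw0rd2019!", ()),
        ("W3lc0me!!", ()),
        ("correct horse battery staple", ()),
        ("jsmith_Secure99", ("jsmith",)),
    ]:
        print(f"{candidate!r}: {check_password(candidate, extra_terms=extra) or 'accepted'}")
```

Substring matching on the normalized form is deliberately aggressive: it rejects "MyPassword!" as readily as "password", which is the intended trade-off, since anything a user builds around a banned base is in the same attacker wordlists.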
By EditorDavid from Slashdot's achievement-unlocked department
John Romero has finally released Sigil, his unofficial fifth episode of Doom with nine new single-player levels and nine deathmatch levels. It's available for free on Romero's web site (though you'll also need the original Doom to play it). Hot Hardware reports:
If you want to know what Sigil is about, Romero explains it best. He wrote, "After killing the Spiderdemon at the end of E4M8 (Unto the Cruel), your next stop is Earth -- you must save it from hellspawn that is causing unimaginable carnage. But Baphomet glitched the final teleporter with his hidden Sigil whose eldritch power brings you to even darker shores of Hell. You fight through this stygian pocket of evil to confront the ultimate harbingers of Satan, then finally return to become Earth's savior. In summary, rip and tear!"
Kotaku calls it "some of the most punishing and devious Doom I've ever played... I've been playing it all day, and it owns..."
What makes Romero's designs work so well is how unabashedly excited he seems to be about them. Levels are teeming with enemies, including many tougher ones such as the beefy, energy hurling Barons of Hell. Each new maze is punctuated with fights that mix and match Doom's precisely-designed enemies... There's a real giddiness here, a sense that a master is excitedly returning to his favourite tools... The default difficulty is tricky; higher levels feel like borderline trolling. Screw it, let's just toss a few cyberdemons at the start of this level. You know how to dodge, right?
In the old days, we used to call all first-person shooters "Doom clones". But there's nothing else like Doom. There's a particular, nearly impossible to describe playfulness that even the 2016 reboot sometimes misses. A single run through Romero's new levels feels positively joyous, a chance to see fantastic level design in action and observe a master at play.
By EditorDavid from Slashdot's taking-a-RISC department
The NLNet Foundation is a non-profit supporting privacy, security, and the "open internet". Now the group has approved funding for the hybrid Libre RISC-V CPU/VPU/GPU, which will "pay for full-time engineering work to be carried out over the next year, and to pay for bounty-style tasks."
Long-time Slashdot reader lkcl explains why that's significant:
High security software is irrelevant if the hardware is fundamentally compromised, for example with the Intel spying backdoor co-processor known as the Management Engine. The Libre RISCV SoC was begun as a way for users to regain trust and ownership of the hardware that they legitimately purchase.
This processor will be the first of its kind, as the first commercial SoC designed to give users the hardware and software source code of the 3D GPU, Video Decoder, main processor, boot process and the OS.
Shockingly, in the year 2019, whilst there are dozens of SoCs with full source code that are missing either a VPU or a GPU (such as the TI OMAP Series and Xilinx ZYNQ7000s), there does not exist a single commercial embedded SoC which has full source code for the bootloader, CPU, VPU and GPU. The iMX6 for example has etnaviv support for its GPU however the VPU is proprietary, and all of Rockchip and Allwinner's offerings use either MALI or PowerVR yet their VPUs have full source (reverse engineered in the case of Allwinner).
This processor, which will be quad core dual issue 800MHz RV64GC and capable of running full GNU/Linux SMP OSes, with 720p video playback and embedded level 25fps 3D performance in around 2.5 watts at 28nm, is designed to address that imbalance. Links and details on the Libre RISC-V SoC wiki.
The real question is: why is this project the only one of its kind, and why has no well funded existing Fabless Semiconductor Company tried something like this before? The benefits to businesses of having full source code are already well-known.
By EditorDavid from Slashdot's one-plug-to-rule-them-all department
harrymcc shares a Fast Company article about "the generally gnarly process once required to hook up peripherals" in the late 1990s -- and one Intel engineer who saw the need for "one plug to rule them all."
In the olden days, plugging something into your computer -- a mouse, a printer, a hard drive -- required a zoo of cables. Maybe you needed a PS/2 connector or a serial port, the Apple Desktop Bus, or a DIN connector; maybe a parallel port or SCSI or Firewire cable. If you've never heard of those things, and if you have, thank USB.
When it was first released in 1996, the idea was right there in the first phrase: Universal Serial Bus. And to be universal, it had to just work. "The technology that we were replacing, like serial ports, parallel ports, the mouse and keyboard ports, they all required a fair amount of software support, and any time you installed a device, it required multiple reboots and sometimes even opening the box," says Ajay Bhatt, who retired from Intel in 2016. "Our goal was that when you get a device, you plug it in, and it works."
It was at Intel in Oregon where engineers made it work, at Intel where they drummed up the support of an industry that was eager to make PCs easier to use and ship more of them. But it was an initial skeptic that first popularized the standard: in a shock to many geeks in 1998, the Steve Jobs-led Apple released the groundbreaking first iMac as a USB-only machine. The faster speeds of USB 2.0 gave way to new easy-to-use peripherals too, like the flash drive, which helped kill the floppy disk and the Zip drive and CD-Rs. What followed was a parade of stuff you could plug in: disco balls, head massagers, security keys, an infinity of mobile phone chargers. There are now by one count six billion USB devices in the world.
By EditorDavid from Slashdot's shape-of-things-to-come department
Slashdot reader Lasrick tipped us off to the first installment in a new series at the New York Times called "Op-Eds From the Future."
Science fiction authors, futurists, philosophers and scientists write op-eds that they imagine we might read 10, 20 or even 100 years in the future. The challenges they predict are imaginary -- for now -- but their arguments illuminate the urgent questions of today.
The first one is by science fiction writer Ted Chiang (best known for the short story which became the Hugo-winning movie Arrival). Apparently riffing on the college admissions scandal, Chiang writes that "It's 2059, and the Rich Kids Are Still Winning. DNA tweaks won't fix our problems..." His op-ed complains that a "philanthropic effort to bring genetic cognitive enhancements to low-income communities" has failed to get most of them into elite colleges or into jobs with good salaries and prospects for advancement.
"With the results in hand, it is time for us to re-examine the efficacy and desirability of genetic engineering...."
By EditorDavid from Slashdot's besides-his-arrest department
Slashdot reader Nicola Hahn argues that at first, Edward Snowden's revelations six years ago "put mass surveillance and state sponsored hacking center stage," leading to other revelations like the ANT Catalogue, the Equation Group tools, and the Vault 7 leaks:
In the wake of these developments a number of high-ranking officials scrambled to justify clandestine programs. Executives likewise recalibrated their stance toward the government and lawmakers worked to defend our civil liberties. Yet despite the tumult of the post-Snowden era and the debates that ensued, has it actually changed anything? Or did society merely offer a collective shrug to the looming threat of pervasive monitoring, surrendering to the convenience of mobile devices?
One observer who has warily followed the aftermath of the Snowden affair believes that most people followed the latter path and that it does not bode well for civilization.
That observer is Bill Blunden, who asks this question in an essay at Counterpunch.
"After all the breathless headlines, Hollywood movies, book deals, Pulitzer prizes, and glossy primetime biopics. What, pray tell, has come of it?"
By EditorDavid from Slashdot's internet-for-dummies department
Researchers at the Catholic University of the Sacred Heart in Milan have discovered that Twitter-based classes actually hurt academic performance, according to the Washington Post:
The finding by a team of Italian researchers is not necessarily that the crush of hashtags, likes and retweets destroys brain cells; that's a question for neuroscientists, they said. Rather, Twitter not only fails to enhance intellectual attainment but substantially undermines it, the economists said in a working paper published this month by the economics and finance department at the Catholic University of the Sacred Heart in Milan...
The investigation drew on a sample of roughly 1,500 students attending 70 Italian high schools during the 2016-17 academic year. Half of the students used Twitter to analyse The Late Mattia Pascal, the 1904 novel by Italian Nobel laureate Luigi Pirandello, which satirises issues of self-knowledge and self-destruction. They posted quotes and their own reflections, commenting on tweets written by their classmates. Teachers weighed in to stimulate the online discussion. The other half relied on traditional classroom teaching methods. Performance was assessed based on a test measuring understanding, comprehension and memorisation of the book. Using Twitter reduced performance on the test by about 25 to 40 per cent of a standard deviation from the average result, as the paper explains. Jeff Hancock, the founding director of the Stanford Social Media Lab, described these as "pretty big effects".
By EditorDavid from Slashdot's status-updates department
Horst Seehofer, Germany's federal interior minister, wants to require encryption companies to provide the government with plain text transcripts. One security expert says Facebook is already working on a way to make it happen.
An anonymous reader quotes his remarks in Forbes:
The reality is that at its annual conference earlier this month, Facebook previewed all of the necessary infrastructure to make Germany's vision a reality and even alluded to the very issue of how Facebook's own business needs present it with the need to be able to covertly access content directly from users' devices that have been protected through end-to-end encryption...
While it was little noticed at the time, Facebook's presentation on its work towards moving AI-powered content moderation from its data centers directly onto users' phones presents a perfect blueprint for Seehofer's vision. Touting the importance of edge content moderation, Facebook specifically cited the need to be able to scan the unencrypted contents of users' messages in an end-to-end encrypted environment to prevent them from being able to share content that deviated from Facebook's acceptable speech guidelines. This would actually allow a government like Germany to proactively prevent unauthorized speech before it is ever uttered, by using court orders to force Facebook to expand its censorship list for German users of its platform.
By EditorDavid from Slashdot's fugitive-for-43-years department
"You gotta be kidding me," said a Wisconsin man, when police arrested his 82-year-old next-door neighbor "old Ray" -- the guy who would occasionally come over to fix his lawnmower.
An anonymous reader quotes the Associated Press:
Ray Vannieuwenhoven was his next-door neighbor -- a helpful, 82-year-old handyman with a gravelly voice and a loud, distinctive laugh, the kind of guy who always waved from his car. The widower and father of five grown children had lived quietly for two decades among the 800 residents of Lakewood, a northern Wisconsin town surrounded by forests and small lakes. Now authorities were saying this man was a cold-blooded killer. They had used genetic genealogy to crack a cold case that stretched back well into the 20th century -- a double murder 25 miles southwest of Lakewood. For nearly 43 years, Vannieuwenhoven had lived in plain sight, yet outside detectives' radar....
DNA profiling in the '90s brought new hope, but detectives got no matches... Last year, detectives contacted Virginia-based Parabon NanoLabs, a DNA technology company whose work with genetic genealogy analysis has helped police identify 55 suspects in cold cases nationwide since May 2018, according to the company. Parabon uploads DNA from crime scenes to GEDmatch, a free, public genealogy database with about 1.2 million profiles, all voluntarily submitted by people who've used consumer genealogy sites like Ancestry.com and 23andMe. California law enforcement used GEDmatch to capture the Golden State Killer last year by finding distant relatives and reverse-engineering his family tree.
By EditorDavid from Slashdot's one-factor-authentication department
Long-time Slashdot reader rastos1 works for a mid-size software company that for many decades has been developing CAD-CAM software for the textile industry. But last weekend their code-signing certificate was revoked -- and they're looking for advice.
On Monday morning we woke up to phones ringing from confused customers unable to launch our software. This has hit mostly Java applications launched from a web page because JRE checks the signature by default using OCSP. But traditional executables and shared libraries also would report invalid signature upon checking.
We reached out, but for half a day we could not get any feedback. Later we got information that some malware was signed with our certificate. Two days and many e-mails and phone calls later, we understand that this is what happened: someone submitted one of our executables to virustotal.com -- a site that runs ~70 antivirus programs on submitted files and reports back whether they flag the uploaded file. Five of their antivirus packages flagged our executable. We tracked down the version and we positively know it was a false positive.
There is a random guy that wrote a tool that creates a monthly report of files flagged at Virustotal. Sectigo found the report, and, according to their statement, revoked all certificates used to sign executables -- causing major disruption to us and downtime for our customers... There was no attempt to contact us and clarify the situation.
How do you prepare and deal with such a scenario? Did you know how little it takes to get your certificate revoked?
They'd bought their certs from the same seller for more than a decade -- and their story has already drawn some interesting comments from long-time Slashdot readers. "False positives are way too common in the anti-virus world today..." argues Z00L00K, adding "you have to cut down all unnecessary players in the chain to a minimum, so the dependency on an external CA is worth reconsidering."