By EditorDavid from Slashdot's secret-ballot-machines department
An anonymous reader quotes The Hill:
Hackers at a competition in Las Vegas were able to successfully breach the software of U.S. voting machines in just 90 minutes on Friday, illuminating glaring security deficiencies in America's election infrastructure. Tech minds at the annual "DEF CON" in Las Vegas were given physical voting machines and remote access, with the instructions of gaining access to the software. According to a Register report, within minutes, hackers exposed glaring physical and software vulnerabilities across multiple U.S. voting machine companies' products. Some devices were found to have physical ports that could be used to attach devices containing malicious software. Others had insecure Wi-Fi connections, or were running outdated software with security vulnerabilities, like Windows XP.
Though some of the machines were out of date, they were all from "major U.S. voting machine companies" like Diebold Nixdorf, Sequoia Voting Systems, and WinVote -- and were purchased on eBay or at government auctions. One of the machines apparently still had voter registration data stored in plain text in an SQLite database from a 2008 election, according to the event's official Twitter feed.
By Saturday night they were tweeting video of a WinVote machine playing Rick Astley's "Never Gonna Give You Up."
By EditorDavid from Slashdot's mass-producing-with-metal department
Big Hairy Ian shares an article from New Atlas: Desktop Metal -- remember the name. This Massachusetts company is preparing to turn manufacturing on its head, with a 3D metal printing system that's so much faster, safer and cheaper than existing systems that it's going to compete with traditional mass manufacturing processes... Plenty of design studios and even home users run desktop printers, but the only affordable printing materials are cheap ABS plastics. And at the other end of the market, while organizations like NASA and Boeing are getting valuable use out of laser-melted metal printing, it's a very slow and expensive process that doesn't seem to scale well.
But a very exciting company out of Massachusetts, headed by some of the guys who came up with the idea of additive manufacture in the first place, believes it's got the technology and the machinery to boost 3D printing into the big time, for real. Desktop Metal is an engineering-driven startup whose founders include several MIT professors, and Emanuel Sachs, who has patents in 3D printing dating back to the dawn of the field in 1989. The company has raised a ton of money in the last few months, including some US$115 million in a recent Series D round that brings total equity investments up over US$210 million. That money has come from big players, too, including Google Ventures... And if Desktop Metal delivers on its promises -- that it can make reliable metal printing up to 100 times faster, with 10 times cheaper initial costs and 20 times cheaper materials costs than existing laser technologies, using a much wider range of alloys -- these machines might be the tipping point for large scale 3D manufacturing.
By EditorDavid from Slashdot's don't-be-an-evil-app department
An anonymous reader quotes Ars Technica:
Google has expelled 20 Android apps from its Play marketplace after finding they contained code for monitoring and extracting users' e-mail, text messages, locations, voice calls, and other sensitive data. The apps, which made their way onto about 100 phones, exploited known vulnerabilities to root devices running older versions of Android.... As a result, the apps were capable of surreptitiously accessing sensitive data stored, sent, or received by at least a dozen other apps, including Gmail, Hangouts, LinkedIn, and Messenger. The now-ejected apps also collected messages sent and received by Whatsapp, Telegram, and Viber, which all encrypt data in an attempt to make it harder for attackers to intercept messages while in transit... To conceal their surveillance capabilities, the apps posed as utilities for cleaning unwanted files or backing up data.
Google reports that the malicious apps also had these functions:
Call recording
VOIP recording
Recording from the device microphone
Location monitoring
Taking screenshots
Taking photos with the device camera(s)
Fetching device information and files
Fetching user information (contacts, call logs, SMS, application-specific data)
12 hours later an antivirus provider reported two more Google Play apps could surreptitiously steal text messages by downloading a malicious plugin -- and that the apps had already been downloaded at least 100,000 times.
By EditorDavid from Slashdot's have-you-now-or-have-you-ever-used department
An anonymous reader quotes Reuters:
A U.S. congressional panel this week asked 22 government agencies to share documents on Moscow-based cyber firm Kaspersky Lab, saying its products could be used to carry out "nefarious activities against the United States," according to letters seen by Reuters. The requests made on Thursday by the U.S. House of Representatives Committee on Science, Space and Technology are the latest blow to the antivirus company, which has been countering accusations by U.S. officials that it may be vulnerable to Russian government influence... The committee "is concerned that Kaspersky Lab is susceptible to manipulation by the Russian government, and that its products could be used as a tool for espionage, sabotage, or other nefarious activities against the United States," wrote the panel's Republican chairman, Lamar Smith, in the letters... A committee aide told Reuters the survey was a "first step" designed to canvas the U.S. government and that more action may follow depending on the results.
Agencies contacted include both the Department of Homeland Security and NASA. The committee wants to see internal risk assessments, plus a list of all systems using Kaspersky products and the names of government contractors using the software.
By EditorDavid from Slashdot's init-to-win-it department
Long-time Slashdot reader darkpixel2k shares a highlight from the Black Hat USA security conference. The Register reports:
The annual Pwnie Awards for serious security screw-ups saw hardly anyone collecting their prize at this year's ceremony in Las Vegas... The gongs are divided into categories, and nominations in each section are voted on by the hacker community... The award for best server-side bug went to the NSA's Equation Group, whose Windows SMB exploits were stolen and leaked online this year by the Shadow Brokers...
And finally, the lamest vendor response award went to Systemd supremo Lennart Poettering for his controversial, and perhaps questionable, handling of the following bugs in everyone's favorite init replacement: 5998, 6225, 6214, 5144, and 6237... "Where you are dereferencing null pointers, or writing out of bounds, or not supporting fully qualified domain names, or giving root privileges to any user whose name begins with a number, there's no chance that the CVE number will be referenced in either the change log or the commit message," reads the Pwnie nomination for Systemd, referring to the open-source project's allergy to assigning CVE numbers. "But CVEs aren't really our currency any more, and only the lamest of vendors gets a Pwnie!"
CSO has more coverage -- and presumably there will eventually be an official announcement up at Pwnies.com.
By EditorDavid from Slashdot's C-u-later department
An anonymous reader quotes InfoWorld:
Proponents of Rust, the language engineered by Mozilla to give developers both speed and memory safety, are stumping for the language as a long-term replacement for C and C++. But replacing software written in these languages can be a difficult, long-term project. One place where Rust could supplant C in the short term is in the traditionally C libraries used in other languages... [A] new spate of projects are making it easier to develop Rust libraries with convenient bindings to Python -- and to deploy Python packages that have Rust binaries.
The article specifically highlights these four new projects:
Rust-CPython - a set of bindings in Rust for the CPython runtime
PyO3 - a basic way to write Rust software with bindings to Python in both directions
Snaek - lets developers create Rust libraries that are loaded dynamically into Python as needed, but don't rely on being linked statically against Python's runtime
Cookiecutter PyPackage Rust Cross-Platform Publish - simplifies the process of bundling Rust binaries with a Python library
OpenMoko: Ten Years After
Posted by News Fetcher on July 29 '17 at 05:52 AM
By msmash from Slashdot's inside-story department
Michael Lauer, member of the core team at OpenMoko, a project that sought to create a family of open source mobile phones -- which included the hardware specs and the Linux-based OS -- has shared the inside story of what the project wanted to do and why it failed. From his blog post: For the 10th anniversary since the legendary OpenMoko announcement at the "Open Source in Mobile" (7th of November 2006 in Amsterdam), I've been meaning to write an anthology or -- as Paul Fertser suggested on #openmoko-cdevel -- an obituary. I've been thinking about objectively describing the motivation, the momentum, how it all began and -- sadly -- ended. I did even plan to include interviews with Sean, Harald, Werner, and some of the other veterans. But as with oh so many projects of (too) wide scope this would probably never be completed. As November 2016 passed without any progress, I decided to do something different instead. Something way more limited in scope, but something I can actually finish. My subjective view of the project, my participation, and what I think is left behind: My story, as OpenMoko employee #2. On top of that you will see a bunch of previously unreleased photos (bear with me, I'm not a good photographer and the camera sucked as well). [....] Right now my main occupation is writing software for Apple's platforms -- and while it's nice to work on apps using a massive set of luxury frameworks and APIs, you're locked and sandboxed within the software layers Apple allows you. I'd love to be able to work on an open source Linux-based middleware again. However, the sad truth is that it looks like there is no business case anymore for a truly open platform based on custom-designed hardware, since people refuse to spend extra money for tweakability, freedom, and security. Despite us living in times where privacy is massively endangered.
By msmash from Slashdot's gotcha department
An anonymous reader writes: Dutch Police are aggressively going after Dark Web vendors using data they collected from the recently seized Hansa Market. According to reports, police are using the Hansa login credentials to authenticate on other Dark Web portals, such as Dream. If vendors reused passwords, police take over the accounts and set up traps or map the sales of illegal products. Other crooks noticed the account hijacks because Dutch Police replaced the PGP key for the hijacked accounts with their own, which was accidentally signed with the name "Dutch Police." The second method of operation spotted by the Dark Web community involves so-called "locktime" files that were downloaded from the Hansa Market before Dutch authorities shut it down on July 20. Under normal circumstances a locktime file is a simple log of a vendor's market transaction, containing details about the sold product, the buyer, the time of the sale, the price, and Hansa's signature. The files are used as authentication by vendors to request the release of Bitcoin funds after a sale's conclusion, or if the market was down due to technical reasons. Before the market went down, these locktime files were replaced with Excel files that contained a hidden image that would beacon back to police servers, exposing the vendor's real location. Dutch Police were able to do this because they took over Hansa servers on June 20 and operated the market for one more month, collecting data on vendors.
By msmash from Slashdot's what-would-you-say department
Even though you would assume that people would know better, an anonymous reader writes, in my experience, I have found many who think installing more than one antivirus program on their computer is the right way to go about it. Some have installed as many as three third-party security suites, which among other things, takes a toll on the performance. This week the New York Times' tech tip section addresses the matter. From the article, which could be paywalled, but you don't have to read it in entirety anyway: Installing more than one program to constantly scan and monitor your PC for viruses and other security threats can create problems, because the two applications will likely interfere with each other's work. Clashing antivirus programs can cause the computer to behave erratically and run more slowly as the applications battle for system resources. Microsoft advises against running its Windows Defender security software on the same system with another installed third-party antivirus program. Likewise, antivirus software companies also warn against using other system security products when you are using theirs; Bitdefender, Kaspersky Lab and Symantec all have articles on their sites explaining the potential problems in detail. Programs that do not constantly patrol your operating system, like mail scanners, may not be an issue. What do you folks recommend to people who are not as tech-savvy?
By msmash from Slashdot's shape-of-things-to-come department
From a WSJ report: If President Donald Trump sticks to what he has said, Americans earning between $149,400 and $307,900 are most likely to see an increase in their taxes as a result of tax reform (Editor's note: the link could be paywalled). Those figures come from a recent study by the Tax Policy Center, a nonpartisan group in Washington, and are based on Mr. Trump's statements and proposals. The study concludes that nearly one-third of about 19 million households in that income range could see tax increases averaging from $3,000 to $4,000 a year. By contrast, less than 10% of households earning the least or the most -- below $25,000 or above $733,000 -- would owe more after a tax overhaul. Over all, the study found that about 20% of taxpayers would owe more after tax reform than before it. The issue of tax reform's winners and losers has resurfaced after top congressional Republicans and the Trump administration released a set of broad principles for tax policy on Thursday containing few details.
By msmash from Slashdot's meet-the-new-Tesla department
An anonymous reader shares a WSJ article: A first peek inside Tesla's new Model 3 compact car revealed a starker, cozier interior than the more spacious and luxurious Model S. But as the sedan sped off, the experience felt similar. On Friday, the Silicon Valley auto maker showed off details of the all-electric sedan's interior for the first time (Editor's note: the link could be paywalled; alternative source), allowing brief test rides with a roughly 10-minute spin around the factory. The Model 3 represents a milestone for Chief Executive Elon Musk, who has long wanted to create an electric car for the masses. He's betting the new vehicle can help fuel massive growth for his 14-year-old company, projecting Tesla will produce a half-million cars next year, after delivering about 76,000 Model S sedans and Model X sport-utility vehicles last year. The Model 3's exterior was revealed in March last year, but details about the interior have been scarce. The $35,000 sedan is noticeably bare bones inside -- gone are the displays and instrument panel behind the steering wheel and the numerous switches and buttons found in the cockpit of traditional cars. Instead, the Model 3 makes greater use of a video screen in the center dash that controls most of the car's functions.