By EditorDavid from Slashdot's Apocalypse-.Net department
"The .NET ecosystem is affected by a similar flaw that has wreaked havoc among Java apps and developers in 2016," reports BleepingComputer. An anonymous reader writes:
The issue at hand is in how some .NET libraries deserialize JSON or XML data, doing it in a totally unsecured way, but also how developers handle deserialization operations when working with libraries that offer optional secure systems to prevent deserialized data from accessing and running certain methods automatically. The issue is similar to a flaw known as Mad Gadget (or Java Apocalypse) that came to light in 2015 and 2016. The flaw rocked the Java ecosystem in 2016, as it affected the Java Commons Collection and 70 other Java libraries, and was even used to compromise PayPal's servers. Organizations such as Apache, Oracle, Cisco, Red Hat, Jenkins, VMWare, IBM, Intel, Adobe, HP, and SolarWinds all issued security patches to fix their products. The Java deserialization flaw was so dangerous that Google engineers banded together in their free time to repair open-source Java libraries and limit the flaw's reach, patching over 2,600 projects.
Now a similar issue was discovered in .NET. This research has been presented at the Black Hat and DEF CON security conferences. On page 5 [of this PDF], researchers included reviews for all the .NET and Java apps they analyzed, pointing out which ones are safe and how developers should use them to avoid deserialization attacks when working with JSON data.
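As an added illustration of the "optional secure systems" the summary mentions (this is editor-supplied example code, not from the article or the researchers' paper, and the article does not name which libraries it covers), the configuration below uses Json.NET's TypeNameHandling setting: the weak form lets a "$type" field in the incoming document decide which class is instantiated, the hardened form ignores type names entirely, and where polymorphic deserialization is genuinely needed a SerializationBinder allow-list decides which type names may be resolved. The Order and OrderBinder types are constructed for this example.

```csharp
using System;
using Newtonsoft.Json;
using Newtonsoft.Json.Serialization;

// Constructed example type for this illustration (not from the article).
public class Order
{
    public string Id { get; set; }
    public decimal Amount { get; set; }
}

// Allow-list binder: only types named here may be resolved from a "$type" field.
public sealed class OrderBinder : ISerializationBinder
{
    public Type BindToType(string assemblyName, string typeName)
    {
        // Match on the full type name; do not trust assembly strings from the input.
        if (typeName == typeof(Order).FullName)
            return typeof(Order);
        throw new JsonSerializationException($"Type not permitted in payload: {typeName}");
    }

    public void BindToName(Type serializedType, out string assemblyName, out string typeName)
    {
        assemblyName = null;
        typeName = serializedType.FullName;
    }
}

public static class DeserializationDemo
{
    // WEAK: every "$type" in the document is honoured, so whoever sends the JSON
    // chooses which classes are instantiated and which constructors/setters run.
    public static readonly JsonSerializerSettings Weak =
        new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.All };

    // HARDENED (the default): type names are never read, so "$type" is ignored.
    public static readonly JsonSerializerSettings Safe =
        new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.None };

    // HARDENED when polymorphism is required: type names are read, but only the
    // binder's allow-list can satisfy them; anything else aborts deserialization.
    public static readonly JsonSerializerSettings SafeWithBinder = new JsonSerializerSettings
    {
        TypeNameHandling = TypeNameHandling.Auto,
        SerializationBinder = new OrderBinder()
    };

    public static void Main()
    {
        // Constructed payload whose "$type" names a type that is not on the allow-list.
        string untrusted = "{\"$type\":\"System.Version, mscorlib\",\"Id\":\"A1\",\"Amount\":5}";
        var order = JsonConvert.DeserializeObject<Order>(untrusted, Safe);
        Console.WriteLine($"None: got {order.Id} {order.Amount}, type name ignored");

        try { JsonConvert.DeserializeObject<Order>(untrusted, SafeWithBinder); }
        catch (JsonSerializationException e) { Console.WriteLine($"Binder rejected: {e.Message}"); }
    }
}
```

The Weak settings are shown only for contrast; the same applies to any code path where TypeNameHandling is anything other than None and no binder restricts the resolvable types.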
By EditorDavid from Slashdot's art-of-the-open-source-fugue department
Slashdot reader DevNull127 writes: Robert Douglass's Kickstarter campaigns have resulted in free fan-funded open source recordings of Bach's Goldberg Variations and the 48 pieces in his Well-Tempered Clavier, Book 1. "Even Richard Stallman found these recordings, and he promptly wrote an email encouraging us to drop the word 'Open' in favor of 'Free' or 'Libre'," Douglass tells BoingBoing (adding "when RMS writes you telling you to change the name of your music project, you change the name of your music project.")
Now Douglass is crowdfunding a libre recording of Bach's last masterpiece, 20 fugues developed from a single theme called "the Art of the Fugue". "He wanted to culminate in a final fugue that literally spells his name, B-A-C-H, in musical notation," remembers Douglass, but "unfortunately, Bach died before completing that work, and it has remained a musical mystery (and tragedy) for hundreds of years." Fortunately Kimiko Ishizaka completed the work in 2016, "based on the music that Bach left us... This new composition will also be released under a Creative Commons license as part of the new OpenScore.cc project... Kimiko is eminently grateful to her fans and supporters of free culture for allowing her to focus all of her energies on growing the public domain and bringing the music of J.S. Bach to a far broader audience than ever imagined."
They're also rewarding supporters with tickets to two live performances -- one at Carnegie Hall in New York City and one in Hamburg's new Elbphilharmonie.
By EditorDavid from Slashdot's back-to-the-future department
In 1989 Mondo 2000 magazine ran an editorial promising they'd cover "the leading edge in hyperculture...the latest in human/technological interactive mutational forms as they happen." 28 years later, they're now heckling that editorial as they relaunch into a web site. Slashdot reader DevNull127 quotes Motherboard's interview with R.U. Sirius, the founder of Mondo 2000 (as well as its predecessors High Frontiers and Reality Hackers):
"It was my idea to merge psychedelics and emerging technologies, and the culture around technology," Sirius said, citing Timothy Leary, writer Robert Anton Wilson and counterculture magazine The Whole Earth Catalog among his inspirations... "I kind of found my way into that particular stream of bohemian culture. It was probably a minority, but there had always been that idea of letting robots replace human work." Soon High Frontiers evolved into a glossy magazine, Reality Hackers ("Some distributors at the time thought it was about hacking people up, and put it on the shelf next to murder mystery magazines"), and later Mondo 2000, which ran from 1989 till 1998...
"We really had to work to convince people that technology was defining the future. Nobody really got it. Doug Rushkoff wrote his book Cyberia, and his first book company cancelled its publication because they said the internet was a fad and that it would be over by the time the book came out"... While he uses Facebook and Twitter, Sirius is critical of their role in colonising what was once a more democratic and open space. "People are being herded into little buildings -- or huge ones -- in what was supposed to be a wide open space in which everybody created their own sites. It's a complete corporate takeover of the net, Facebook in particular... It's definitely not what we were expecting."
By EditorDavid from Slashdot's ghost-of-distros-past department
An anonymous reader quotes OpenSource.com:
A unique trait of open source is that it's never truly EOL (End of Life). The disc images mostly remain online, and their licenses don't expire, so going back and installing an old version of Linux in a virtual machine and getting a precise picture of what progress Linux has made over the years is relatively simple... Whether you're new to Linux, or whether you're such an old hand that most of these screenshots have been more biographical than historical, it's good to be able to look back at how one of the largest open source projects in the world has developed. More importantly, it's exciting to think of where Linux is headed and how we can all be a part of that, starting now, and for years to come.
The article looks at seven distros -- Slackware 1.01 (1993), Debian 0.91 (1994), Jurix/S.u.S.E. (1996), SUSE 5.1 (1998), Red Hat 6.0 (1999), Mandrake 8.0 (2001), and Fedora 1 (2003). Click through for some of the highlights.
By EditorDavid from Slashdot's when-I-get-all-steamed-up department
Status Code 418 states that "Any attempt to brew coffee with a teapot should result in the error code '418 I'm a teapot'. The resulting entity body MAY be short and stout." An anonymous reader quotes Gizmodo:
It started back in 1998 as an April Fool's Day gag. Written up by Larry Masinter of the Internet Engineering Task Force (IETF), error code 418 -- "I'm a teapot" -- was nothing more than a poke at the "many bad HTTP extensions that had been proposed". Despite its existence as a joke, a number of major software projects, including Node.js, ASP.NET and Google's Go language, implemented it as an Easter egg. A recent attempt to excise the fictitious code from these projects ended up doing the opposite, cementing it as a "reserved" error by the IETF...
The Save 418 site argued that "the application of such a status code is boundless. Its utility, quite simply, is astonishingly unparalleled. It's a reminder that the underlying processes of computers are still made by humans. It'd be a real shame to see 418 go."
By EditorDavid from Slashdot's myth-unbusters department
Ars Technica reports on a study suggesting that "Striking at a myth with facts may only shore it up." Applehu Akbar writes:
Researchers at the University of Edinburgh studied public attitudes toward vaccination in a group whose opinions on the subject were polled before and after being shown three different kinds of explanatory material that used settled scientific facts about vaccines to explain the pro-vaccination side of the debate. Not only was the anti-vax cohort not convinced by any of the three campaigns, but their attitudes hardened when another poll was taken a week later.
What seems to have happened was that the pro-vax campaign was taken by anti-vaxers as just another attempt to lie to them, and as reinforcement for their already made-up minds on the subject. A previous study at Dartmouth College in 2014 used similar methodology and except for the 'hardening' effect elicited similar results. What's really scary about this is that while the Dartmouth subjects were taken from a large general population, the Edinburgh subjects were college students.
"The researchers speculate that the mere repetition of a myth during the process of debunking may be enough to entrench the myth in a believer's mind," writes Ars Technica, with one of the study's authors attributing this to the "illusory truth" effect.
"People tend to mistake repetition for truth."
By EditorDavid from Slashdot's first-they-came-for-the-videogamers department
An anonymous reader quotes the Verge:
Tonight during Valve's yearly Dota 2 tournament, a surprise segment introduced what could be the best new player in the world -- a bot from Elon Musk-backed startup OpenAI. Engineers from the nonprofit say the bot learned enough to beat Dota 2 pros in just two weeks of real-time learning, though in that training period they say it amassed "lifetimes" of experience, likely using a neural network judging by the company's prior efforts. Musk is hailing the achievement as the first time artificial intelligence has been able to beat pros in competitive e-sports... Elon Musk founded OpenAI as a nonprofit venture to prevent AI from destroying the world -- something Musk has been beating the drum about for years.
"Nobody likes being regulated," Musk wrote on Twitter Friday, "but everything (cars, planes, food, drugs, etc) that's a danger to the public is regulated. AI should be too."
Musk also thanked Microsoft on Twitter "for use of their Azure cloud computing platform. This required massive processing power."
By EditorDavid from Slashdot's network-affect department
neutrino38 warns that iOS 10 includes a significant change "overlooked by the general public":
It deprecates an API that is crucial for VoIP and other instant messaging applications that enable keeping one socket active despite the fact that the application would run in the background. As a replacement, developers need to use PushKit: when an incoming call is to be forwarded to an iOS VoIP client, the VoIP infrastructure needs to:
- withhold the call
- contact Apple push infrastructure using a proprietary protocol to wake up the client app remotely
- wait for the application to reconnect to the infrastructure and release the call when it is ready
This "I know better than you" approach is meant to further optimize battery life on iOS devices by avoiding the use of resources by apps running in the background. It also has the positive effect of forcing developers to switch to a push model and remove all periodic polling that ultimately uses mobile data and clogs the Internet. However, the decision to use an Apple infrastructure has many consequences for VoIP providers:
- the reliability of serving incoming calls is directly bound to Apple service
- Apple may revoke the PushKit certificate. It thus has life and death decision power over third-party communication infrastructures
- organizations wanting to set up an IPBX and use iOS clients have no option but to open access for Apple's push services in their firewall
- It is not possible to have iOS VoIP or communication clients in networks disconnected from the Internet
- Pure standard SIP clients are now broken on iOS
The original submission argues that Apple is creating "the perfect walled garden," adding that "Ironically, the only VoIP 'app' that is not affected is the (future?) VoLTE client that will be added to iOS one day."
The 2017 Hugo Awards
Posted by News Fetcher on August 12 '17 at 11:21 AM
By EditorDavid from Slashdot's reading-lists department
Dave Knott writes: The Hugo Awards, the most prestigious awards in science fiction, had their 2017 ceremony today, at WorldCon 75 in Helsinki, Finland.
The winners are:
Best Novel: The Obelisk Gate by N.K. Jemisin
Best Novella: "Every Heart a Doorway" by Seanan McGuire
Best Novelette: "The Tomato Thief" by Ursula Vernon
Best Short Story: "Seasons of Glass and Iron", by Amal El-Mohtar
Best Related Work: Words Are My Matter: Writings About Life and Books, 2000-2016 by Ursula K Le Guin
Best Graphic Story: Monstress, Volume 1: Awakening, written by Marjorie Liu, illustrated by Sana Takeda
Best Dramatic Presentation (Long Form): Arrival, screenplay by Eric Heisserer based on a short story by Ted Chiang, directed by Denis Villeneuve
Best Dramatic Presentation (Short Form): The Expanse: Leviathan Wakes, written by Mark Fergus and Hawk Ostby, directed by Terry McDonough
Best Series: The Vorkosigan Saga, by Lois McMaster Bujold (Baen)
John W Campbell Award for Best New Writer: Ada Palmer
This year's slate of nominees, unlike the drama surrounding the 2016 and 2015 Hugos, was less impacted by the ballot-stuffing tactics of the "Rabid Puppies", thanks to a change in the way nominees were voted for this year (including the fact no work could appear in more than one category) in an attempt to avoid tactical slate picks.
By EditorDavid from Slashdot's delivering-a-desktop department
BrianFagioli quotes BetaNews: On August 24 and 25, the Ubuntu Desktop team will be holding a "Fit and Finish Sprint," where they will aggressively test GNOME. Canonical is also asking the Ubuntu community to help with this process. In other words, you might be able to assist with making Artful Aardvark even better.
What makes this particularly cool, however, is that Canonical will be selecting some community members to visit its London office on August 24 between 4 pm and 9 pm. "Over the two days we'll be scrutinizing the new GNOME Shell desktop experience, looking for anything jarring/glitchy or out of place," says Alan Pope, Community Manager. "We'll be working on the GTK, GDM and desktop theme alike, to fix inconsistencies, performance, behavioral or visual issues. We'll also be looking at the default key bindings, panel color schemes and anything else we discover along the way."
A few caveats: Canonical won't pay anyone's travel expenses to London, and "Ideally we're looking for people who are experienced in identifying (and fixing) theme issues, CSS experts and GNOME Shell / GTK themers."
By BeauHD from Slashdot's targets-of-interest department
An anonymous reader quotes a report from Ars Technica: A Russian government-sponsored group accused of hacking the Democratic National Committee last year has likely been infecting other targets of interest with the help of a potent Windows exploit developed by, and later stolen from, the National Security Agency, researchers said Friday. Eternal Blue, as the exploit is code-named, is one of scores of advanced NSA attacks that have been released over the past year by a mysterious group calling itself the Shadow Brokers. It was published in April in the group's most damaging release to date. Its ability to spread from computer to computer without any user action was the engine that allowed the WCry ransomware worm, which appropriated the leaked exploit, to shut down computers worldwide in May. Eternal Blue also played a role in the spread of NotPetya, a follow-on worm that caused major disruptions in June. Now, researchers at security firm FireEye say they're moderately confident the Russian hacking group known as Fancy Bear, APT 28, and other names has also used Eternal Blue, this time in a campaign that targeted people of interest as they connected to hotel Wi-Fi networks. In July, the campaign started using Eternal Blue to spread from computer to computer inside various staff and guest networks, company researchers Lindsay Smith and Ben Read wrote in a blog post. While the researchers didn't directly observe those attacks being used to infect guest computers connected to the network, they said a related campaign from last year used the control of hotel Wi-Fi services to obtain login credentials from guest devices.
By BeauHD from Slashdot's cause-and-effect department
A new study from the University of Michigan Transportation Research Institute has shed light on what may turn out to be a growing trend: lower car ownership in cities where ride-sharing services are available. SlashGear reports: While Uber and Lyft have both deployed in a number of cities, they have, at times, had to abandon those cities due to local governments driving them out for one reason or another. That's what happened in Austin, Texas, opening the door for an interesting study on personal car ownership. Did the sudden absence of these two services cause increased car usage and/or ownership, or did things remain unaffected? The result, according to the study, was a big increase in personal car usage and a statistically significant increase in car ownership. The researchers surveyed a total of 1,200 people from the Austin region, and found that 41 percent of them started using their own car more often to make up for the lack of Uber and Lyft rides. As well, a total of 9 percent of those surveyed bought their own personal car to make up for the services' absences.
By BeauHD from Slashdot's back-from-the-dead department
Big Hairy Ian shares a report from New Atlas: When the first manned mission to Mars sets out, it may be on the tail of an atomic rocket engine. The Space Race vintage technology could have a renaissance at NASA after the space agency's Marshall Space Flight Center in Huntsville, Alabama signed a contract with BWXT Nuclear Energy to develop updated Nuclear Thermal Propulsion (NTP) concepts and new fuel elements to power them. Today, with NASA once again considering the challenges of sending astronauts to Mars, the nuclear option is back on the table as part of the agency's Game Changing Development program. Under this, NASA has awarded BWXT, which supplies nuclear fuel to the U.S. Navy, an $18.8-million contract running through September 30, 2019 to look into the possibility of developing a new engine using a new type of fuel. Unlike previous designs using highly enriched uranium, BWXT will study the use of Low-Enriched Uranium (LEU), which has less than 20 percent of fissile uranium 235. This will provide a number of advantages. Not only is it safer than the highly enriched fuel, but the security arrangements are less burdensome, and the handling regulations are the same as those of a university research reactor. If NASA determines next month that the LEU engine is feasible, the project will conduct testing and refine the manufacturing process of the Cermet fuel elements over the course of a year, with testing of the full-length Cermet fuel rods to be conducted at Marshall.
Slashdot reader Big Hairy Ian adds: "At the very least it looks much more feasible than Project Orion."
By BeauHD from Slashdot's fake-transactions department
An anonymous reader quotes a report from The Verge: Islamic State allegedly used PayPal and fake eBay transactions to channel money to an operative in the U.S., The Wall Street Journal reports. The man who allegedly received the money was American citizen Mohamed Elshinawy, who was arrested last year in Maryland. The FBI claims that Elshinawy, in his early 30s, sold computer printers on eBay as a front in order to receive the payments through PayPal. The details have come to light because of a recently unsealed FBI affidavit, which alleges Elshinawy was part of a worldwide network that used such channels to fund ISIS. Elshinawy received $8,700 from ISIS, including five PayPal payments from senior ISIS official Siful Sujan through his technology company. Those funds were used to buy a laptop, a cellphone, and a VPN to communicate with IS, according to the affidavit. Sujan was killed in a drone strike in 2015. eBay told The Wall Street Journal it "has zero tolerance for criminal activities taking place on our marketplace." Meanwhile, a spokeswoman for PayPal said it "invests significant time and resources in working to prevent terrorist activity on our platform. We proactively report suspicious activities and respond quickly to lawful requests to support law enforcement agencies in their investigations."