By EditorDavid from Slashdot's blaming-C department
"Most software, even critical system software, is insecure Swiss cheese held together with duct tape, bubble wrap, and bobby pins..." writes TechCrunch. An anonymous reader quotes their article:
Everything is terrible because the fundamental tools we use are, still, so flawed that when used they inevitably craft terrible things... Almost all software has been bug-ridden and insecure for so long that we have grown to think that this is the natural state of code. This learned helplessness is not correct. Everything does not have to be terrible...
Vast experience has shown us that it is unrealistic to expect programmers to write secure code in memory-unsafe languages...as an industry, let's at least set a trajectory. Let's move towards writing system code in better languages, first of all -- this should improve security and speed. Let's move towards formal specifications and verification of mission-critical code.
Their article calls for LangSec testing, and applauds the use of languages like Go and Rust over memory-unsafe languages like C. "It's not just systemd, not just Linux, not just software; the whole industry is at fault."
By EditorDavid from Slashdot's send-in-the-clones department
Long-time Slashdot reader Ichijo has a question about "(not quite) open source hardware":
One hardware project that calls itself "open source" doesn't want to make its hardware design source files publicly available because doing so would, in their words, "make it very trivial for e.g. Chinese companies to start producing cheap clones... we'd be getting support requests for hardware we had no idea of the quality of." This answer was in response to a request by a user who wants to use the design in his own projects.
Have any other open source hardware projects run into support issues from people owning cheap "clones"? Have clones been produced even without the hardware design source files?
Leave your answers in the comments. Should an open source hardware project support clones?
By EditorDavid from Slashdot's see-media-for-pic department
"No matter how solid the system is, history reveals that false alarms -- of zombies, nuclear attacks, missing children -- are inevitable," warns an essay at Medium. An anonymous Slashdot reader summarizes the article: New York's police department is hailing emergency alerts as "the future" of government communications to citizens. But could the same system be used by scammers directing millions of people to a malware-installing site, or "a terrorist intent on causing mass panic (i.e., 'Tsunami imminent, evacuate immediately')... If the government can reach us at any time, who else can?"
The article runs through great moments in the history of false alerts -- including a 1971 incident where the national warning system mistakenly sent out the pre-nuclear attack warning, "normal broadcasting will cease immediately," and warnings in 2013 about zombie attacks in Montana, New Mexico, and Michigan. "To tell anybody that an agency is immune to these attacks would be a grave injustice," said the IT overseer at Iowa's Department of Public Safety.
By EditorDavid from Slashdot's peace-of-Pi department
"Today is one of the best days in Arduino history," announced Massimo Banzi, Co-Founder of Arduino LLC, calling it "a new beginning" for Arduino. Slashdot reader ruhri reports:
Massimo Banzi and Federico Musto, co-founders of the Arduino Project, announced they have settled their differences that had resulted in the creation of Arduino LLC and Arduino SRL. A new, unified Arduino Holding and Arduino Foundation will be created.
"Massimo Banzi and Federico Musto took the stage today at the New York Maker Faire to announce the good news," reports a blog post at Arduino.cc. "At the end of 2016, the newly created 'Arduino Holding' will become the single point of contact for the wholesale distribution of all current and future products... In addition, Arduino will form a not-for-profit 'Arduino Foundation' responsible for maintaining the open source Arduino desktop IDE, and continuing to foster the open source movement by providing support for a variety of scholarships, community and developer initiatives."
By EditorDavid from Slashdot's just-ahead-of-in-time department
An anonymous Slashdot reader quotes InfoWorld:
Java applications will get faster startup times thanks to a formal proposal to include ahead-of-time compilation in the platform. The draft Java Development Kit proposal, authored by Vladimir Kozlov, principal technical staff member at Oracle, is targeted for inclusion in Java 9, which is expected to be available next summer. "We would love to see this make it into JDK 9, but that will of course depend on the outcome of the OpenJDK process for this JDK Enhancement Proposal," said Georges Saab, vice president of software development in the Java platform group at Oracle, on Thursday. Ahead-of-time compilation has been a stated goal for Java 9 to address the issue of slow startup...
The proposal summary notes that Java classes would be compiled to native code prior to launching the virtual machine. The ultimate goal is to improve the startup time of small or large Java applications while having "at most" a limited impact on peak performance and minimizing changes to the user workflow.
Tests indicate some applications perform better while some actually perform worse, so it's being proposed as an opt-in feature where dissatisfied users "can just rebuild a new JDK without ahead-of-time libraries."
By EditorDavid from Slashdot's sky-still-blue department
An anonymous Slashdot reader quotes ZDNet:
Microsoft rolled out this week the seventh Cumulative Update of fixes to Windows 10 Anniversary Update since the Anniversary version of Windows 10 began going to customers on August 2...causing installation issues for some users. I don't know how many are affected -- it's definitely nowhere near "all" -- but reports are coming in on Twitter and in Microsoft support forums from those who can't install the update, resulting (at least for some) in an endless loop of repeated attempts...
But a few of those affected have pointed out that when Microsoft first delivered this update to its "Release Preview" ring of Insider testers at the start of this week, some testers reported the installation failure/reboot issue. Despite those reports, Microsoft still pushed this update out to those not in the Insider program... Unsurprisingly, this issue is triggering a round of "What's the point of Insider testing?" questions. It looks to some like Microsoft is just ignoring Insider feedback...
Paul Thurrott reports that the problems are "widespread... Microsoft is pushing the idea that you should always patch your machine on the day the update is released as they often release security patches that fix vulnerabilities. But, until the company can get a handle on their quality control issues...it feels like every time you run Windows update you are rolling the dice."
By EditorDavid from Slashdot's see-you-in-court department
"Last December, the FAA rushed an arbitrary and ineffectual recreational drone-owners' registry into effect, mere days before Christmas and just in time to criminalize the flying of toys by thousands of children and hobbyists," argued The Daily Signal. Now Slashdot reader jenningsthecat reports on a promising legal challenge filed by a drone hobbyist who's also a lawyer, who is now "receiving financial help with his suit from the D.C. area Drone User Group (DC DUG)."
In his Petitioner's Brief, John Taylor maintains that "(f)or the first century of American aviation and beyond, the federal government made no attempt whatsoever to regulate recreational model aircraft", and that "(t)he FAA seeks to revise history (PDF) when it argues its failure to register model aircraft, or otherwise treat them in any manner as 'aircraft,' in the past was the exercise of an 'enforcement discretion.'"
On a fund-raising page for the challenge, the group calls the federal registry "deeply concerning to users and prospective users of small unmanned aircraft."
By BeauHD from Slashdot's conservative-estimate department
An anonymous reader quotes a report from Business Insider: The actual tally of stolen user accounts from the hack Yahoo experienced could be much larger than 500 million, according to a former Yahoo executive familiar with its security practices. The former Yahoo insider says the architecture of Yahoo's back-end systems is organized in such a way that the type of breach that was reported would have exposed a much larger group of user account information. To be sure, Yahoo has said that the breach affected at least 500 million users. But the former Yahoo exec estimated the number of accounts that could have potentially been stolen could be anywhere between 1 billion and 3 billion. According to this executive, all of Yahoo's products use one main user database, or UDB, to authenticate users. So people who log into products such as Yahoo Mail, Finance, or Sports all enter their usernames and passwords, which then go to this one central place to ensure they are legitimate, allowing them access. That database is huge, the executive said. At the time of the hack in 2014, inside were credentials for roughly 700 million to 1 billion active users accessing Yahoo products every month, along with many other inactive accounts that hadn't been deleted. In late 2013, Yahoo CEO Marissa Mayer said the company had 800 million monthly active users globally. It currently has more than 1 billion.
By BeauHD from Slashdot's something-smells-fishy department
An anonymous reader quotes a report from The Washington Post: The long-running feud between Elon Musk's space company and its fierce competitor United Launch Alliance took a bizarre twist this month when a SpaceX employee visited its facilities at Cape Canaveral, Fla., and asked for access to the roof of one of ULA's buildings. About two weeks earlier, one of SpaceX's rockets blew up on a launchpad while it was awaiting an engine test. As part of the investigation, SpaceX officials had come across something suspicious they wanted to check out, according to three industry officials with knowledge of the episode. SpaceX had still images from video that appeared to show an odd shadow, then a white spot on the roof of a nearby building belonging to ULA, a joint venture between Lockheed Martin and Boeing. The SpaceX representative explained to the ULA officials on site that it was trying to run down all possible leads in what was a cordial, not accusatory, encounter, according to the industry sources, who spoke on the condition of anonymity because of the ongoing investigation. The building, which had been used to refurbish rocket motors known as the SMARF, is just more than a mile away from the launchpad and has a clear line of sight to it. A representative from ULA ultimately denied the SpaceX employee access to the roof and instead called Air Force investigators, who inspected the roof and didn't find anything connecting it to the rocket explosion, the officials said. This week, ten members of Congress sent a four-page letter to several government agencies about the SpaceX explosion, raising the question as to whether or not SpaceX should be leading the investigation. Elon Musk said the investigation into what went wrong is the company's "absolute top priority." He added, "We've eliminated all of the obvious possibilities for what occurred there. So what remains are the less probable answers." SpaceX aims to resume flights in November.
By BeauHD from Slashdot's suspense-is-killing-me department
sciencehabit writes: It was an unusual grand finale. The crowded European Space Agency (ESA) operations center in Darmstadt, Germany, waited in silence and then the signal from the descending Rosetta mission simply stopped at 1.19 pm local time showing that the spacecraft had, presumably, landed on comet 67P/Churyumov-Gerasimenko some 40 minutes earlier, due to the time the signal takes to reach Earth. Mission controllers hugged each other; there was gentle applause from onlookers; and that was it. There were no last minute crises. Seven of Rosetta's instruments kept gathering data until the end. Holger Sierks, principal investigator of the 12-year mission's main camera, showed the gathered staff, officials, and journalists Rosetta's final picture: a rough gravelly surface with a few larger rocks covering an area 10 meters across. Earlier, it had snapped the interior of deep pits on the comet (shown above, from an altitude of 5.8 kilometers) that may show the building blocks it is made of. "It's very crude raw data but this will keep us busy," Sierks said. It is hoped that this last close-up data grab will help to clarify the many scientific questions raised by Rosetta.
By BeauHD from Slashdot's more-money-more-problems department
An anonymous reader quotes a report from Ars Technica: Over the nine or so years that Mylan, Inc. has been selling -- and hiking the price -- of EpiPens, the drug company has been misclassifying the life-saving device and stiffing Medicaid out of full rebate payments, federal regulators told Ars. Under the Medicaid Drug Rebate Program, drug manufacturers, such as Mylan, can get their products covered by Medicaid if they agree to offer rebates to the government to offset costs. With a brand-name drug such as the EpiPen, which currently has no generic versions and has patent protection, Mylan was supposed to classify the drug as a "single source," or brand name drug. That would mean Mylan is required to offer Medicaid a rebate of 23.1 percent of the costs, plus an "inflation rebate" any time Mylan raises the price of the brand-name drug at a rate higher than inflation. Mylan has opted for such price increases -- a lot. Since Mylan bought the rights to EpiPen in 2007, it has raised the price on 15 separate occasions, bringing the current list price to $608 for a two-pack up from about $50 a pen in 2007. That's an increase of more than 500 percent, which easily beats inflation. But instead of classifying EpiPen as a "single source" drug, Mylan told regulators that it's a "non-innovator multiple source," or generic drug. Under that classification, Mylan is only required to offer a rebate of 13 percent and no inflation rebates. It's unclear how much money Mylan has skipped out on paying in total to state and federal governments. But according to the state health department of Minnesota, as reported by CNBC, the misclassification cost that state $4.3 million this year alone.
By BeauHD from Slashdot's out-of-ink department
sciencehabit quotes a report from Science Magazine: If you shatter a bone in the future, a 3D printer and some special ink could be your best medicine. Researchers have created what they call "hyperelastic bone" that can be manufactured on demand and works almost as well as the real thing, at least in monkeys and rats. Though not ready to be implanted in humans, bioengineers are optimistic that the material could be a much-needed leap forward in quickly mending injuries ranging from bones wracked by cancer to broken skulls. Researchers at Northwestern University, Evanston, in Illinois are working on a hyperelastic bone, which is a type of scaffold made up of hydroxyapatite, a naturally occurring mineral that exists in our bones and teeth, and a biocompatible polymer called polycaprolactone, and a solvent. Hydroxyapatite provides strength and offers chemical cues to stem cells to create bone. The polycaprolactone polymer adds flexibility, and the solvent sticks the 3D-printed layers together as it evaporates during printing. The mixture is blended into an ink that is dispensed by the printer, layer by layer, into exact shapes matching the bone that needs to be replaced. The idea is, a patient would come in with a nasty broken bone -- say, a shattered jaw -- and instead of going through painful autograft surgeries or waiting for a custom scaffold to be manufactured, he or she could be x-rayed and a 3D-printed hyperelastic bone scaffold could be printed that same day.