By EditorDavid from Slashdot's in-the-chips department
An anonymous reader quotes Ars Technica:
A remote hijacking flaw that lurked in Intel chips for seven years was more severe than many people imagined, because it allowed hackers to remotely gain administrative control over huge fleets of computers without entering a password. This is according to technical analyses published Friday... AMT makes it possible to log into a computer and exercise the same control enjoyed by administrators with physical access [and] was set up to require a password before it could be remotely accessed over a Web browser interface. But, remarkably, that authentication mechanism can be bypassed by entering any text string -- or no text at all...
"Authentication still worked" even when the wrong hash was entered, Tenable Director of Reverse Engineering Carlos Perez wrote. "We had discovered a complete bypass of the authentication scheme." A separate technical analysis from Embedi, the security firm Intel credited with first disclosing the vulnerability, arrived at the same conclusion... Making matters worse, unauthorized accesses typically aren't logged by the PC because AMT has direct access to the computer's network hardware... The packets bypass the OS completely.
The article adds that Intel officials "said they expect PC makers to release a patch next week." And in the meantime? "Intel is urging customers to download and run this discovery tool to diagnose potentially vulnerable computers."
Saturday Ars Technica found more than 8,500 systems with an AMT interface exposed to the internet using the Shodan search engine -- over 2,000 in the United States -- adding that "many others may be accessible via organizational networks."
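The bypass described above (a wrong or empty response still authenticates) is the behaviour of a response check that compares only as many characters as the client supplied; the published analyses attributed Intel's defect to a length-bounded string compare of that kind. The following is an added example, not Intel's code or anything from the Ars, Tenable or Embedi write-ups: it models a digest-style challenge/response with constructed realm, nonce and credentials, places the flawed comparison beside a full-length constant-time one, and shows why an empty response passes the first and fails the second.

```python
import hashlib
import hmac

# Constructed values for a digest-style challenge/response (not Intel's code or data).
REALM = "Digest:0123456789ABCDEF"  # constructed
NONCE = "4f2b9c1e"                 # constructed


def expected_response(username, password, method, uri, nonce=NONCE):
    """Server-side computation of the digest the client must present."""
    ha1 = hashlib.md5(f"{username}:{REALM}:{password}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()


def check_vulnerable(supplied, expected):
    """Compares only as many characters as the client sent (models a
    length-bounded compare). An empty response compares zero characters
    and therefore passes; any prefix of the real digest passes too."""
    n = len(supplied)
    return expected[:n] == supplied


def check_fixed(supplied, expected):
    """Full-length, constant-time comparison; a length mismatch fails."""
    return hmac.compare_digest(supplied.encode(), expected.encode())


def evaluate(username="admin", password="correct horse", method="GET", uri="/index.htm"):
    """Run both checks over representative client responses.
    Returns {case: (vulnerable_result, fixed_result)}."""
    exp = expected_response(username, password, method, uri)
    cases = {
        "correct": exp,          # genuine digest
        "empty": "",             # no response at all
        "prefix": exp[:4],       # first four characters of the digest
        "wrong": "not-a-hash",   # cannot match any hex digest
    }
    return {name: (check_vulnerable(r, exp), check_fixed(r, exp)) for name, r in cases.items()}


if __name__ == "__main__":
    for name, (vuln, fixed) in evaluate().items():
        print(f"{name:8s} vulnerable={vuln!s:5s} fixed={fixed}")
```

The defender's takeaways are the two properties the fixed check has and the flawed one lacks: the comparison length comes from the server's expected value, never from the client, and the comparison runs in constant time so that the (separately exploitable) prefix case does not leak through timing either.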
By EditorDavid from Slashdot's come-along-and-share-the-Stallman department
After our article about Richard Stallman's new video interview, Slashdot reader silverjacket shared this recent profile from Psychology Today that describes Richard Stallman's quest "to save us from a web of spyware -- and from ourselves."
By using proprietary software, Stallman believes, we are forfeiting control of our computers, and thus of our digital lives. In his denunciation of all nonfree software as inherently abusive and unethical, he has alienated many possible allies and followers. But he is not here to make friends. He is here to save us from a software industry he considers predatory in ways we've yet to recognize... for Stallman, moralism is the whole point. If you write or use free software only for practical reasons, you'll stop when it's inconvenient, and freedom will disappear.
Stallman collaborator Eben Moglen -- a law professor at Columbia, as well as the FSF's general counsel -- assesses Stallman's legacy by saying "the idea of copyleft and the proposition that social and political freedom can't happen in a society without technological freedom -- those are his long-term meanings. And humanity will be aware of those meanings for centuries, whatever it does about them." The article also includes quotes from Linus Torvalds and Eric S. Raymond -- along with some great artwork.
In addition to insisting the reporter refer to Linux as "GNU/Linux," Stallman also required that the article describe free software without using the term open source, a phrase he sees as "a way that people who disagree with me try to cause the ethical issues to be forgotten." And he ultimately got Psychology Today to tell its readers that "Nearly all the software on our phones and computers, as well as on other machines, is nonfree or 'proprietary' software and is riddled with spyware and back doors installed by Apple, Google, Microsoft, and the like."
By EditorDavid from Slashdot's France-has-spoken department
"France has voted for continuity," candidate Marine Le Pen said in the wake of her defeat in France's presidential election, conceding that Emmanuel Macron had a decisive lead. Reuters has ongoing coverage of Le Pen's concession phone call and reactions from world leaders. "France Rejects Far Right," read a headline at CNN, touting their own live updates and early results showing Macron with a 65.9% to 34.1% lead, "on course for a decisive win." Macron is scheduled to speak at the Louvre museum (where the grounds were "briefly evacuated" this morning after discovery of a suspicious bag). Quartz is calling 39-year-old Macron "the second Generation X president of a major world power" (after Canada's Justin Trudeau).
The election was closely watched after a 9-gigabyte trove of emails from Macron's campaign was leaked online. CNBC reports that "One of the most talked about emails makes reference to binge-watching Dr. Who and masturbating to the sound of running water. It sounds generally incoherent. It could be false, or maybe the person wrote it after a few too many." The New Yorker traces the leak to a right-leaning Canadian site, whose editor says he found the documents on 4chan. But Reuters is crediting WikiLeaks with providing "the largest boost of attention" to the leaked documents, according to an analysis published by the Digital Forensic Research Lab of the Atlantic Council, a D.C.-based think tank on international affairs. They tweeted about the leak 15 times, bragging to Reuters that "we were hours ahead of all other major outlets." On Friday WikiLeaks also disputed the Macron campaign's claim that the leak mixed real documents with fake ones. "We have not yet discovered fakes in #MacronLeaks & we are very skeptical that the Macron campaign is faster than us."
By EditorDavid from Slashdot's probing-the-planets department
NASA's Cassini spacecraft explored the inner edge of the rings of Saturn for the first time, and Phys.org reports that it made a surprising discovery: nothing. "Scientists have been surprised to find that not all that much -- not even space dust -- lies between Saturn's iconic rings." After the first pass, the NASA official managing the project described the region between the rings and Saturn as "the big empty." An anonymous reader quotes the Pittsburgh Post-Gazette:
Cassini also beamed back pictures and other essential data as it maneuvered the 1,500-mile-wide space between the solar system's second largest planet and its icy rings. The images, which take 78 minutes to make the billion-mile trip back to Earth, reveal a blazing, mysterious process of alternating light and darkness in the rings that scientists will be working for years to understand. That seems only fair since it has already taken 20 years for Cassini to be in a position to do what it is doing so far.
Between now and September, Cassini will make 22 dives between Saturn's rings and the planet, clocking at an impressive 76,800 mph each time. The end result should be a treasure trove of stunning images of the planet and its diverse and mysterious rings, along with detailed maps of the gas giant's gravity, magnetic fields and atmospheric conditions. On Sept. 15, it will plunge into Saturn's atmosphere, streaming data back to Earth as it makes its descent of no return.
By EditorDavid from Slashdot's privates-into-programmers department
mirandakatz writes: David Molina was finishing up his 12-year time in the army when he started teaching himself to code, and started to think that he might like to pursue it professionally once his service was done. But with a wife and family, he couldn't dedicate the four years he'd need to get an undergraduate degree in computer science -- and the GI Bill, he learned, won't cover accelerated programs like code schools. So he started an organization dedicated to changing that. Operation Code is lobbying politicians to allow vets to attend code schools through the GI Bill and prepare themselves for the sorts of stable, middle-class jobs that have come to be called "blue-collar coding." Molina sees it as a serious failing that the GI Bill will cover myriad vocational programs, but not those that can prepare veterans for one of the fastest-growing industries in existence.
The issue seems to be quality. The group estimates there are already nine code schools in the U.S. which do accept GI Bill benefits -- but only "longer-standing ones that have made it through State Approving Agencies." Meanwhile, Course Report calculates 18,000 people finished coding bootcamps last year -- and that two thirds of them found a job within three months.
But I just liked how Molina described his introduction into the world of programmers. While stationed at Dover Air Force Base, he attended Baltimore's long-standing Meetup for Ruby on Rails, where "People taught me about open source. There was pizza, there was beer. They made me feel like I was at home."
By EditorDavid from Slashdot's dangerous-drone-designs department
Slashdot reader msm1267 quotes ThreatPost:
Drones, many readily available on ecommerce shops such as Amazon, are plagued by vulnerabilities that could give attackers full root access, read or delete files, or crash the device. The United States Computer Emergency Readiness Team (US-CERT) published a warning about one model, the DBPOWER U818A WiFi quadcopter, last month, but according to the researcher who reported the vulnerabilities, multiple drone models -- manufactured by the same company but sold under different names -- are also vulnerable.
They contain two appealing attack vectors: an open access point and a misconfigured FTP server. If an attacker was within WiFi range of the drone they could easily obtain read and write permissions to the drone's filesystem and modify its root password... Like any attack dependent on Wi-Fi, an attacker would need to be in close proximity to the drone to carry out an attack, but an attacker could connect their computer to the drone access point, essentially treating it as a proxy to spy on the device's live feed or the drone's open ports.
By EditorDavid from Slashdot's news-for-nodes department
An anonymous reader writes:
The FBI issued a press release about the 30-year prison sentence for a 58-year-old Florida man running "the world's largest child pornography website, with more than 150,000 users around the world." But their investigation involved what Gizmodo describes as "a decision controversial to this day" -- taking over the child pornography site and running it "for almost two weeks while distributing malware designed to unmask its visitors." Thursday the FBI described it as "a court-approved network investigative technique" which led to more than 1,000 leads in the U.S. and "thousands more" for law enforcement partners in other countries, leading to arrests in the EU, Israel, Turkey, Peru, Malaysia, Chile, and the Ukraine. Those 1,000 U.S. leads led to "at least 350 U.S.-based individuals arrested", as well as actual prosecutions of 25 producers of child pornography and 51 hands-on abusers, while 55 children were "identified or rescued" in America, and another 296 internationally who were sexually abused.
Though Motherboard describes it as hacking "over 8,000 computers in 120 countries based on one warrant," the FBI calls it their "most successful effort to date against users of Tor's hidden service sites," adding that the agency "has numerous investigations involving the dark web." Though they'd soon become aware of the site's existence, "given the nature of how Tor hidden services work, there was not much we could do about it" -- until a foreign law enforcement agency discovered the site had "slipped up" by revealing its actual IP address, and notified the U.S. investigators. The FBI also says the investigation "has opened new avenues for international cooperation in efforts to prosecute child abusers around the world."
The site's two other administrators -- both men in their 40s -- were also given 20-year prison sentences earlier this year.
By EditorDavid from Slashdot's les-tweets department
"The French media and public have been warned not to spread details about a hacking attack on presidential candidate Emmanuel Macron," writes Slashdot reader schwit1, with the election commission threatening criminal charges. But meanwhile, "the leaked documents have since spread like wildfire across social media, particularly on Twitter," reports Recode.
Nicole Perlroth, a cybersecurity reporter with the New York Times, pointed out that an overwhelming amount of the tweets shared about the Macron campaign hack appear to come from automated accounts, commonly referred to as bots. About 40% of the tweets using the hashtag #MacronGate, Perlroth noted, are actually coming from only 5% of accounts using the hashtag. One account tweeted 1,668 times in 24 hours, which is more than one tweet per minute with no sleep... Twitter appears not to have done anything to combat what is obviously a bot attack, despite the fact the social media company is well aware of the problem of bot accounts being used to falsely popularize political issues during high-profile campaigns to give the impression of a groundswell of grassroots support.
The Times reporter later tweeted "This could be @twitter's death knell. Algorithms exist to deal with this. Why aren't you using them?" And one Sunlight Foundation official called the discovery "statistics from the front lines of the disinformation wars," cc-ing both Twitter CEO Jack Dorsey and Mark Zuckerberg. In other news, the BBC reports France's president has promised to "respond" to the hacking incident, giving no further details, but saying he was aware of the risks because they'd "happened elsewhere."
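The two statistics Perlroth used (a small share of accounts producing a large share of the hashtag's tweets, and a single account posting faster than a person plausibly could) are simple to compute once you have per-tweet account and timestamp fields. The following is an added example, not the Times' or Recode's analysis and not real Twitter data: it builds a constructed set of (account, timestamp) records for one hashtag, computes what fraction of tweets come from the most active 5% of accounts, and flags accounts whose burst rate in any sliding 24-hour window exceeds a threshold. The threshold of 10 tweets per window is an arbitrary choice for the sample, not a figure from the article.

```python
import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: (account, timestamp) records for one hashtag, not real Twitter data.
# One account ("bot_one") posts 30 times in under an hour; 19 ordinary accounts post twice each.
BASE = datetime(2017, 5, 6, 12, 0, 0)
SAMPLE_TWEETS = [("bot_one", BASE + timedelta(minutes=2 * i)) for i in range(30)]
SAMPLE_TWEETS += [
    (f"user{j:02d}", BASE + timedelta(hours=j, minutes=30 * k))
    for j in range(19)
    for k in range(2)
]


def share_from_top_accounts(tweets, top_fraction=0.05):
    """Fraction of all tweets posted by the most active `top_fraction` of accounts
    (the "40% of tweets from 5% of accounts" style of figure)."""
    counts = Counter(account for account, _ in tweets)
    k = max(1, math.ceil(len(counts) * top_fraction))
    top_total = sum(n for _, n in counts.most_common(k))
    return top_total / len(tweets)


def max_tweets_in_window(times, window):
    """Largest number of timestamps that fall inside any sliding window of `window` length."""
    times = sorted(times)
    best, lo = 0, 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:   # slide the left edge forward
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def accounts_over_rate(tweets, max_per_window, window=timedelta(hours=24)):
    """Accounts that exceed `max_per_window` tweets inside some window of `window` length."""
    by_account = defaultdict(list)
    for account, t in tweets:
        by_account[account].append(t)
    return {a for a, ts in by_account.items() if max_tweets_in_window(ts, window) > max_per_window}


if __name__ == "__main__":
    share = share_from_top_accounts(SAMPLE_TWEETS)
    print(f"top 5% of accounts produced {share:.1%} of tweets")
    print("accounts over 10 tweets in 24h:", sorted(accounts_over_rate(SAMPLE_TWEETS, 10)))
```

On the constructed sample the top 5% of accounts (one account out of twenty) account for roughly 44% of the tweets and that same account is the only one flagged by the rate check. A concentration figure alone is not proof of automation (a few very engaged humans also skew such distributions), which is why the two measures are usually read together, and why a per-account burst rate well above one tweet a minute sustained over a day is the stronger signal.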
By EditorDavid from Slashdot's contentious-community-processes department
An anonymous reader quotes InfoWorld:
The next edition of standard Java had been proceeding toward its planned July 27 release after earlier bumps in the road over modularity. But now Red Hat and IBM have opposed the module plan. "JDK 9 might be held up by this," Oracle's Georges Saab, vice president of development for the Java platform, said late Wednesday afternoon. "As is the case for all major Java SE releases, feedback from the Java Community Process may affect the timeline..."
Red Hat's Scott Stark, vice president of architecture for the company's JBoss group, expressed a number of concerns about how applications would work with the module system and its potential impact on the planned Java Enterprise Edition 9. Stark also said the module system, which is featured in Java Specification Request 376 and Project Jigsaw, could result in two worlds of Java: one for Jigsaw and one for everything else, including Java SE classloaders and OSGI. Stark's analysis received input from others in the Java community, including Sonatype.
"The result will be a weakened Java ecosystem at a time when rapid change is occurring in the server space with increasing use of languages like Go," Stark wrote, also predicting major challenges for applications dealing with services and reflection. His critique adds that "In some cases the implementation...contradicts years of modular application deployment best practices that are already commonly employed by the ecosystem as a whole." And he ultimately concludes that this effort to modularize Java has limitations which "almost certainly prevent the possibility of Java EE 9 from being based on Jigsaw, as to do so would require existing Java EE vendors to completely throw out compatibility, interoperability, and feature parity with past versions of the Java EE specification."