By EditorDavid from Slashdot's chip-vs-RFID department
It's easy to pontificate about the best security practices -- but the real test is what we do with our own money. Long-time Slashdot reader Keybounce writes:
So, like most of you, I recently got a new credit card with a chip in it. I was not worried about that -- I know the chips are harder to copy and counterfeit. But I recently discovered that the card is also a radio card -- swiping it near the screen caused a message to show up on the reader. In this case, it told me to use the chip reader instead, but this means it has an active radio signal, and could be "hacked" -- stolen by someone with the right device.
How can I prevent this? Is there anything I can do that will disable the radio signal and still leave the chip functioning?
At least 200 million RFID credit cards were in circulation by 2012, even though their signals could be easily intercepted, prompting the introduction of RFID-blocking wallets and sleeves. But what's the alternative? A recent article in Quartz argued that America's transition to chip cards has been an utter disaster (since the banks dispensed with PINs altogether and now validate with only an electronic signature). Is the answer just to use a mobile wallet like Apple Pay or Android Pay -- or to always pay with cash?
So leave your own answer in the comments. How are you keeping your own credit card secure?
By EditorDavid from Slashdot's goodbye,-Hello department
Firefox's voice and videoconferencing add-on was described as "the first global communications system built directly into a browser" -- but things change. An anonymous Slashdot reader writes: An entry on Mozilla's issue tracker opened on July 17 reveals ongoing efforts from Mozilla engineers to remove the Hello system add-on from default Firefox installations starting with version 49, set for public release on September 13, 2016. Mozilla added Hello to Firefox in version 34, released on December 1, 2014, and from the beginning, it was part of the browser's core code, but was moved in December 2015 into a separate add-on, one that came pre-installed with Firefox, making Hello its first ever system add-on. Mozilla plans to remove Hello from the codebases of Firefox Beta 49, Firefox Developer Edition 50, and Firefox Nightly 51. Based on the currently available information, the deadline for the Hello code removal operations is for this Monday, August 1, after which the first Firefox builds with no Hello integration will be available for testing, and will ship out in the fall with the stable release.
The article suggests this may have been a space-saving measure, "since Mozilla is focused on rebuilding Firefox's code from scratch to keep up with speedier competitors like Chrome, Opera, and Vivaldi."
By EditorDavid from Slashdot's rewriting-the-rankings department
An anonymous reader quotes Network World:
Python ranked #4 on RedMonk's list, while the survey found a three-way tie for fifth place between Ruby, C#, and C++, with C coming in at #9 (ranking just below CSS). Network World argues that while change comes slowly, "if you go back deeper into RedMonk's rankings, you can see slow, ongoing ascents from languages such as Go, Swift and even TypeScript."
Interestingly, an earlier ranking by the IEEE declared C to be the top programming language of 2016, followed by Java, Python, C++, and R. But RedMonk's methodology involves studying the prevalence of each language on both Stack Overflow and GitHub, a correlation which "we believe to be predictive of future use, hence their value."
By EditorDavid from Slashdot's Microsoft-loves-Linux department
An anonymous reader quotes a columnist at CIO:
While Ubuntu is the primary Linux distribution that Microsoft is using to showcase its ChakraCore technologies, the company said that the support should easily translate to other modern Linux distributions.
Microsoft's blog post says the experimental implementation runs not only on x64 Linux but also on OS X.
By EditorDavid from Slashdot's last-resorts department
An anonymous reader quotes Reuters:
Trade associations representing wireless, cable and broadband operators on Friday urged the full U.S. Court of Appeals for the District of Columbia to reverse...the Federal Communications Commission's so-called net neutrality rules, put in place last year to make internet service providers treat all internet traffic equally...
The cable groups said the court should correct "serious errors" in a decision "that radically reshapes federal law governing a massive sector of the economy, which flourished due to hundreds of billions of dollars of investment made in reliance on the policy the order throws overboard." In its filing on Friday, the CTIA said it was illegal to subject broadband internet access to "public-utility style, common carrier regulation" and illegal to impose "common-carrier status on mobile broadband."
FCC Chairman Tom Wheeler said he wasn't surprised to see "the big dogs" challenging net neutrality.
By EditorDavid from Slashdot's gas-from-greenhouse-gases department
"Researchers at the University of Illinois at Chicago have engineered a potentially game-changing solar cell that cheaply and efficiently converts atmospheric carbon dioxide directly into usable hydrocarbon fuel, using only sunlight for energy," reports Next Big Future. Slashdot reader William Robinson writes:
This artificial leaf delivers syngas, or synthesis gas, a mixture of hydrogen gas and carbon monoxide. Syngas can be burned directly, or converted into diesel or other hydrocarbon fuels. The discovery opens up possibilities of clean reusable energy.
"A solar farm of such 'artificial leaves' could remove significant amounts of carbon from the atmosphere and produce energy-dense fuel efficiently..." according to the article, which adds that the process could prove useful in the high-carbon atmosphere of Mars. "Unlike conventional solar cells, which convert sunlight into electricity that must be stored in heavy batteries, the new device essentially does the work of plants, converting atmospheric carbon dioxide into fuel, solving two crucial problems at once."
By EditorDavid from Slashdot's big-bug-bounties department
A security researcher describes gaining full access to the production database for Imgur's image-sharing site -- and then successfully lobbying the company for a higher bug bounty of $5,000. Nathan Malcolm says he exploited a remote-access vulnerability in one of Imgur's unprotected development servers to read their /etc/passwd file, and also keys.php, which contained the credentials for their MySQL servers. An anonymous Slashdot reader quotes Nathan's article on Medium:
An important part of security research is knowing when to stop. I went far enough to prove how serious the issue is, and demonstrate what a malicious attacker could do, while not being overly careless or intrusive... I hope other teams can learn from Imgur's willingness to take on feedback and improve, as communication around security is so very important.
Imgur's founder and CEO sent him a personal e-mail along with the bounty, which ended "Thanks so much for protecting us and properly reporting it to us." The author of the article reports that "I've continued to participate in Imgur's bug bounty program, and while it's not perfect, it's responded and paid out nicely to myself and others." And the $5,000 bounty? "Half of that went to people in need, including Lauri Love, a hacker facing extradition to the United States, and a close friend who was recently made homeless. Various charities and researchers also benefited from it."
By EditorDavid from Slashdot's all-your-ETAs-are-belong-to-us department
An anonymous reader quotes an article from the Washington Times:
Hackers on Friday successfully pulled off cyberattacks against Vietnam's two largest airports and the nation's flag carrier, Vietnam Airlines. The attacks -- attributed to a Chinese hacking group known as 1937CN -- ultimately failed to cause any significant security issues or air traffic control problems, Vice Minister of Transport Nguyen Nhat told local media. Nonetheless, the individuals briefly hijacked flight information screens and sound systems inside Noi Bai and Tan Son Nhat airports in Hanoi and Ho Chi Minh City, respectively... Instead of departure and arrival details, the airports' flight screens and speakers broadcast what local media described as anti-Vietnamese and Philippines slogans, in turn prompting authorities to shut down both systems... Vietnam Airlines' website, meanwhile, "was seized control and transferred to a malicious website abroad" and... passenger data pertaining to an undisclosed number of its frequent flyers was published online as well, the airline said in a statement. Local media on Friday said about 100 MB of data concerning roughly 40,000 VMA passengers had been dumped online.
By EditorDavid from Slashdot's Libre-as-you-can-get department
A new crowdfunding campaign by Rhombus Tech "introduces the world's first devices built around the EOMA68 standard," which separates a "modular" CPU board from the rest of the system so that it can be easily used in multiple devices and upgraded more simply. Rhombus Tech is now offering a 15.6-inch laptop, a laser-cut wooden Micro-Desktop housing, and two types of computer cards, both using A20 dual-core ARM Cortex A7 processors.
The cards are available with four flavors of the GNU/Linux operating system, and they're hoping to receive RYF certification from the Free Software Foundation.
"No proprietary software," explains their campaign's video. "No backdoors. No spyware. No NDAs." They envision a world where users upgrade their computers by simply popping in a new card -- reducing electronic waste -- or print new laptop casings to repair defects or swap in different colors. (They also hope to eventually see the cards working with cameras, phones, tablets, and gaming consoles.) Rhombus Tech CTO Luke Leighton did a Slashdot interview in 2012, and contacted Slashdot this weekend to announce:
A live-streamed video from Hope2016 explains what it's about, and there is a huge range of discussions and articles online. The real burning question is: if a single Software Libre Engineer can teach themselves PCB design and bring modular computing to people on the budget available from a single company, why are there not already a huge number of companies doing modular upgradeable hardware?
By manishs from Slashdot's sense-prevails department
When Republican presidential nominee Donald Trump asked Russia -- wittingly or otherwise -- to launch hacking attacks to find Hillary Clinton's missing emails, it caused a stir. Russia is allegedly behind the DNC's leaked emails. But The Washington Post is reminding us that the U.S.'s own efforts in the cyber-security world aren't much different (could be paywalled; the same article is syndicated elsewhere). From the report: The U.S. approach to this digital battleground is pretty advanced. For example: Did you know that the military uses its submarines as underwater hacking platforms? In fact, subs represent an important component of America's cyber strategy. They act defensively to protect themselves and the country from digital attack, but -- more interestingly -- they also have a role to play in carrying out cyberattacks, according to two U.S. Navy officials at a recent Washington conference. "There is a -- an offensive capability that we are, that we prize very highly," said Rear Adm. Michael Jabaley, the U.S. Navy's program executive officer for submarines. "And this is where I really can't talk about much, but suffice to say we have submarines out there on the front lines that are very involved, at the highest technical level, doing exactly the kind of things that you would want them to do." The so-called "silent service" has a long history of using information technology to gain an edge on America's rivals. In the 1970s, the U.S. government instructed its submarines to tap undersea communications cables off the Russian coast, recording the messages being relayed back and forth between Soviet forces. (The National Security Agency has continued that tradition, monitoring underwater fiber cables as part of its globe-spanning intelligence-gathering apparatus. In some cases, the government has struck closed-door deals with the cable operators ensuring that U.S. spies can gain secure access to the information traveling over those pipes.) These days, some U.S. subs come equipped with sophisticated antennas that can be used to intercept and manipulate other people's communications traffic, particularly on weak or unencrypted networks. "We've gone where our targets have gone" -- that is to say, online, said Stewart Baker, the National Security Agency's former general counsel, in an interview. "Only the most security-conscious now are completely cut off from the Internet." Cyberattacks are also much easier to carry out than to defend against, he said.
By EditorDavid from Slashdot's Underwriters-Laboratory-for-code department
Peiter "Mudge" Zatko and his wife, Sarah, a former NSA mathematician, have started a nonprofit in the basement of their home "for testing and scoring the security of software... He says vendors are going to hate it." Slashdot reader mspohr shares an article from The Intercept:
"Things like address space layout randomization [ASLR] and having a nonexecutable stack and heap and stuff like that, those are all determined by how you compiled [the source code]," says Sarah. "Those are the technologies that are really the equivalent of airbags or anti-lock brakes [in cars]..." The lab's initial research has found that Microsoft's Office suite for OS X, for example, is missing fundamental security settings because the company is using a decade-old development environment to build it, despite using a modern and secure one to build its own operating system, Mudge says. Industrial control system software, used in critical infrastructure environments like power plants and water treatment facilities, is also primarily compiled on "ancient compilers" that either don't have modern protective measures or don't have them turned on by default...
The process they use to evaluate software allows them to easily compare and contrast similar programs. Looking at three browsers, for example -- Chrome, Safari, and Firefox -- Chrome came out on top, with Firefox on the bottom. Google's Chrome developers not only used a modern build environment and enabled all the default security settings they could, Mudge says, they went "above and beyond in making things even more robust." Firefox, by contrast, "had turned off [ASLR], one of the fundamental safety features in their compilation."
The nonprofit was launched with $600,000 in funding from DARPA, the Ford Foundation, and Consumers Union; its scoring also looks at the number of external libraries called, the number of branches in a program, and the presence of high-complexity algorithms.
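The compile-time checks Sarah Zatko describes (ASLR via position-independent code, a non-executable stack, relocation read-only data) are all recorded in a binary's headers, so whether a vendor "turned them off" can be read straight off the shipped file. The following is an added example, not code from the Zatkos' lab or the article. It audits a little-endian ELF64 binary (Linux; Office for OS X is Mach-O and would need a different parser) by reading the ELF header, the program headers and the dynamic section, the same fields `readelf -lW` and `checksec` report. Because no real binary comes with this page, the two images it runs on, `HARDENED` and `WEAK`, are constructed in memory by `build_sample`; they carry valid headers but are not loadable programs.

```python
"""Minimal checksec-style audit of an ELF64 binary's link-time hardening.

Added example (not the lab's or the article's code). Standard library only;
the sample images at the bottom are constructed test data, not compiler output.
"""
import struct

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC = 2
PT_GNU_STACK = 0x6474E551          # stack permissions requested by the linker
PT_GNU_RELRO = 0x6474E552          # region made read-only after relocation
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")           # Elf64_Phdr, 56 bytes
DYN = struct.Struct("<qQ")                  # Elf64_Dyn, 16 bytes


def check_hardening(data: bytes) -> dict:
    """Report PIE, NX stack, RELRO level and stack-protector presence."""
    if data[:4] != ELF_MAGIC or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a little-endian ELF64 file")
    (_, e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum,
     _, _, _) = EHDR.unpack_from(data, 0)
    phdrs = [PHDR.unpack_from(data, e_phoff + i * e_phentsize)
             for i in range(e_phnum)]

    # PIE: a main executable linked as ET_DYN can be loaded at a random
    # base, which is what makes ASLR cover the program image itself.
    pie = e_type == ET_DYN

    # NX: PT_GNU_STACK without PF_X means a non-executable stack. A binary
    # with no PT_GNU_STACK header at all gets an executable stack on Linux.
    stack = [p for p in phdrs if p[0] == PT_GNU_STACK]
    nx = bool(stack) and not (stack[0][1] & PF_X)

    # RELRO: PT_GNU_RELRO alone is "partial"; it only becomes "full" when
    # the dynamic section also demands immediate binding, otherwise the
    # lazily bound GOT entries stay writable at run time.
    relro = any(p[0] == PT_GNU_RELRO for p in phdrs)
    bind_now = False
    for p in phdrs:
        if p[0] != PT_DYNAMIC:
            continue
        off, size = p[2], p[5]            # p_offset, p_filesz
        for i in range(size // DYN.size):
            tag, val = DYN.unpack_from(data, off + i * DYN.size)
            if tag == DT_NULL:
                break
            if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                bind_now = True

    # Stack protector: same heuristic checksec uses, look for the handler
    # that -fstack-protector epilogues call on canary mismatch.
    canary = b"__stack_chk_fail" in data

    return {"pie": pie, "nx_stack": nx,
            "relro": "full" if relro and bind_now else "partial" if relro else "none",
            "stack_canary": canary}


def build_sample(e_type, stack_flags, relro, dyn_tags, trailer=b""):
    """Assemble a tiny ELF64 image with the requested headers (test data only).

    dyn_tags is a list of (d_tag, d_val) pairs for the dynamic section, or
    None for a static binary with no PT_DYNAMIC segment at all.
    """
    dyn = b"" if dyn_tags is None else (
        b"".join(DYN.pack(t, v) for t, v in dyn_tags) + DYN.pack(DT_NULL, 0))
    segs = [(PT_GNU_STACK, stack_flags)]
    if relro:
        segs.append((PT_GNU_RELRO, PF_R))
    if dyn_tags is not None:
        segs.append((PT_DYNAMIC, PF_R | PF_W))
    dyn_off = EHDR.size + PHDR.size * len(segs)   # dynamic data follows phdrs
    phdrs = b""
    for p_type, p_flags in segs:
        off, size = (dyn_off, len(dyn)) if p_type == PT_DYNAMIC else (0, 0)
        phdrs += PHDR.pack(p_type, p_flags, off, off, off, size, size, 8)
    ident = ELF_MAGIC + bytes([2, 1, 1, 0, 0]) + bytes(7)   # ELF64, LE, v1
    ehdr = EHDR.pack(ident, e_type, 62, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, len(segs), 0, 0, 0)
    return ehdr + phdrs + dyn + trailer


# Constructed stand-ins: one linked the way Chrome is described above
# (PIE, NX, full RELRO, canary) and one with every mitigation left off.
HARDENED = build_sample(ET_DYN, PF_R | PF_W, True, [(DT_FLAGS_1, DF_1_NOW)],
                        b"__stack_chk_fail\0")
WEAK = build_sample(ET_EXEC, PF_R | PF_W | PF_X, False, None)

if __name__ == "__main__":
    for name, blob in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, check_hardening(blob))
```

To audit a real file, pass `open(path, "rb").read()` to `check_hardening` and cross-check against `readelf -lW path` (the `GNU_STACK` and `GNU_RELRO` lines) and `readelf -d path` (`BIND_NOW` / `FLAGS_1`). The PIE test only says the image is relocatable; the kernel still has to have ASLR enabled (`/proc/sys/kernel/randomize_va_space`) for that to matter, which is a deployment setting rather than a build setting.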
By EditorDavid from Slashdot's bring-out-the-GIMP department
GIMP 2.9.4 was released earlier this month, featuring "symmetry painting" and the ability to remove holes when selecting a region, as well as improvements to many of its other graphics-editing tools. But today core developer Jehan Pages discussed the vision for GIMP's future, writing that the Generic Graphics (GEGL) programming library "is a hell of a cool project and I think it could be the future of Free and Open Source image processing":
I want to imagine a future where most big graphics programs integrate GEGL, where Blender for instance would have GEGL as the new implementation of nodes, with image processing graphs which can be exchanged between programs, where darktable would share buffers with GIMP so that images can be edited in one program and updated in real time in the other, and so on. Well of course the short/mid-term improvements will be non-destructive editing with live preview on high bit depth images, and that's already awesomely cool right...?
[C]ontributing to Free Software is not just adding any random feature, that's also about discussing, discovering others' workflow, comparing, sometimes even compromising or realizing that our ideas are not always perfect. This is part of the process and actually a pretty good mental builder. In any case we will work hard for a better GIMP.
By EditorDavid from Slashdot's don't-be-evil department