By EditorDavid from Slashdot's thinking-globally department
Long-time Slashdot reader quotes Ars Technica:
The Justice Department on Friday petitioned the US Supreme Court to step into an international legal thicket, one that asks whether US search warrants extend to data stored on foreign servers. The US government says it has the legal right, with a valid court warrant, to reach into the world's servers with the assistance of the tech sector, no matter where the data is stored.
The request for Supreme Court intervention concerns a 4-year-old legal battle between Microsoft and the US government over data stored on Dublin, Ireland servers. The US government has a valid warrant for the e-mail as part of a drug investigation. Microsoft balked at the warrant, and convinced a federal appeals court that US law does not apply to foreign data.
According to the article, the U.S. government told the court that national security was at risk.Read Replies (0)
By EditorDavid from Slashdot's three-factor-authentication department
"Attackers that have set up a malicious site can use users' account registration process to successfully perform a password reset process on a number of popular websites and messaging mobile applications, researchers have demonstrated." Orome1 quotes Help Net Security:
The Password Reset Man in the Middle attack exploits the similarity of the registration and password reset processes. To launch such an attack, the attacker only needs to control a website. To entice victims to make an account on the malicious website, the attacker can offer free access to a wanted resource. Once the user initiates the account registration process by entering their email address, the attacker can use that information to initiate a password reset process on another website that uses that piece of information as the username (e.g. Google, YouTube, Amazon, Twitter, LinkedIn, PayPal, and so on). Every request for input from that site is forwarded to the potential victim, and then his or her answers forwarded back to that particular site.
Interestingly, it can also beat two-factor authentication -- since the targeted user will still input the phone code into the man-in-the-middle site.Read Replies (0)
By EditorDavid from Slashdot's Linus-on-Linux department
Linus Torvalds appeared in a new "fireside chat" with VMware Head of Open Source Dirk Hohndel. An anonymous reader writes:
Linus explained what still surprises him about Linux development. "Code that I thought was stable continually gets improved. There are things we haven't touched for many years, then someone comes along and improves them or makes bug reports in something I thought no one used. We have new hardware, new features that are developed, but after 25 years, we still have old, very basic things that people care about and still improve... Our processes have not only worked for 25 years, we still have a very strong maintainer group... And as these maintainers get older and fatter, we have new people coming in."
Linus also says he's surprised by the widespread popularity of Git. "I expected it to be limited mostly to the kernel -- as it's tailored to what we do... In certain circles, Git is more well known than Linux." And he also shares advice if you want to get started as an open source developer. "I'm not sure my example is the right thing for people to follow. There are a ton of open source projects and, if you are a beginning programmer, find something you're interested in that you can follow for more than just a few weeks... If you can be part of a community and set up patches, it's not just about the coding, but about the social aspect of open source. You make connections and improve yourself as a programmer."
Linus also says that "I really like what I'm doing. I like waking up and having a job that is technically interesting and challenging without being too stressful so I can do it for long stretches; something where I feel I am making a real difference and doing something meaningful not just for me."Read Replies (0)
By EditorDavid from Slashdot's life-of-Pi department
DeviceGuru writes: Results from LinuxGizmos.com's annual hacker-friendly single board computer survey are in, and not surprisingly, the Raspberry Pi 3 is the most desired maker SBC by a 4-to-1 margin. In other trends: x86 SBCs and Linux/Arduino hybrids have trended upwards. The site's popular hacker SBC survey polled 1,705 survey respondents and asked for their first, second, and third favorite SBCs from a curated list of 98 community oriented, Linux- and Android-capable boards. Spreadsheets comparing all 98 SBCs' specs and listing their survey vote tallies are available in freely downloadable Google Docs.
Other interesting findings:
"A Raspberry Pi SBC has won in all four of our annual surveys, but never by such a high margin."The second-highest ranked board -- behind the Raspberry Pi 3 -- was the Raspberry Pi Zero W."The Raspberry Pi's success came despite the fact that it offers some of the weakest open source hardware support in terms of open specifications. This, however, matches up with our survey responses about buying criteria, which ranks open source software support and community over open hardware support.""Despite the accelerating Raspberry Pi juggernaut, there's still plenty of experimentation going on with new board models, and to a lesser extent, new board projects."Read Replies (0)
By EditorDavid from Slashdot's process-of-processes department
Walmart Canada claims that it was microservices that allowed them to replace hardware with virtual servers, reducing costs by somewhere between 20 and 50 percent. Now Slashdot reader snydeq shares an article by a senior systems automation engineer arguing that a microservices approach "offers increased modularity, making applications easier to develop, test, deploy, and, more importantly, change and maintain."
The article touts things like cost savings and flexibility for multiple device types, suggesting microservices offer increased resilience and improved scalabiity (not to mention easier debugging and a faster time to market with an incremental development model). But it also warns that organizations need the resources to deploy the new microservices quicky (and the necessary server) -- along with the ability to test and monitor them for database errors, network latency, caching issues and ongoing availability. "You must embrace devops culture," argues the article, adding that "designing for failure is essential... In a traditional setting, developers are focused on features and functionalities, and the operations team is on the hook for production challenges. In devops, everyone is responsible for service provisioning -- and failure."
The original submission ends with a question for Slashdot reader. "What cautions do you have to offer for folks considering tapping microservices for their next application?"Read Replies (0)
By EditorDavid from Slashdot's bug-hunt department
"Guido Vranken recently published 4 security vulnerabilities in OpenVPN on his personal blog," writes long-time Slashdot reader randomErr -- one of which was a critical remote execution bug. Though patches have been now released, there's a lesson to be learned about the importance of fuzzing -- bug testing with large amounts of random data -- Guido Vranken writes:
Most of these issues were found through fuzzing. I hate admitting it, but...the arcane art of reviewing code manually, acquired through grueling practice, are dwarfed by the fuzzer in one fell swoop; the mortal's mind can only retain and comprehend so much information at a time, and for programs that perform long cycles of complex, deeply nested operations it is simply not feasible to expect a human to perform an encompassing and reliable verification.
ZDNet adds that "OpenVPN's audits, carried out over the past two years, missed these major flaws. While a handful of other bugs are found, perhaps OpenVPN should consider adding fuzzing to their internal security analysis in the future." Guido adds on his blog, "This was a labor of love. Nobody paid me to do this. If you appreciate this effort, please donate BTC..."Read Replies (0)
By EditorDavid from Slashdot's PWs-for-PMs department
An anonymous reader quotes the Guardian:
Parliament has been hit by a "sustained and determined" cyber-attack by hackers attempting to gain access to MPs' and their staffers' email accounts. Both houses of parliament were targeted on Friday in an attack that sought to gain access to accounts protected by weak passwords... The estate's digital services team said they had made changes to accounts to block out the hackers, and that the changes could mean staff were unable to access their emails...
The international trade secretary, Liam Fox, told ITV News the attack was a "warning to everyone we need more security and better passwords. You wouldn't leave your door open at night." In an interview with the BBC, he added: "We know that there are regular attacks by hackers attempting to get passwords. We have seen reports in the last few days of even Cabinet ministers' passwords being for sale online. We know that our public services are attacked, so it is not at all surprising that there should be an attempt to hack into parliamentary emails."
One member of Parliament posted on Twitter "Sorry, no parliamentary email access today â" we're under cyber-attack from Kim Jong-un, Putin or a kid in his mom's basement or something." He added later, "I'm off to the pub."Read Replies (0)
By EditorDavid from Slashdot's escalating-privileges department
msm1267 writes: Linux, BSD, Solaris and other open source systems are vulnerable to a local privilege escalation vulnerability known as Stack Clash that allows an attacker to execute code at root. Major Linux and open source distributors made patches available Monday, and systems running Linux, OpenBSD, NetBSD, FreeBSD or Solaris on i386 or amd64 hardware should be updated soon. The risk presented by this flaw, CVE-2017-1000364, becomes elevated especially if attackers are already present on a vulnerable system. They would now be able to chain this vulnerability with other critical issues, including the recently addressed Sudo vulnerability, and then run arbitrary code with the highest privileges, said researchers at Qualys who discovered the vulnerability.Read Replies (0)
By EditorDavid from Slashdot's Doctor-Katz-little department
Long-time Slashdot reader destinyland got a surprise when he visited his local bookstore:
Jon Katz turns 70 this August, and he's published a new book called Talking to Animals: How You Can Understand Animals and They Can Understand You. Katz was a former newspaper reporter (and a contributing editor to Rolling Stone) who wrote for HotWired, the first online presence for Wired magazine in the mid-1990s, before becoming a controversial contributor to Slashdot during the site's early days. Katz left Manhattan in the 1990s to live on a farm "surrounded by dogs, cats, sheep, horses, cows, goats, and chickens," according to the book's description, an experience he writes about on his blog. His new book promises that Katz now "marshals his experience to offer us a deeper insight into animals and the tools needed for effectively communicating with them."Read Replies (0)
By EditorDavid from Slashdot's survey-says department
Phoronix is hosting a 2017 Linux Laptop Survey. From their site:
While Linux laptop compatibility is much better than where it was years ago, it's still not too uncommon to run into display/hybrid issues, shorter battery life under Linux than Windows or macOS, touchpad problems, and other occasional compatibility/performance shortcomings. So we've established this Linux Laptop Survey in conjunction with Linux stakeholders to hopefully gather more feedback that will be useful to many different parties...
The survey will be online until July 6th, after which the results will be publicly available, and will determine the most popular brands, distros, screen sizes, and GPUs, as well as common pain points and popular price points. And one particularly interestng question asks respondents what they'd like to see in a "dream Linux laptop."Read Replies (0)
By BeauHD from Slashdot's left-behind department
citadrianne shares a report from The Outline: President Donald Trump's proposed budget seeks to slash $54 billion from social services including programs like Medicaid and Meals on Wheels. As these resources dry up, crowdfunding websites will further entrench themselves as extra-governmental welfare providers in order to fill the gap. For a lucky few, these sites are a lifeline. For most people, they are worthless. Crowdfunding's fatal flaw is that not every campaign ends up getting the money it needs. A recent study published in the journal Social Science & Medicine found that more than 90 percent of GoFundMe campaigns never meet their goal. For every crowdfunding success story, there are hundreds of failures. "As many happy stories as there are in charitable crowdfunding, there are a lot of really worthy causes when you browse these platforms that nobody has given a cent to," Rob Gleasure, professor at the business school of the National University of Ireland, Cork told The Outline. "People haven't come across them."
Feller and Gleasure's report highlighted how fickle crowdfunding can be. Of all the Razoo campaigns started in 2013, they found, more than a third didn't receive any funding at all. According to their report, donors are more likely to give to campaigns that feature lots of pictures and accompanying text.Read Replies (0)
By BeauHD from Slashdot's Pirate-Bay-for-science department
An anonymous reader quotes a report from TorrentFreak: Two years ago, academic publisher Elsevier filed a complaint (PDF) against Sci-Hub and several related "pirate" sites. It accused the websites of making academic papers widely available to the public, without permission. While Sci-Hub is nothing like the average pirate site, it is just as illegal according to Elsevier's legal team, who obtained a preliminary injunction from a New York District Court last fall. The injunction ordered Sci-Hub's founder Alexandra Elbakyan to quit offering access to any Elsevier content. However, this didn't happen. Instead of taking Sci-Hub down, the lawsuit achieved the opposite. Sci-Hub grew bigger and bigger up to a point where its users were downloading hundreds of thousands of papers per day. Although Elbakyan sent a letter to the court earlier, she opted not engage in the U.S. lawsuit any further. The same is true for her fellow defendants, associated with Libgen. As a result, Elsevier asked the court for a default judgment and a permanent injunction which were issued this week. Following a hearing on Wednesday, the Court awarded Elsevier $15,000,000 in damages, the maximum statutory amount for the 100 copyrighted works that were listed in the complaint. In addition, the injunction, through which Sci-Hub and LibGen lost several domain names, was made permanent.Read Replies (0)
By BeauHD from Slashdot's mission-is-a-go department
OneWeb has been granted approval from the FCC to launch a network of internet-beaming satellites into orbit. FCC chairman Ajit Pai said in a statement: "Humans have long sought inspiration from the stars, from the ancient Egyptians orienting the
pyramids toward certain stars to the Greeks using constellations to write their mythology. In modern
times, we've done the same, with over 1,000 active satellites currently in orbit. Today, the FCC harnesses
that inspiration as we seek to make the promise of high-speed internet access a reality for more Americans, partly through the skies..." The Verge reports: OneWeb plans to launch a constellation of 720 low-Earth orbit satellites using non-geostationary satellite orbit (NGSO) technology in order to provide global, high-speed broadband. The company's goal has far-reaching implications, and would provide internet to rural and hard-to-reach areas that currently have little access to internet connectivity. Additionally, OneWeb has a targets of "connecting every unconnected school" by 2022, and "bridging the digital divide" by 2027. According to OneWeb, the company plans to launch an initial 10 production satellites in early 2018, which, pending tests, will then be followed by a full launch as early as 2019.Read Replies (0)
By BeauHD from Slashdot's retaliatory-actions department
Jessica Conditt reports via Engadget: President Barack Obama learned of Russia's attempts to hack U.S. election systems in early August 2016, and as intelligence mounted over the following months, the White House deployed secrecy protocols it hadn't used since the 2011 raid on Osama bin Laden's compound, according to a report by The Washington Post. Apparently, one of the covert programs Obama, the CIA, NSA and other intelligence groups eventually put together was a new kind of cyber operation that places remotely triggered "implants" in critical Russian networks, ready for the U.S. to deploy in the event of a pre-emptive attack. The downed Russian networks "would cause them pain and discomfort," a former U.S. official told The Post. The report says CIA director John Brennan, Obama and other officials had at least four "blunt" conversations with Russian officials about its cyber intrusions beginning August 4th. Obama confronted Vladimir Putin in person during a meeting of world leaders in China this past September, the report says, and his administration even sent Russia a warning through a secure channel originally designed to help the two countries avoid a nuclear strike. Moscow apparently responded one week later -- after the U.S. election -- denying the accusation.Read Replies (0)
By BeauHD from Slashdot's treasure-hunt department
According to an exclusive report via The Register, "a massive trove of Microsoft's internal Windows operating system builds and chunks of its core source code have leaked online." From the report: The data -- some 32TB of installation images and software blueprints that compress down to 8TB -- were uploaded to betaarchive.com, the latest load of files provided just earlier this week. It is believed the data has been exfiltrated from Microsoft's in-house systems since around March. The leaked code is Microsoft's Shared Source Kit: according to people who have seen its contents, it includes the source to the base Windows 10 hardware drivers plus Redmond's PnP code, its USB and Wi-Fi stacks, its storage drivers, and ARM-specific OneCore kernel code. Anyone who has this information can scour it for security vulnerabilities, which could be exploited to hack Windows systems worldwide. The code runs at the heart of the operating system, at some of its most trusted levels. In addition to this, hundreds of top-secret builds of Windows 10 and Windows Server 2016, none of which have been released to the public, have been leaked along with copies of officially released versions.Read Replies (0)
By BeauHD from Slashdot's sad-reality department
An anonymous reader quotes a report from TechCrunch: Yesterday The Information reported on allegations made by half a dozen women working in the tech industry who say they have faced unwanted and inappropriate advances from Silicon Valley venture capitalist, Justin Caldbeck, co-founder and managing partner of Binary Capital. The women include Niniane Wang, co-creator of Google Desktop and a prior CTO of Minted; and Susan Ho and Leiti Hsu, co-founders of Journy, a travel planning and booking service. The Information also talked to three other women who said Caldbeck made inappropriate advances to them. It says these women did not want their names disclosed for fear of retaliation from the VC -- and because of wider concerns they might suffer a backlash from men in the industry who don't see inappropriate advances as a problem. Among the allegations made to The Information are that Caldbeck sent explicit text messages to women; that Caldbeck sent messages in the middle of the night suggesting meeting up; that Caldbeck suggested going to a hotel bedroom during a meeting; that Caldbeck made a proposition about having an open relationship; and that Caldbeck grabbed a woman's thigh under the table of a bar during a meeting. Several of the women reported finding Caldbeck's advances so awkward they gave up on continued dealings with him. In Caldbeck's initial statement, he "strongly" denied the allegations and claimed: "I have always enjoyed respectful relationships with female founders, business partners, and investors." However, in response to The Information's story, his tone changed significantly: "Obviously, I am deeply disturbed by these allegations. While significant context is missing from the incidents reported by The Information, I deeply regret ever causing anyone to feel uncomfortable. The fact is that I have been privileged to have worked with female entrepreneurs throughout my career and I sincerely apologize to anyone who I made uncomfortable by my actions. There's no denying this is an issue in the venture community, and I hate that my behavior has contributed to it." Caldbeck has since released a full statement to Axios, where he says he "will be taking an indefinite leave of absence from Binary Capital..."Read Replies (0)