Aggregator

Deserialization Issues Also Affect .NET, Not Just Java

3 days 20 hours ago
"The .NET ecosystem is affected by a similar flaw that has wreaked havoc among Java apps and developers in 2016," reports BleepingComputer. An anonymous reader writes: The issue at hand is in how some .NET libraries deserialize JSON or XML data, doing it in a totally unsecured way, but also how developers handle deserialization operations when working with libraries that offer optional secure systems to prevent deserialized data from accessing and running certain methods automatically. The issue is similar to a flaw known as Mad Gadget (or Java Apocalypse) that came to light in 2015 and 2016. The flaw rocked the Java ecosystem in 2016, as it affected the Java Commons Collection and 70 other Java libraries, and was even used to compromise PayPal's servers. Organizations such as Apache, Oracle, Cisco, Red Hat, Jenkins, VMWare, IBM, Intel, Adobe, HP, and SolarWinds all issued security patches to fix their products. The Java deserialization flaw was so dangerous that Google engineers banded together in their free time to repair open-source Java libraries and limit the flaw's reach, patching over 2,600 projects. Now a similar issue has been discovered in .NET. This research has been presented at the Black Hat and DEF CON security conferences. On page 5 [of this PDF], researchers included reviews for all the .NET and Java apps they analyzed, pointing out which ones are safe and how developers should use them to avoid deserialization attacks when working with JSON data.

Read more of this story at Slashdot.

EditorDavid
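The "optional secure system" the story refers to is easiest to see in code. The following is an added illustration, not code from the page, the BleepingComputer article or the Black Hat research: it assumes the Newtonsoft Json.NET library, its TypeNameHandling setting and its ISerializationBinder interface, and that the file is built into an assembly named DemoAssembly. The Order and SideEffect classes, and the JSON document, are constructed stand-ins; SideEffect only prints, it is not a real gadget type.

```csharp
// Added illustration (not from the page or the cited research): how Json.NET's
// TypeNameHandling lets attacker-controlled JSON choose which .NET type gets
// instantiated, and how an allow-list SerializationBinder shuts that off.
// Assumes Newtonsoft.Json and that this file compiles into an assembly named DemoAssembly.
using System;
using System.Collections.Generic;
using Newtonsoft.Json;
using Newtonsoft.Json.Serialization;

public class Order
{
    public string Item { get; set; }
    public object Payload { get; set; }   // polymorphic member: here a "$type" hint is honoured
}

// Constructed stand-in for a gadget: a public type whose setter has a side effect.
// Real gadget chains live in framework or library types, not in the attacker's input.
public class SideEffect
{
    private string _cmd;
    public string Command
    {
        get => _cmd;
        set { _cmd = value; Console.WriteLine("SideEffect setter ran with: " + value); }
    }
}

// Allow-list binder: a "$type" value resolves only to types we expect, nothing else.
public class AllowListBinder : ISerializationBinder
{
    private static readonly Dictionary<string, Type> Known = new Dictionary<string, Type>
    {
        ["Order"] = typeof(Order),
    };

    public Type BindToType(string assemblyName, string typeName)
    {
        if (Known.TryGetValue(typeName, out var t)) return t;
        throw new JsonSerializationException("Type not allowed: " + typeName);
    }

    public void BindToName(Type serializedType, out string assemblyName, out string typeName)
    {
        assemblyName = null;
        typeName = serializedType.Name;
    }
}

public static class Demo
{
    // Constructed attacker input: "$type" names a type the developer never intended to create.
    const string Json = @"{
        ""Item"": ""widget"",
        ""Payload"": { ""$type"": ""SideEffect, DemoAssembly"", ""Command"": ""whoami"" }
    }";

    public static void Main()
    {
        // Vulnerable: any TypeNameHandling other than None trusts "$type" from the document,
        // so SideEffect is instantiated and its setter runs before the caller sees anything.
        var unsafeSettings = new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.Auto };
        var o = JsonConvert.DeserializeObject<Order>(Json, unsafeSettings);
        Console.WriteLine("unsafe: Payload is " + o.Payload?.GetType().Name);

        // Hardened: leave TypeNameHandling at its default (None) so "$type" is ignored, or,
        // if polymorphic payloads are genuinely needed, pair it with an allow-list binder.
        var safeSettings = new JsonSerializerSettings
        {
            TypeNameHandling = TypeNameHandling.Auto,
            SerializationBinder = new AllowListBinder(),
        };
        try
        {
            JsonConvert.DeserializeObject<Order>(Json, safeSettings);
        }
        catch (JsonSerializationException e)
        {
            Console.WriteLine("hardened: rejected (" + e.Message + ")");
        }
    }
}
```

The check a reviewer wants is simple: grep the code base for TypeNameHandling and JavaScriptSerializer's SimpleTypeResolver, and for each hit either remove the type-name handling or confirm a binder that refuses unknown types is attached to the same settings object.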

269 People Joined An Age Discrimination Class Action Suit Against Google

3 days 21 hours ago
Slashdot reader #9,119 BrookHarty writes: "269 people have joined a class-action lawsuit against Google claiming they were discriminated against in the workplace based on their age..." reports BizJournals. "The lawsuit originated in 2015 with plaintiff Robert Heath and was certified as a class-action in 2016." Google has stated it has implemented policies to stop age discrimination but still has an average employee age of 29. In 2004 Larry Page fired Brian Reid nine days before the IPO, costing Reid $45 million in unvested stock options. Reid was fired for lack of "cultural fit". Reid has settled for an undisclosed amount.

Read more of this story at Slashdot.

EditorDavid

Amateur Drone Lands On British Air Carrier, Wired Reviews Anti-Drone Technology

4 days ago
Long-time Slashdot reader mi quotes the BBC: The Ministry of Defence is reviewing security after a tiny drone landed on the deck of Britain's biggest warship. The Queen Elizabeth aircraft carrier was docked at Invergordon in the Highlands when an amateur photographer flew the drone close to the giant ship. When the aircraft sensed a high wind risk, it landed itself on the £3bn warship. The pilot told BBC Scotland: "I could have carried two kilos of Semtex and left it on the deck... I would say my mistake should open their eyes to a glaring gap in security." Meanwhile, tastic007 shares Wired's footage of anti-drone products being tested (like net guns, air-to-air combat counter-drones, and drone net shotgun shells) -- part of the research presented at this year's DEFCON.

Read more of this story at Slashdot.

EditorDavid

Crowdfunding Campaign Seeks a Libre Recording of a Newly-Completed Bach Work

4 days 3 hours ago
Slashdot reader DevNull127 writes: Robert Douglass's Kickstarter campaigns have resulted in free fan-funded open source recordings of Bach's Goldberg Variations and the 48 pieces in his Well-Tempered Clavier, Book 1. "Even Richard Stallman found these recordings, and he promptly wrote an email encouraging us to drop the word 'Open' in favor of 'Free' or 'Libre'," Douglass tells BoingBoing (adding "when RMS writes you telling you to change the name of your music project, you change the name of your music project.") Now Douglass is crowdfunding a libre recording of Bach's last masterpiece, 20 fugues developed from a single theme called "the Art of the Fugue". "He wanted to culminate in a final fugue that literally spells his name, B-A-C-H, in musical notation," remembers Douglass, but "unfortunately, Bach died before completing that work, and it has remained a musical mystery (and tragedy) for hundreds of years." Fortunately Kimiko Ishizaka completed the work in 2016, "based on the music that Bach left us... This new composition will also be released under a Creative Commons license as part of the new OpenScore.cc project... Kimiko is eminently grateful to her fans and supporters of free culture for allowing her to focus all of her energies on growing the public domain and bringing the music of J.S. Bach to a far broader audience than ever imagined." They're also rewarding supporters with tickets to two live performances -- one at Carnegie Hall in New York City and one in Hamburg's new Elbphilharmonie.

Read more of this story at Slashdot.

EditorDavid

28 Years Later, Pioneering Tech Magazine 'Mondo 2000' Relaunches Online

4 days 7 hours ago
In 1989 Mondo 2000 magazine ran an editorial promising they'd cover "the leading edge in hyperculture...the latest in human/technological interactive mutational forms as they happen." 28 years later, they're now heckling that editorial as they relaunch into a web site. Slashdot reader DevNull127 quotes Motherboard's interview with R.U. Sirius, the founder of Mondo 2000 (as well as its predecessors High Frontiers and Reality Hackers): "It was my idea to merge psychedelics and emerging technologies, and the culture around technology," Sirius said, citing Timothy Leary, writer Robert Anton Wilson and counterculture magazine The Whole Earth Catalog among his inspirations... "I kind of found my way into that particular stream of bohemian culture. It was probably a minority, but there had always been that idea of letting robots replace human work." Soon High Frontiers evolved into a glossy magazine, Reality Hackers ("Some distributors at the time thought it was about hacking people up, and put it on the shelf next to murder mystery magazines"), and later Mondo 2000, which ran from 1989 till 1998... "We really had to work to convince people that technology was defining the future. Nobody really got it. Doug Rushkoff wrote his book Cyberia, and his first book company cancelled its publication because they said the internet was a fad and that it would be over by the time the book came out"... While he uses Facebook and Twitter, Sirius is critical of their role in colonising what was once a more democratic and open space. "People are being herded into little buildings -- or huge ones -- in what was supposed to be a wide open space in which everybody created their own sites. It's a complete corporate takeover of the net, Facebook in particular... It's definitely not what we were expecting." Mondo 2000's new online relaunch includes audio of a conversation between William Gibson and Timothy Leary about a Neuromancer game to accompany a proposed film back in 1989. 
(Gibson complained "That was no interview! That was a drunken business meeting!" when first informed of the magazine's plans to publish it, though he eventually "became friendly.") There's also a 1987 discussion about mind technologies with 73-year-old William S. Burroughs (who was also "an advocate of high technology, and the 'brain machine'"), plus an unpublished John Shirley essay titled "The Next Fifty Years: Why I'm Optimistic Because Everything Will Be Terrible" and new pieces by Paul Krassner ("Alternative Facts") and M.Christian ("La Petite Mort: The Death Of Sex").

Read more of this story at Slashdot.

EditorDavid

A New Amiga Will Go On Sale In Late 2017

4 days 9 hours ago
An anonymous reader quotes the Register: The world's getting a new Amiga for Christmas. Yes, that Amiga -- the seminal Commodore microcomputers that brought mouse-driven GUIs plus slick and speedy graphics to the masses from 1985 to 1996... The platform died when Commodore went bankrupt, but enthusiasm for the Amiga persisted and various clones and efforts to preserve AmigaOS continue to this day. One such effort, from Apollo Accelerators, emerged last week: the company's forthcoming "Vampire V4" can work as a standalone Amiga or an accelerator for older Amigas... There's also 512MB of RAM, 40-and-44-pin FastIDE connectors, Ethernet, a pair of USB ports and MicroSD for storage [PDF]. Micro USB gets power to the board. A school in Michigan used the same Amiga for 30 years. Whenever it broke, they actually phoned up the high school student who originally set it up in 1987 and had him come over to fix it.

Read more of this story at Slashdot.

EditorDavid

OpenSource.com Test-Drives Linux Distros From 1993 To 2003

4 days 11 hours ago
An anonymous reader quotes OpenSource.com: A unique trait of open source is that it's never truly EOL (End of Life). The disc images mostly remain online, and their licenses don't expire, so going back and installing an old version of Linux in a virtual machine and getting a precise picture of what progress Linux has made over the years is relatively simple... Whether you're new to Linux, or whether you're such an old hand that most of these screenshots have been more biographical than historical, it's good to be able to look back at how one of the largest open source projects in the world has developed. More importantly, it's exciting to think of where Linux is headed and how we can all be a part of that, starting now, and for years to come. The article looks at seven distros -- Slackware 1.01 (1993), Debian 0.91 (1994), Jurix/S.u.S.E. (1996), SUSE 5.1 (1998), Red Hat 6.0 (1999), Mandrake 8.0 (2001), and Fedora 1 (2003). Click through for some of the highlights.

Read more of this story at Slashdot.

EditorDavid

'I'm a Teapot' Error Code Saved From Extinction By Public Outcry

4 days 12 hours ago
An anonymous reader quotes Gizmodo: It started back in 1998 as an April Fool's Day gag. Written up by Larry Masinter of the Internet Engineering Task Force (IETF), error code 418 -- "I'm a teapot" -- was nothing more than a poke at the "many bad HTTP extensions that had been proposed". Despite its existence as a joke, a number of major software projects, including Node.js, ASP.NET and Google's Go language, implemented it as an Easter egg. A recent attempt to excise the fictitious code from these projects ended up doing the opposite, cementing it as a "reserved" error by the IETF... Australian programmer Mark Nottingham flagged the code's removal as an "issue" for Google's Go language, the Node.js Javascript runtime and Microsoft's ASP.NET... Nottingham's argument was that 418 was "polluting [the] core protocol" of these projects... It didn't take long for a "Save 418" website to go live and through the efforts of interested internet historians (and jokers), all three of the aforementioned projects have decided to keep the code as it is, though Google will "revisit" the situation with the next major version of Go. The Save 418 site argued that "the application of such a status code is boundless. Its utility, quite simply, is astonishingly unparalleled. It's a reminder that the underlying processes of computers are still made by humans. It'd be a real shame to see 418 go."

Read more of this story at Slashdot.

EditorDavid

Study Finds Vaccine Science Outreach Only Reinforced Myths

4 days 13 hours ago
Ars Technica reports on a study suggesting that "Striking at a myth with facts may only shore it up." Applehu Akbar writes: Researchers at the University of Edinburgh studied public attitudes toward vaccination in a group whose opinions on the subject were polled before and after being shown three different kinds of explanatory material that used settled scientific facts about vaccines to explain the pro-vaccination side of the debate. Not only was the anti-vax cohort not convinced by any of the three campaigns, but their attitudes hardened when another poll was taken a week later. What seems to have happened was that the pro-vax campaign was taken by anti-vaxers as just another attempt to lie to them, and as reinforcement for their already made-up minds on the subject. A previous study at Dartmouth College in 2014 used similar methodology and except for the 'hardening' effect elicited similar results. What's really scary about this is that while the Dartmouth subjects were taken from a large general population, the Edinburgh subjects were college students. "The researchers speculate that the mere repetition of a myth during the process of debunking may be enough to entrench the myth in a believer's mind," writes Ars Technica, with one of the study's authors attributing this to the "illusory truth" effect. "People tend to mistake repetition for truth."

Read more of this story at Slashdot.

EditorDavid

Elon Musk + AI + Microsoft = Awesome Dota 2 Player

4 days 14 hours ago
An anonymous reader quotes the Verge: Tonight during Valve's yearly Dota 2 tournament, a surprise segment introduced what could be the best new player in the world -- a bot from Elon Musk-backed startup OpenAI. Engineers from the nonprofit say the bot learned enough to beat Dota 2 pros in just two weeks of real-time learning, though in that training period they say it amassed "lifetimes" of experience, likely using a neural network judging by the company's prior efforts. Musk is hailing the achievement as the first time artificial intelligence has been able to beat pros in competitive e-sports... Elon Musk founded OpenAI as a nonprofit venture to prevent AI from destroying the world -- something Musk has been beating the drum about for years. "Nobody likes being regulated," Musk wrote on Twitter Friday, "but everything (cars, planes, food, drugs, etc) that's a danger to the public is regulated. AI should be too." Musk also thanked Microsoft on Twitter "for use of their Azure cloud computing platform. This required massive processing power."

Read more of this story at Slashdot.

EditorDavid

iOS 10 Quietly Deprecated A Crucial API For VoIP and Communication Apps

4 days 15 hours ago
neutrino38 warns that iOS 10 includes a significant change "overlooked by the general public": It deprecates an API that is crucial for VoIP and other instant messaging applications that enable keeping one socket active despite the fact that the application would run in the background. As a replacement, developers need to use PushKit: when an incoming call is to be forwarded to an iOS VoIP client, the VoIP infrastructure needs to:

- withhold the call
- contact Apple push infrastructure using a proprietary protocol to wake up the client app remotely
- wait for the application to reconnect to the infrastructure and release the call when it is ready

This "I know better than you" approach is meant to further optimize battery life on iOS devices by avoiding the use of resources by apps running in the background. It also has the positive effect of forcing developers to switch to a push model and remove all periodic polling that ultimately uses mobile data and clogs the Internet. However, the decision to use an Apple infrastructure has many consequences for VoIP providers:

- the reliability of serving incoming calls is directly bound to Apple's service
- Apple may revoke the PushKit certificate. It thus has life-and-death decision power over third-party communication infrastructures
- organizations wanting to set up an IPBX and use iOS clients have no option but to open access for Apple's push services in their firewall
- it is not possible to have iOS VoIP or communication clients in networks disconnected from the Internet
- pure standard SIP clients are now broken on iOS

The original submission argues that Apple is creating "the perfect walled garden," adding that "Ironically, the only VoIP 'app' that is not affected is the (future?) VoLTE client that will be added to iOS one day."

Read more of this story at Slashdot.

EditorDavid
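The three-step flow in the submission above (withhold, wake, release on reconnect) and the reliability consequence it draws are modelled below as an added example; it is not code from the submission, from Apple or from any VoIP product. The push transport is a plain callable standing in for the APNs/PushKit request, the device tokens and call records are constructed, and the timeout value is an assumption; the real APNs protocol is not modelled.

```python
# Added illustration (not from the submission or from Apple's documentation): a minimal
# server-side model of holding an incoming call, asking the push service to wake the
# iOS app, and releasing the call only once the app has reconnected. It also shows the
# two ways the flow fails when the push dependency does not cooperate.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class HeldCall:
    call_id: str
    caller: str
    callee_token: str            # PushKit device token the callee registered earlier
    held_at: float
    released: bool = False
    failed: Optional[str] = None  # "push-rejected" or "wake-timeout"


class VoipGateway:
    """Holds incoming calls for iOS clients until a push has woken the app."""

    def __init__(self, push_sender: Callable[[str, dict], bool], wake_timeout: float = 10.0):
        # push_sender(token, payload) returns True if the push provider accepted the request.
        # wake_timeout (seconds) is an assumed value, not an Apple-specified one.
        self._push = push_sender
        self._timeout = wake_timeout
        self._held: Dict[str, HeldCall] = {}
        self._connected: set = set()
        self.delivered: List[str] = []

    def client_connected(self, token: str) -> None:
        """Step 3: a reconnecting client releases any call being held for it."""
        self._connected.add(token)
        for call in list(self._held.values()):
            if call.callee_token == token and not call.released and call.failed is None:
                self._release(call)

    def client_disconnected(self, token: str) -> None:
        self._connected.discard(token)

    def incoming_call(self, call_id: str, caller: str, callee_token: str, now: float) -> HeldCall:
        call = HeldCall(call_id, caller, callee_token, now)
        self._held[call_id] = call
        if callee_token in self._connected:
            self._release(call)        # app already awake: no push round-trip needed
            return call
        # Steps 1 and 2: withhold the call and ask the push service to wake the app.
        # Only an opaque call id goes into the push payload; caller details stay server-side
        # because the payload transits a third party's infrastructure.
        if not self._push(callee_token, {"call_id": call_id}):
            call.failed = "push-rejected"   # the reliability dependency the post describes
        return call

    def tick(self, now: float) -> None:
        """Expire held calls whose client never came back after the push."""
        for call in self._held.values():
            if not call.released and call.failed is None and now - call.held_at > self._timeout:
                call.failed = "wake-timeout"

    def _release(self, call: HeldCall) -> None:
        call.released = True
        self.delivered.append(call.call_id)


def run_scenarios() -> dict:
    """Constructed scenarios: one happy path, one client that never reconnects,
    and one push provider that refuses the request."""
    accepted = []

    def push_ok(token: str, payload: dict) -> bool:
        accepted.append((token, payload))
        return True

    gw = VoipGateway(push_ok, wake_timeout=10.0)
    c1 = gw.incoming_call("c1", "alice", "tok-bob", now=0.0)
    gw.client_connected("tok-bob")              # app woke up and reconnected
    c2 = gw.incoming_call("c2", "carol", "tok-dave", now=1.0)
    gw.tick(now=12.0)                           # dave's app never reconnected

    gw2 = VoipGateway(lambda token, payload: False)  # push service unavailable or cert revoked
    c3 = gw2.incoming_call("c3", "erin", "tok-frank", now=0.0)

    return {
        "c1": (c1.released, c1.failed),
        "c2": (c2.released, c2.failed),
        "c3": (c3.released, c3.failed),
        "pushes": accepted,
        "delivered": gw.delivered,
    }


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(key, value)
```

The model makes the dependency concrete: without a reachable push service there is no path to the client at all, so the gateway needs an explicit fallback (voicemail, retry, or a non-iOS endpoint) for the "push-rejected" and "wake-timeout" states rather than leaving the call held forever.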

The 2017 Hugo Awards

4 days 16 hours ago
Dave Knott writes: The Hugo Awards, the most prestigious awards in science fiction, had their 2017 ceremony today, at WorldCon 75 in Helsinki, Finland. The winners are:

- Best Novel: The Obelisk Gate by N.K. Jemisin
- Best Novella: "Every Heart a Doorway" by Seanan McGuire
- Best Novelette: "The Tomato Thief" by Ursula Vernon
- Best Short Story: "Seasons of Glass and Iron" by Amal El-Mohtar
- Best Related Work: Words Are My Matter: Writings About Life and Books, 2000-2016 by Ursula K. Le Guin
- Best Graphic Story: Monstress, Volume 1: Awakening, written by Marjorie Liu, illustrated by Sana Takeda
- Best Dramatic Presentation (Long Form): Arrival, screenplay by Eric Heisserer based on a short story by Ted Chiang, directed by Denis Villeneuve
- Best Dramatic Presentation (Short Form): The Expanse: "Leviathan Wakes", written by Mark Fergus and Hawk Ostby, directed by Terry McDonough
- Best Series: The Vorkosigan Saga by Lois McMaster Bujold (Baen)
- John W. Campbell Award for Best New Writer: Ada Palmer

This year's slate of nominees, unlike the drama surrounding the 2016 and 2015 Hugos, was less impacted by the ballot-stuffing tactics of the "Rabid Puppies", thanks to a change in the way nominees were voted for this year (including the fact no work could appear in more than one category) in an attempt to avoid tactical slate picks.

Read more of this story at Slashdot.

EditorDavid

Intel Unveils One-Petabyte Storage Servers For Data Centers

4 days 17 hours ago
Slashdot reader #9,219 Guy Smiley shared this report on a new breed of high-density flash storage. The Inquirer reports: Intel has unveiled a brand new form factor for solid state disc drives (SSDs)... Intel Optane's new "ruler" format will allow up to a petabyte of storage on a single 1U server rack... By using 3D-NAND, the ruler crams in even more data and will provide more stability with less chance of catastrophic failure with data loss. The company has promised that the Ruler will have more bandwidth, input/output operations per second and lower latency than SAS... As part of the announcement, Intel also announced a range of "hard drive replacement" SSDs -- the S4500 and S4600 -- which are said to have the highest density 32-layer 3D NAND on the market, and are specifically aimed at data centres that want to move to solid state simply and if necessary, in stages.

Read more of this story at Slashdot.

EditorDavid

Should Workplaces Be Re-Defined To Retain Older Tech Workers?

4 days 18 hours ago
rgh02 submitted this article from Backchannel which argues companies "need to work harder and more persistently to attract, retain, and recognize talent" -- especially older talent: We "elders" know perfectly well that our workplaces are by and large not about us. We don't drive how roles, functions, advancement, and success are seen. Career development options and the hierarchical career ladders everyone is expected to climb are designed for the majority: younger workers. What can be done? There has to be a systems overhaul... The article suggests restructuring workplaces with "individual contributor tracks" which reward people who don't go on to become managers, as well as things like paid mentoring positions and "phased retirement" programs that create part-time positions to allow a more gradual transition into retirement.

Read more of this story at Slashdot.

EditorDavid

Canonical Needs Your Help Transitioning Ubuntu Linux From Unity To GNOME

4 days 19 hours ago
BrianFagioli quotes BetaNews: On August 24 and 25, the Ubuntu Desktop team will be holding a "Fit and Finish Sprint," where they will aggressively test GNOME. Canonical is also asking the Ubuntu community to help with this process. In other words, you might be able to assist with making Artful Aardvark even better. What makes this particularly cool, however, is that Canonical will be selecting some community members to visit its London office on August 24 between 4 pm and 9 pm. "Over the two days we'll be scrutinizing the new GNOME Shell desktop experience, looking for anything jarring/glitchy or out of place," says Alan Pope, Community Manager. "We'll be working on the GTK, GDM and desktop theme alike, to fix inconsistencies, performance, behavioral or visual issues. We'll also be looking at the default key bindings, panel color schemes and anything else we discover along the way." A few caveats: Canonical won't pay anyone's travel expenses to London, and "Ideally we're looking for people who are experienced in identifying (and fixing) theme issues, CSS experts and GNOME Shell / GTK themers."

Read more of this story at Slashdot.

EditorDavid

Chrome Extension Developers Under a Barrage of Phishing Attacks

4 days 20 hours ago
An anonymous reader quotes Bleeping Computer: Google's security team has sent out warnings via email to Chrome extension developers after many of them have been the targets of phishing attacks, some of which have been successful and resulted in crooks taking over extensions. These phishing attacks have come into the limelight this past week when phishers managed to compromise the developer accounts for two very popular Chrome extensions -- Copyfish and Web Developer. The phishers used access to these developer accounts to insert adware code inside the extensions and push out a malicious update that overlaid ads on top of web pages users were navigating. According to new information obtained by Bleeping Computer, these attacks started over two months ago and had been silently going on without anyone noticing. All phishing emails contained the same lure -- someone posing as Google was informing extension developers that their add-on broke Chrome Web Store rules and needed to be updated. The extension developer was lured onto a site to view what was the problem and possibly update the extension. Before seeing the alert, the site asked extension developers to log in with their Google developer account, a natural step when accessing a secure backend.

Read more of this story at Slashdot.

EditorDavid

Russian Group That Hacked DNC Used NSA Attack Code In Attack On Hotels

4 days 22 hours ago
An anonymous reader quotes a report from Ars Technica: A Russian government-sponsored group accused of hacking the Democratic National Committee last year has likely been infecting other targets of interest with the help of a potent Windows exploit developed by, and later stolen from, the National Security Agency, researchers said Friday. Eternal Blue, as the exploit is code-named, is one of scores of advanced NSA attacks that have been released over the past year by a mysterious group calling itself the Shadow Brokers. It was published in April in the group's most damaging release to date. Its ability to spread from computer to computer without any user action was the engine that allowed the WCry ransomware worm, which appropriated the leaked exploit, to shut down computers worldwide in May. Eternal Blue also played a role in the spread of NotPetya, a follow-on worm that caused major disruptions in June. Now, researchers at security firm FireEye say they're moderately confident the Russian hacking group known as Fancy Bear, APT 28, and other names has also used Eternal Blue, this time in a campaign that targeted people of interest as they connected to hotel Wi-Fi networks. In July, the campaign started using Eternal Blue to spread from computer to computer inside various staff and guest networks, company researchers Lindsay Smith and Ben Read wrote in a blog post. While the researchers didn't directly observe those attacks being used to infect guest computers connected to the network, they said a related campaign from last year used the control of hotel Wi-Fi services to obtain login credentials from guest devices.

Read more of this story at Slashdot.

BeauHD

Uber and Lyft May Cause Lower Car Ownership In Big Cities, Says Report

5 days 1 hour ago
A new study from the University of Michigan Transportation Research Institute has shed light on what may turn out to be a growing trend: lower car ownership in cities where ride-sharing services are available. SlashGear reports: While Uber and Lyft have both deployed in a number of cities, they have, at times, had to abandon those cities due to local governments driving them out for one reason or another. That's what happened in Austin, Texas, opening the door for an interesting study on personal car ownership. Did the sudden absence of these two services cause increased car usage and/or ownership, or did things remain unaffected? The result, according to the study, was a big increase in personal car usage and a statistically significant increase in car ownership. The researchers surveyed a total of 1,200 people from the Austin region, and found that 41-percent of them started using their own car more often to make up for the lack of Uber and Lyft rides. As well, a total of 9-percent of those surveyed bought their own personal car to make up for the services' absences.

Read more of this story at Slashdot.

BeauHD

NASA Looks At Reviving Atomic Rocket Program

5 days 4 hours ago
Big Hairy Ian shares a report from New Atlas: When the first manned mission to Mars sets out, it may be on the tail of an atomic rocket engine. The Space Race vintage technology could have a renaissance at NASA after the space agency's Marshall Space Flight Center in Huntsville, Alabama signed a contract with BWXT Nuclear Energy to develop updated Nuclear Thermal Propulsion (NTP) concepts and new fuel elements to power them. Today, with NASA once again considering the challenges of sending astronauts to Mars, the nuclear option is back on the table as part of the agency's Game Changing Development program. Under this, NASA has awarded BWXT, which supplies nuclear fuel to the U.S. Navy, an $18.8-million contract running through September 30, 2019 to look into the possibility of developing a new engine using a new type of fuel. Unlike previous designs using highly enriched uranium, BWXT will study the use of Low-Enriched Uranium (LEU), which has less than 20 percent of fissile uranium 235. This will provide a number of advantages. Not only is it safer than the highly enriched fuel, but the security arrangements are less burdensome, and the handling regulations are the same as those of a university research reactor. If NASA determines next month that the LEU engine is feasible, the project will conduct testing and refine the manufacturing process of the Cermet fuel elements over the course of a year, with testing of the full-length Cermet fuel rods to be conducted at Marshall. Slashdot reader Big Hairy Ian adds: "At the very least it looks much more feasible than Project Orion."

Read more of this story at Slashdot.

BeauHD

FBI Says Islamic State Used eBay, PayPal To Channel Money To the US

5 days 7 hours ago
An anonymous reader quotes a report from The Verge: Islamic State allegedly used PayPal and fake eBay transactions to channel money to an operative in the U.S., The Wall Street Journal reports. The man who allegedly received the money was American citizen Mohamed Elshinawy, who was arrested last year in Maryland. The FBI claims that Elshinawy, in his early 30s, sold computer printers on eBay as a front in order to receive the payments through PayPal. The details have come to light because of a recently unsealed FBI affidavit, which alleges Elshinawy was part of a worldwide network that used such channels to fund ISIS. Elshinawy received $8,700 from ISIS, including five PayPal payments from senior ISIS official Siful Sujan through his technology company. Those funds were used to buy a laptop, a cellphone, and a VPN to communicate with IS, according to the affidavit. Sujan was killed in a drone strike in 2015. eBay told The Wall Street Journal it "has zero tolerance for criminal activities taking place on our marketplace." Meanwhile, a spokeswoman for PayPal said it "invests significant time and resources in working to prevent terrorist activity on our platform. We proactively report suspicious activities and respond quickly to lawful requests to support law enforcement agencies in their investigations."

Read more of this story at Slashdot.

BeauHD