Feed aggregator

Heartbleed Sparks 'Responsible' Disclosure Debate

Slashdot - Fri, 18/04/2014 - 13:49
bennyboy64 writes: "IT security industry experts are beginning to turn on Google and OpenSSL, questioning whether the Heartbleed bug was disclosed 'responsibly.' A number of selective leaks to Facebook, Akamai, and CloudFlare occurred prior to disclosure on April 7. A separate, informal pre-notification program run by Red Hat on behalf of OpenSSL to Linux and Unix operating system distributions also occurred. But router manufacturers and VPN appliance makers Cisco and Juniper had no heads up. Nor did large web entities such as Amazon Web Services, Twitter, Yahoo, Tumblr and GoDaddy, just to name a few. The Sydney Morning Herald has spoken to many people who think Google should've told OpenSSL as soon as it uncovered the critical OpenSSL bug in March, and not as late as it did on April 1. The National Cyber Security Centre Finland (NCSC-FI), whose own report of the bug to OpenSSL on April 7, after Google's, spurred the rushed public disclosure by OpenSSL, also thinks it was handled incorrectly. Jussi Eronen, of NCSC-FI, said Heartbleed should have remained a secret, shared only in security circles, when OpenSSL received the second bug report that the Finnish cyber security center was passing on from security testing firm Codenomicon. 'This would have minimized the exposure to the vulnerability for end users,' Mr. Eronen said, adding that 'many websites would already have patched' by the time it was made public if this procedure was followed."

Read more of this story at Slashdot.

New Facebook Phone App Lets You Stalk Your Friends

Slashdot - Fri, 18/04/2014 - 13:05
Hugh Pickens DOT Com (2995471) writes "Iain Thomson reports that Facebook is adding a new application called 'Nearby Friends' that alerts smartphone users when their friends are nearby. 'If you turn on Nearby Friends, you'll occasionally be notified when friends are nearby, so you can get in touch with them and meet up,' says Facebook in a statement. 'For example, when you're headed to the movies, Nearby Friends will let you know if friends are nearby so you can see the movie together or meet up afterward.' The feature, which is opt-in, allows users to select which friends get a warning that you are in the area, and prepare a subset of people who might like to know when you're near, if they have Nearby Friends activated as well. According to Josh Constine, what makes 'Nearby Friends' different from competitors and could give it an advantage is that it's centered around broadcasting proximity, not location. 'If someone's close, you'll know, and can ping them about their precise location and meeting up. Broadcasting location is creepy so we're less likely to share it, and can cause awkward drop-ins where someone tries to come see you when you didn't want them to.'"

Lying Eyes: Cyborg Glasses Simulate Eye Expressions

Slashdot - Fri, 18/04/2014 - 10:34
Rambo Tribble (1273454) writes "A researcher in Japan has taken what is, perhaps, the next step after Google Glass: Glasses which produce animated images of the user's eyes to simulate emotional responses. They are intended to aid workers in emotionally-intensive environments. As the researcher explains, '... they allowed others to feel they were "cared" about ...'"

Plant Breeders Release 'Open Source Seeds'

Slashdot - Fri, 18/04/2014 - 07:58
mr crypto (229724) writes "A group of scientists and food activists are launching a campaign to change the rules that govern seeds. They're releasing 29 new varieties of crops under a new 'open source pledge' that's intended to safeguard the ability of farmers, gardeners and plant breeders to share those seeds freely."

NASA Proposes "Water World" Theory For Origin of Life

Slashdot - Fri, 18/04/2014 - 01:32
William Robinson (875390) writes "A new study from researchers at NASA's Jet Propulsion Laboratory has proposed the 'water world' theory as the answer to our evolution, which describes how electrical energy naturally produced at the sea floor might have given rise to life. While the scientists had already proposed this hypothesis, called 'submarine alkaline hydrothermal emergence of life,' the new report assembles decades of field, laboratory and theoretical research into a grand, unified picture."

MIT Designs Tsunami Proof Floating Nuclear Reactor

Slashdot - Fri, 18/04/2014 - 00:07
First time accepted submitter Amtrak (2430376) writes "MIT has created designs for a nuclear plant that would avoid the downfall of the Fukushima Daiichi plant. The new design calls for the nuclear plant to be placed on a floating platform modeled after the platforms used for offshore oil drilling. A floating platform several miles offshore, moored in about 100 meters of water, would be unaffected by the motions of a tsunami; earthquakes would have no direct effect at all. Meanwhile, the biggest issue that faces most nuclear plants under emergency conditions — overheating and potential meltdown, as happened at Fukushima, Chernobyl, and Three Mile Island — would be virtually impossible at sea."

Kepler-186f: Most 'Earth-Like' Alien World Discovered

Slashdot - Thu, 17/04/2014 - 19:27
astroengine (1577233) writes "About 500 light-years away in the constellation Cygnus lives a star, which, though smaller and redder than the sun, has a planet that may look awfully familiar. With a diameter just 10 percent bigger than Earth's, the newly found world is the first of its size found basking in the benign temperature region around a parent star where water, if it exists, could pool in liquid form (abstract). Scientists on the hunt for Earth's twin are focused on worlds that could support liquid surface water, which may be necessary to brew the chemistry of life. 'Kepler-186f is significant because it is the first exoplanet that is the same temperature and the same size (well, ALMOST!) as the Earth,' David Charbonneau, with the Harvard-Smithsonian Center for Astrophysics, wrote in an email to Discovery News. 'Previously, the exoplanet most like Earth was Kepler-62f, but Kepler-186f is significantly smaller. Now we can point to a star and say, "There lies an Earth-like planet."'"

Tor Blacklisting Exit Nodes Vulnerable To Heartbleed

Slashdot - Thu, 17/04/2014 - 17:21
msm1267 (2804139) writes "The Tor Project has published a list of 380 exit relays vulnerable to the Heartbleed OpenSSL vulnerability that it will reject. This comes on the heels of news that researcher Collin Mulliner of Northeastern University in Boston found more than 1,000 nodes vulnerable to Heartbleed where he was able to retrieve plaintext user traffic. Mulliner said he used a random list of 5,000 Tor nodes from the Dan.me.uk website for his research; of the 1,045 vulnerable nodes he discovered, he recovered plaintext traffic that included Tor plaintext announcements, but a significant number of nodes leaked user traffic in the clear."

The Dismal State of SATCOM Security

Slashdot - Thu, 17/04/2014 - 16:40
An anonymous reader writes "Satellite Communications (SATCOM) play a vital role in the global telecommunications system, but the security of the devices used leaves much to be desired. The list of security weaknesses IOActive found while analyzing and reverse-engineering firmware used on the most widely deployed Inmarsat and Iridium SATCOM terminals does not include only design flaws but also features in the devices themselves that could be of use to attackers. The uncovered vulnerabilities include multiple backdoors, hardcoded credentials, undocumented and/or insecure protocols, and weak encryption algorithms. These vulnerabilities allow remote, unauthenticated attackers to compromise the affected products. In certain cases no user interaction is required to exploit the vulnerability; just sending a simple SMS or specially crafted message from one ship to another ship would be successful for some of the SATCOM systems."
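
A first-pass check of the kind a practitioner runs before the reverse-engineering IOActive describes, added here as an example (it is not IOActive's tooling and nothing in it comes from a real terminal): extract printable strings from a raw firmware image the way `strings` does, then flag the ones that look like hardcoded credentials, embedded private keys or password hashes. The image bytes, the indicator patterns and the minimum string length are constructed assumptions for this example; a hit is a lead for manual analysis of the binary, not proof of a flaw.

```python
import re

MIN_LEN = 6
PRINTABLE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)

# Label -> pattern applied to each extracted string. Hits are leads for manual
# review, not proof: a string table also holds prompts and documentation text.
INDICATORS = [
    ("credential-assignment",
     re.compile(r"(?i)(pass(word|wd)?|pwd|secret|api[_-]?key)\s*[=:]\s*\S+")),
    ("private-key-pem", re.compile(r"-----BEGIN (RSA |EC |DSA )?PRIVATE KEY-----")),
    # $1$ (MD5), $5$ (SHA-256), $6$ (SHA-512) crypt(3) hashes baked into the image
    ("unix-crypt-hash", re.compile(r"\$[156]\$[./A-Za-z0-9]{1,16}\$[./A-Za-z0-9]{22,}")),
    # a complete /etc/passwd line embedded in the filesystem or a binary
    ("passwd-entry",
     re.compile(r"^[a-z_][a-z0-9_-]*:[^:]*:\d+:\d+:[^:]*:[^:]*:/[^:]*$")),
]


def extract_strings(blob, min_len=MIN_LEN):
    """Return printable ASCII runs of at least min_len bytes, like `strings`."""
    rx = PRINTABLE if min_len == MIN_LEN else re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in rx.finditer(blob)]


def triage(blob):
    """Return [{offset, label, string}] for every indicator hit in the image."""
    findings = []
    for m in PRINTABLE.finditer(blob):
        s = m.group().decode("ascii")
        for label, rx in INDICATORS:
            if rx.search(s):
                findings.append({"offset": m.start(), "label": label, "string": s})
    return findings


def summarize(findings):
    """Count hits per label, for a quick read of what the image contains."""
    counts = {}
    for f in findings:
        counts[f["label"]] = counts.get(f["label"], 0) + 1
    return counts


# Constructed stand-in for a firmware image: binary noise around a few strings.
# Nothing here is taken from a real terminal; the secrets are placeholders.
SAMPLE_IMAGE = b"".join([
    b"\x7fELF\x01\x01\x01\x00", bytes(range(32)),
    b"Example SATCOM terminal firmware v2.1\x00",
    b"Copyright (c) 2014 Example Terminal Co.\x00",
    b"admin_password=Str0ngP@ss\x00",
    b"root:$6$saltsalt$", b"A" * 86, b":0:0:root:/root:/bin/sh\n",
    b"-----BEGIN RSA PRIVATE KEY-----\n",
    b"MIIEowIBAAKCAQEAx7eXaMpLe0nLyN0tAr3aLk3y\n",
    b"-----END RSA PRIVATE KEY-----\n", bytes(range(200, 256)),
])


if __name__ == "__main__":
    hits = triage(SAMPLE_IMAGE)
    for f in hits:
        print(f"0x{f['offset']:06x} {f['label']:22s} {f['string'][:60]}")
    print(summarize(hits))
```

The passwd line deliberately trips two indicators (a crypt hash and a complete account entry), which is the pattern that most often turns a "hardcoded credential" finding into a "remote, unauthenticated" one: the hash can be cracked offline and the account already exists on every shipped unit. Anything UTF-16 or compressed (common in Windows CE and squashfs images) needs a decode or an unpack step before this pass sees it.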

Apache OpenOffice Reaches 100 Million Downloads. Now What?

Slashdot - Thu, 17/04/2014 - 15:54
We're thankfully long past the days when an emailed Word document was useless without a copy of Microsoft Word, and that's in large part thanks to the success of the OpenOffice family of word processors. "Family," because the OpenOffice name has been attached to several branches of a codebase that's gone through some serious evolution over the years, starting from its roots in closed-source StarOffice, acquired and open-sourced by Sun to become OpenOffice.org. The same software has led (via some hamfisted moves by Oracle after its acquisition of Sun) to the also-excellent LibreOffice. OpenOffice.org's direct descendant is Apache OpenOffice, and an anonymous reader writes with this excellent news from that project: "The Apache Software Foundation (ASF), the all-volunteer developers, stewards, and incubators of more than 170 Open Source projects and initiatives, announced today that Apache OpenOffice has been downloaded 100 million times. Over 100 million downloads, over 750 extensions, over 2,800 templates. But what does the community at Apache need to do to get the next 100 million?" If you want to play along, you can get the latest version of OpenOffice from SourceForge (Slashdot's corporate cousin). I wonder how many government offices -- the U.S. Federal government has long been Microsoft's biggest customer -- couldn't get along just fine with an open source word processor, even considering all the proprietary-format documents they're stuck with for now.

RCMP Arrest Canadian Teen For Heartbleed Exploit

Slashdot - Thu, 17/04/2014 - 15:13
According to PC Mag, a "19-year-old Canadian was arrested on Tuesday for his alleged role in the breach of the Canada Revenue Agency (CRA) website, the first known arrest for exploiting the Heartbleed bug. Stephen Arthuro Solis-Reyes (pictured) of London, Ontario faces one count of Unauthorized Use of Computer and one count of Mischief in Relation to Data." That exploit led to a deadline extension for some Canadian taxpayers in getting in their returns this year. The Register has the story as well. The Montreal Gazette has some pointed questions about how much the Canadian tax authorities knew about the breach, and when.

SSD-HDD Price Gap Won't Go Away Anytime Soon

Slashdot - Thu, 17/04/2014 - 14:26
storagedude (1517243) writes "Flash storage costs have been dropping rapidly for years, but those gains are about to slow, and a number of issues will keep flash from closing the cost gap with HDDs for some time, writes Henry Newman at Enterprise Storage Forum. As SSD density increases, reliability and performance decrease, creating a dilemma for manufacturers who must balance density, cost, reliability and performance. '[F]lash technology and SSDs cannot yet replace HDDs as primary storage for enterprise and HPC applications due to continued high prices for capacity, bandwidth and power, as well as issues with reliability that can only be addressed by increasing overall costs. At least for the foreseeable future, the cost of flash compared to hard drive storage is not going to change.'"

5-Year Suspended Sentence For S. Africa's First Online Pirate

Slashdot - Thu, 17/04/2014 - 13:46
An anonymous reader writes "South Africa's first prosecution for online piracy was concluded this morning, with a five-year, wholly suspended sentence handed down to a filesharer who uploaded local movie Four Corners to The Pirate Bay. The man — who lost his job recently — said he's relieved by the verdict, which was the result of a plea bargain. Director Ian Gabriel, who made the film, recently said he was 'philosophical' about piracy."

Switching From Sitting To Standing At Your Desk

Slashdot - Thu, 17/04/2014 - 13:07
Hugh Pickens DOT Com (2995471) writes "Chris Bowlby reports at BBC that medical research has been building up for a while now, suggesting constant sitting is harming our health — potentially causing cardiovascular problems or vulnerability to diabetes. Advocates of sit-stand desks say more standing would benefit not only health, but also workers' energy and creativity. Some big organizations and companies are beginning to look seriously at reducing 'prolonged sitting' among office workers. 'It's becoming more well known that long periods of sedentary behavior has an adverse effect on health,' says GE engineer Jonathan McGregor, 'so we're looking at bringing in standing desks.' The whole concept of sitting as the norm in workplaces is a recent innovation, points out Jeremy Myerson, professor of design at the Royal College of Art. 'If you look at the late 19th Century,' he says, Victorian clerks could stand at their desks and 'moved around a lot more'. 'It's possible to look back at the industrial office of the past 100 years or so as some kind of weird aberration in a 1,000-year continuum of work where we've always moved around.' What changed things in the 20th Century was 'Taylorism' — time and motion studies applied to office work. 'It's much easier to supervise and control people when they're sitting down,' says Myerson. What might finally change things is if the evidence becomes overwhelming, the health costs rise, and stopping employees from sitting too much becomes part of an employer's legal duty of care. 'If what we are creating are environments where people are not going to be terribly healthy and are suffering from diseases like cardiovascular disease and diabetes,' says Prof Alexi Marmot, a specialist on workplace design, 'it's highly unlikely the organization benefits in any way.'"

Ask Slashdot: System Administrator Vs Change Advisory Board

Slashdot - Thu, 17/04/2014 - 10:27
thundergeek (808819) writes "I am the sole sysadmin for nearly 50 servers (win/linux) across several contracts. Now a Change Advisory Board (CAB) is wanting to manage every patch that will be installed on the OS and approve/disapprove for testing on the development network. Once tested and verified, all changes will then need to be approved for production. Windows servers aren't always the best for informing admin exactly what is being 'patched' on the OS, and the frequency of updates will make my efficiency take a nose dive. Now I'll have to track each KB, RHSA, directives and any other 3rd party updates, submit a lengthy report outlining each patch being applied, and then sit back and wait for approval. What should I use/do to track what I will be installing? Is there already a product out there that will make my life a little less stressful on the admin side? Does anyone else have to go toe-to-toe with a CAB? How do you handle your patch approval process?"
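
One way to answer the "what should I use to track what I will be installing" question with what the admin already has on hand, added here as an example rather than tooling from the thread or from any vendor: parse the pending-update listing from each server into one deduplicated manifest that can be attached to the change request. The two input line shapes (a `yum updateinfo list`-style listing and a KB export), the hostnames and the advisory numbers are constructed assumptions for this example; adjust the regexes to the real output of your tooling before trusting the result.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Patch:
    advisory: str     # RHSA-YYYY:NNNN, RHBA-..., or KBNNNNNNN
    severity: str     # normalised lower-case label
    description: str  # package NEVRA or update title

# Assumed line shapes (constructed for this example; check them against the real
# output of your tooling before relying on them):
#   yum updateinfo list:  <advisory-id> <type-or-severity> <package NEVRA>
#   Windows KB export:    KB<digits>  <title>  [<severity>]
YUM_LINE = re.compile(r"^(?P<adv>RH[SBE]A-\d{4}:\d{4,})\s+(?P<sev>\S+)\s+(?P<desc>\S+)$")
WIN_LINE = re.compile(r"^(?P<adv>KB\d+)\s+(?P<desc>.+?)\s+\[(?P<sev>[A-Za-z]+)\]$")
SEVERITY_ORDER = ["critical", "important", "moderate", "low", "bugfix", "enhancement"]

def normalise_severity(raw):
    """yum labels security errata '<Severity>/Sec.'; strip that suffix and lower-case."""
    label = raw.lower()
    return label[:-len("/sec.")] if label.endswith("/sec.") else label

def parse_listing(text):
    """Return Patch objects for advisory/KB lines; banners and footers are skipped."""
    out = []
    for line in text.splitlines():
        m = YUM_LINE.match(line.strip()) or WIN_LINE.match(line.strip())
        if m:
            out.append(Patch(m["adv"], normalise_severity(m["sev"]), m["desc"]))
    return out

def build_manifest(host_listings):
    """Merge {host: [Patch, ...]} into {advisory: {"patch": Patch, "hosts": [...]}}.
    An advisory that applies to many hosts becomes one line item: the CAB approves
    it once and the hosts column records the blast radius."""
    first_seen, hosts_for = {}, defaultdict(set)
    for host, patches in host_listings.items():
        for p in patches:
            first_seen.setdefault(p.advisory, p)
            hosts_for[p.advisory].add(host)
    return {adv: {"patch": first_seen[adv], "hosts": sorted(hosts_for[adv])}
            for adv in sorted(first_seen)}

def severity_summary(manifest):
    """Count line items per severity, for the risk statement on the ticket."""
    counts = defaultdict(int)
    for entry in manifest.values():
        counts[entry["patch"].severity] += 1
    return dict(counts)

def render_markdown(manifest):
    """Render the manifest as a table, most severe first, for the change ticket."""
    def rank(item):
        sev = item[1]["patch"].severity
        return (SEVERITY_ORDER.index(sev) if sev in SEVERITY_ORDER else len(SEVERITY_ORDER), item[0])
    rows = ["| Advisory | Severity | Change | Hosts |", "|---|---|---|---|"]
    for adv, entry in sorted(manifest.items(), key=rank):
        p = entry["patch"]
        rows.append(f"| {adv} | {p.severity} | {p.description} | {', '.join(entry['hosts'])} |")
    return "\n".join(rows)

# Constructed sample listings; advisory and KB numbers are placeholders, not real errata.
SAMPLE_LISTINGS = {
    "web01": """\
Loaded plugins: product-id, security
RHSA-2014:0001 Important/Sec. openssl-1.0.1e-16.el6_5.7.x86_64
RHBA-2014:0002 bugfix         bash-4.1.2-15.el6_4.x86_64
updateinfo list done
""",
    "web02": """\
RHSA-2014:0001 Important/Sec. openssl-1.0.1e-16.el6_5.7.x86_64
RHSA-2014:0003 Moderate/Sec.  httpd-2.2.15-30.el6_5.x86_64
""",
    "dc01": """\
KB1234567  Security Update for Windows Server 2008 R2  [Critical]
KB1234568  Update for .NET Framework 4.5  [Important]
""",
}

def example_manifest():
    """Manifest for the three constructed hosts above."""
    return build_manifest({h: parse_listing(t) for h, t in SAMPLE_LISTINGS.items()})

if __name__ == "__main__":
    manifest = example_manifest()
    print(severity_summary(manifest))
    print(render_markdown(manifest))
```

Running it prints the severity counts and a table with one row per advisory and the hosts it touches, which is the shape most change-request templates ask for; the per-host detail is still in the parsed listings if the board wants it. The same script can be re-run after the development-network pass with the post-patch listing to show what actually landed, which is the evidence a CAB usually wants before approving production.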

The Squishy Future of Robotics

Slashdot - Thu, 17/04/2014 - 08:09
An anonymous reader writes "The field of soft robotics is fast growing and may be the key to allowing robots and humans to work side-by-side. 'Roboticists are prejudiced toward rigid structures, for which algorithms can be inherited from the well-established factory robot industry. Soft robots solve two huge problems with current robots, however. They don't have to calculate their movements as precisely as hard robots, which rely on springs and joints, making them better for navigating uncontrolled environments like a house, disaster area, or hospital room. They're naturally "cage free," meaning they can work shoulder-to-shoulder with humans. If a soft robot tips over or malfunctions, the danger is on par with being attacked by a pillow. The robot is also less prone to hurt itself.'"

Industry-Wide Smartphone "Kill Switch" Closer To Reality

Slashdot - Thu, 17/04/2014 - 00:02
mpicpp (3454017) writes "The 'kill switch,' a system for remotely disabling smartphones and wiping their data, will become standard in 2015, according to a pledge backed by most of the mobile world's major players. Apple, Google, Samsung and Microsoft, along with the five biggest cellular carriers in the United States, are among those that have signed on to a voluntary program announced Tuesday by the industry's largest trade group. All smartphones manufactured for sale in the United States after July 2015 must have the technology, according to the program from CTIA. Advocates say the feature would deter thieves from taking mobile devices by rendering phones useless while allowing people to protect personal information if their phone is lost or stolen. Its proponents include law enforcement officials concerned about the rising problem of smartphone theft."

Code Quality: Open Source vs. Proprietary

Slashdot - Wed, 16/04/2014 - 23:17
just_another_sean sends this followup to yesterday's discussion about the quality of open source code compared to proprietary code. Every year, Coverity scans large quantities of code and evaluates it for defects. They've just released their latest report, and the findings were good news for open source. From the article: "The report details the analysis of 750 million lines of open source software code through the Coverity Scan service and commercial usage of the Coverity Development Testing Platform, the largest sample size that the report has studied to date. A few key points: Open source code quality surpasses proprietary code quality in C/C++ projects. Linux continues to be a benchmark for open source quality. C/C++ developers fixed more high-impact defects. Analysis found that developers contributing to open source Java projects are not fixing as many high-impact defects as developers contributing to open source C/C++ projects."

Retired SCOTUS Justice Wants To 'Fix' the Second Amendment

Slashdot - Wed, 16/04/2014 - 15:55
CanHasDIY (1672858) writes "In his yet-to-be-released book, Six Amendments: How and Why We Should Change the Constitution, John Paul Stevens, who served as an associate justice of the Supreme Court for 35 years, believes he has the key to stopping the seeming recent spate of mass killings — amend the Constitution to exclude private citizens from armament ownership. Specifically, he recommends adding 5 words to the 2nd Amendment, so that it would read as follows: 'A well regulated Militia, being necessary to the security of a free State, the right of the people to keep and bear Arms when serving in the Militia shall not be infringed.' What I find interesting is how Stevens maintains that the Amendment only protects armament ownership for those actively serving in a state or federal military unit, in spite of the fact that the Amendment specifically names 'the People' as a benefactor (just like the First, Fourth, Ninth, and Tenth) and of course, ignoring the traditional definition of the term militia. I'm personally curious about his other 5 suggested changes, but I guess we'll have to wait until the end of April to find out."

All Packages Needed For FreedomBox Now In Debian

Slashdot - Wed, 16/04/2014 - 15:28
Eben Moglen's FreedomBox concept (personal servers for everyone to enable private communication) is getting closer to being an easy-to-install reality: all packages needed for FreedomBox are now in Debian's unstable branch, and should be migrating to testing in a week or two. Quoting Petter Reinholdtsen: "Today, the last of the packages currently used by the project to create the system images were accepted into Debian Unstable. It was the freedombox-setup package, which is used to configure the images during build and on the first boot. Now all one needs to get going is the build code from the freedom-maker git repository and packages from Debian. And once the freedombox-setup package enters testing, we can build everything directly from Debian. :) Some key packages used by Freedombox are freedombox-setup, plinth, pagekite, tor, privoxy, owncloud, and dnsmasq. There are plans to integrate more packages into the setup. User documentation is maintained on the Debian wiki." You can create your own image with only three commands, at least if you have a DreamPlug or Raspberry Pi (you could also help port it to other platforms).
