Slashdot Mirror

Well, there's this story...

Everything is also great for exploit authors as well. Maybe less time should be spent rewriting screensavers?

A drive-by Gstreamer attack?

For those who don't know, my company acquired SourceForge along with Slashdot and have been improving it. Redesign coming soon as well. http://arstechnica.com/informa...

Now lets dumb it down so a nerd such as yourself can understand it. THERE WAS NO HACK. THERE IS NO EVIDENCE OF A HACK.

Since you ask so nicely, here you go: http://arstechnica.com/securit...

See http://arstechnica.com/securit....

That's ridiculous on its face. Counter-example: I give you an ounce of gold and you give me a laptop. Extend that example to any comparable cashless payment platform.

Ah, youngsters.., they forget that an ounce of gold was cash, for example, classic US "double eagle" coins prior to 1933.

Hint: cash is any material object commonly used to exchange value, as distinguished from use for barter between individuals seeking specific items.

"Cashless" is any electronically-based payment system relying upon an exchange of information -- rather than material obects -- and requiring three parties, such as a buyer, a seller, and a payment system. Bitcoin's third party is those maintaining the blockchain.

That three party system invevitably extends to include the government, which will demand things like "complete user security settings and history (including confirmed devices and account activity)." Presuming that the information is not public to begin with, as in the bitcoin blockchain.

Reports mention that the failure to acquire an address is, at least sometimes, tied to the "Connected Devices Platform Service" crashing. Apparently this service is "used for Connected Devices and Universal Glass scenarios", which really clears things up.

Nobody seems to have much to say on what exactly the 'connected devices platform' is; but it sounds like the problem isn't with the DHCP client itself; but with some questionably sensible abstraction layer failing at automagic above it, in the service of some windows-everywhere-in-the-connected-home fever dream.

Sort of like the time they broke all those webcams, not by monkeying with UVC support; but by quietly inserting a poorly thought out frameserver without telling anyone because being able to log in with your face is obviously more important than Directshow working as expected.

While nobody wants a huge abusive spy agency tracking Americans at all times, there are going to be plenty of people on here jumping up and down hoping for the destruction of the NSA... while simultaneously running around like chickens with their heads cut off claiming that Russian Hackers are the sole reason that Trump is president.

Seriously, WTF is this comment and why is it (currently) +4 Interesting?

#1. Many, many people who have been most critical of the NSA's activities have been skeptical of the claim that Russian hackers are the sole reason Trump is president. This includes Glenn Greenwald as well as many in the security community who don't take leaked reports of CIA briefings at face value. I'm not seeing anyone who is anti-NSA spying wholesale accepting the CIA's story. So the premise of your point is not correct.

#2. Even if they DID accept the Putin story... There is no inherent conflict between not wanting a "huge abusive spy agency tracking Americans at all times" and wanting an agency to protect against foreign attack (if one has occurred, which as I said is not certain).

#3. The NSA has done very little that would have prevented the hacks, while actually having done very much to weaken national security-- the kind of thing that facilitates break-ins. They have compromised security algorithms and pushed the RSA to accept them as standards. They have deliberately inserted weaknesses into Cisco products. There are numerous examples of this. If the "Russians" has hacked us because of weak technology, the NSA very well could be to blame. The assumption that they're some kind of shield against attacks appears to be backwards.

#4. Podesta's emails were reportedly hacked via social engineering. Explain to me how you think the NSA's role has been stopping human beings from typing in their own Gmail login information when tricked to do so.

#5. Finally, elucidate on the connection you make between a "huge spy agency tracking Americans at all times" and an alleged nation state hacking campaign. What the hell does the surveillance state agency spying on all citizen activity have to do with these hacks? If anything, the alleged influence of Russian agents in our election occurred WHILE the mass-spying is occurring. Therefore, by your logic, the NSA should stop all spying to stop Putin. Right?. Right??

In short, your post makes no sense, it is not "insightful"-- it connects dots that don't have anything to do with each other. Worse, it is in some ways dangerous because it is really an attack on questioning authority. There is zero contradiction in opposing an all-powerful state surveillance agency on one hand vs. a corrupted electoral system on the other.

Not to mention that those reports of foreigners meddling in our election originate from an agency with a notorious decades of history in... well, meddling with foreign elections.

Considering one of the major contributers is "unintentional injury deaths, such as overdoses and car accidents, increased by 6.7 percent" much of the blame likely sits on the pain pill problem. Cancer deaths actually went down, so health care is working for that disease. Alzheimers deaths rose a lot... but they say this is due to the medical establishment just recategorizing that as a cause of death... woner what those were usually listed under.

The ars article has some useful charts, if, unlike 3 out of 5 of trump supporters, you know how to read them.

I've got to say, this seems creepy to me. It's not just spying on kids, it's spying on whoever is in range. It's basically an open mic in your home, transmitting to god knows who.

So is Cortana, and Alexa, and Siri, and "OK Google," and Xfinity has some voice-controlled stuff now, and Samsung TVs have been caught transmitting audio back to the mother ship... People are voluntarily buying these gadgets up by the millions and putting them in their homes. There's a woman filing a lawsuit because she bought some kind of IoT dildo and was shocked, just shocked to find out it phoned home with data about how she used it. Like, why the hell does your dildo need to be connected to anything but a battery?

I don't think society cares anymore, or maybe I have it backwards and they don't care yet. We need a good leak. I can't wait until someone dumps a few hundred gigs of highly sensitive audio snippets, correlated to peoples' email addresses or Facebook accounts. Maybe at that point, people will wake up and pay attention.

If I was paranoid, I'd say that some intelligence organization is pushing these kinds of things in order to establish a covert surveillance network that could be used for all sorts of evil shit.

That isn't paranoia, that's rationality.

My bad, I got mixed up with the Pizzagate article today. Here are the links:

http://arstechnica.com/tech-po...
http://www.nytimes.com/2016/11...
https://www.buzzfeed.com/craig...

By the way, did you notice how the owner of the pizza restaurant didn't post the photo you linked to? And how it's not proof of anything other than someone making a really bad joke? This is what conspiracy theories are made of.

Or create an app with the same name of an obscure library file, get the repository to remove the library file, piss off the author of the library file, and break the Internet at the same time.

http://arstechnica.com/information-technology/2016/03/rage-quit-coder-unpublished-17-lines-of-javascript-and-broke-the-internet//

The original article that Ars sourced was posted July 27, 2016.

That article was from when the lawsuit began. This story is about the end of it all after the judge made a decision on the case. The date of the judgement in the PDF from the article was dated November 21.

Yes we acquired SourceForge just this year, and yes what you say about reputations is true. SourceForge's improvements this year weren't covered nearly as much as their previous missteps, but we'll continue to improve it regardless for the 1 million+ users we see per day. Ars Technica did a good write up though.

= Drive-by web nasty unmasks Tor Browser users, Mozilla dashes to patch zero-day vuln

"Mozilla is scrambling to patch a vulnerability in Firefox that is apparently being exploited in the wild to unmask Tor Browser users.

Earlier today, a small package of SVG, JavaScript and x86 code popped up on a Tor mailing list that, when opened by Firefox or Tor Browser on a Windows PC, phones home to a remote server and leaks the user's MAC address, hostname and potentially their public IP address. Typically, this exploit would be embedded in a webpage and leap into action when opened by an unsuspecting visitor."

http://www.theregister.co.uk/2... [theregister.co.uk]
https://web.archive.org/web/20...

= Firefox 0day in the wild is being used to attack Tor users

http://arstechnica.com/securit...
https://web.archive.org/web/20...

= [tor-talk] Javascript exploit

"This is an Javascript exploit actively used against TorBrowser NOW. It
consists of one HTML and one CSS file, both pasted below and also
de-obscured. The exact functionality is unknown but it's getting access to
"VirtualAlloc" in "kernel32.dll" and goes from there. Please fix ASAP."

https://lists.torproject.org/p...
https://web.archive.org/web/20...

Is there a contest on slashdot as to how to talk about malware without mentioning that it will only run on Microsoft Windows?

"the attacker ran a server loaded with open source vulnerability scanning tools to identify and compromise servers to use in spreading the ransomware, known as HDDCryptor and Mamba, within multiple organizations' networks".

The proof of harassment has been posted multiple times, and confirmed by GamerGate's own IRC chat logs. You just choose to ignore this evidence that has been posted multiple times.

http://archive.today/Ler4O
http://www.wehuntedthemammoth....
http://arstechnica.com/gaming/...

How long are you going to keep this pretence up?

realistically nobody believes China and India or the other developing nations will stop modernizing to keep emissions down.

China is working hard to shift away from coal too. See http://arstechnica.com/science.... In particular where it says, "Accounting for the fact that 2016 was a leap year with an extra day, they estimate that China’s emissions will drop by about 0.5 percent (largely due to coal use declining nearly two percent)."

They have huge pollution problems, and they know that shifting to cleaner energy sources is necessary to do anything about it. From https://en.wikipedia.org/wiki/...: "In 2015 China became the world's largest producer of photovoltaic power, at 43 GW installed capacity. China also led the world in the production and use of wind power and smart grid technologies, generating almost as much water, wind, and solar energy as all of France and Germany's power plants combined."

Re 'Two factor authentication, ALWAYS" Two factor authentication is not holding as expected.
"Google warns journalists and professors: Your account is under attack" (11/24/2016)
http://arstechnica.com/securit...
"Some of the people who received the warning reported their accounts were protected by two-factor authentication... "

I can somewhat agree but look at the stupid competition. Can't buy a cheaper android phone from china without a 60% chance of some kind of backdoor. Also, given how Apple doesn't just discard updates for their phone after 6 months and trying to make the iPhone a black box really appeals to me.

The constant interface between devices. A safer app store, abit shitty search for years. Its really REALLY hard for me to look at an alternative

Hell, it was a Samsung phone I was looking to upgrade my iPhone 5 from, just because it seemed to have all these features above. They blew that one. There really aren't that many smart phone companies out there that keep this kind of quality. I am looking at the Google pixel too, but it's just too new and doesn't look that impressive to be honest. Its still $600+ too.

I very much doubt anything is going to change in the next few years and both Apple and Samsung can charge insane prices for the phones because of it

Hi Qbertino,

If you read through this thread, the replies you received will likely be greatly disheartening.

It's truly a fact-free world where "truthiness" trumps reality.

Even here on Slashdot.

When stories of outrageous ISP pricing and behaviour, etc. ad nauseam, start appearing in the future, take some solace in that it's basically exactly what they've asked for and they deserve it, hard. H.L. Menken being paraphrased there.

Thanks for you many +5 Informative / Insightful posts over the years. I don't expect to personally be around to see any further ones you make. But I'd enjoy reading your comments on ArsTechnica where I linger silently.

It's one place where facts and reality triumph over emotions and beliefs.

Unless you happen to use Spotify... http://arstechnica.com/informa...

According to Ars Technica it is different product

http://arstechnica.com/informa...

Visual Studio for Mac isn't, in fact, Visual Studio at all. Instead, it's the latest iteration of Xamarin Studio, the cross-platform C# development environment that Microsoft inherited when it bought Xamarin, developers of cross-platform .NET-based mobile development tools, last year.

These are two very different products, and the real Windows Visual Studio is the more capable product.

Doesn't it worry you at all that the FBI investigation so close to the vote most likely lost it for Clinton? Wikileaks and the FBI turned nothing into a Trump victory.

Sounds like John Podesta complaining that FBI Director Comey cost Hillary the election.
http://arstechnica.com/tech-po...
No, this did not cost Hillary the election. The damage had been done long ago when the DNC and Hillary screwed over Bernie Sanders.
The DNC did not listen to others who told them the selecting Hillary was a mistake, that she was almost unelectable.
https://theintercept.com/2016/...
Then top it off the Democrats got the opposing candidate they wanted in Donald Trump.
Come election day Bernie Sanders supporters stayed away on election day in key states.
This is attributed to the DNC email dumps in the weeks leading up to the election.
Many voters in the rust belt, who voted for Obama in '08 and '12 voted Trump this time around.
Most said Hillary was an insider and part of the problem, they wanted change and Trump offered that.
As for me, no I did not vote for Trump. I also did not give Hillary my vote.
She carried my state and got the biggest prize of all, as the Democrats always do.
The announcement from Comey didn't change my mind, I wasn't going to vote for her from the start.
Her previous actions and mishandling of classified information did it for me. She should NEVER hold a security clearance again.
Now it looks like she never will need one again. That is a good thing for this country.

With Trump being elected, the one thing I am thankful for is that the TPP is DOA.
It may be the only thing good that may come from the Trump presidency but it is a start.

He has called for NASA to get out of the Earth Sciences area (after all, that AGW stuff is all a Chinese hoax), and focus on making Mars Great again or something....

http://arstechnica.com/science...

So Google will flag Google, and for 30 days and 30 nights, a plague upon their own house? Awesome. You do have a good point about cleaning your own house before going hunting for other sites.

More like Google will flag Alphabet, because all the ad companies don't fall under Google anymore, but the Alphabet group of companies.

Of course, this will also mean every single web page will have the warning, since they all are repeat offenders....

Heck, even Google's own AdSense distributed malware for Android phones.

Of course, one could argue Alphabet is the largest malware distributor...

If CSIRO is involved you can bet whatever they find they'll coat it with so many layers of "intellectual property" nobody will be able to get it without paying through the nose. CSIRO is pure evil.

http://arstechnica.com/tech-po...

E

You don't need launch codes. They are already seat in each silo. The code was a zero, followed by another zero, and another zero, and another zero ... 8 zeros There's no way that you can expect two men to dial in different codes for each of 50 missile launches before the first bombs take them out. And one code for all removes the ability to be sure of a limited strike, so might as well just set them to all zeroes.

Uber does it too...

One difference between video games and ball sports is that unlike ball sports, video games are subject to an exclusive right to perform them publicly. A game's publisher holds copyright that it can use and in some cases has used to ban leagues from publicly performing its games. Blizzard, for example, has had a spat with KeSPA from 2008 through 2011. This doesn't bode well for potential competitors to Blizzard's league.

If the National League held copyright on baseball, the American League, Negro National League, and Negro American League could never have formed. (The NL and AL eventually merged to form MLB, and most NNL and NAL players were signed to MLB teams after World War II.)

If the National Football League held copyright on gridiron football, the American Football League could never have formed. (They eventually merged to form the present NFL.)

If the National Basketball League held copyright on gridiron football, the Basketball Association of America and American Basketball Association could never have formed. (The NBL merged with the BAA and ABA to form the NBA.)

>"Any reference?"

I will admit I am yelling "fire" without seeing the flames. My bad, and I should probably tone it down.

Here is an example of what can happen: http://arstechnica.com/securit... It shows just how easy it can be for them to insert something that can be abused.

The real danger is that with a binary-only, closed-source browser like Chrome, there is really no easy way know what it is doing behind-the-scenes or what backdoors it might have for them or governments. It is probably harder to prove it is not spying on users than proving it is. And Google has far more incentive to track everything you do compared to, say, Mozilla. Of course, if you also use Google search and/or sign-in with a Google account while using Chrome/Chromium, you are turning it into a type of approved super spyware on the spot.

http://betanews.com/2012/03/01...
http://www.theverge.com/2016/9...
http://www.huffingtonpost.com/...

I am amazed at how cavalier people are about their privacy, especially when it involves Google. The scariest thing is that most people have no idea just how much data is being collected about them (and yes it happens with all browsers and all services, but it is stepped up to overdrive with Google).

And if you are curious, no, I don't use Google's search engine directly, I always use http://startpage.org/ I also install Firefox browser on my Android devices and use that and startpage for searching.

I'll grant you that the US is at the front of researching and developing reusable launch vehicles. That's the best thing going for you at the moment, but many of your aerospace people are dismissing even this advantage. You're NOT currently building "a rocket to take men to Mars"; the SLS is a lame joke, even considering the lack of relevant payload; and New Armstrong and MCT/ITS are not currently being built. And I'd definitely say that China is making advances in manned spaceflight. After all, they didn't have manned spaceflight until some time ago and now they have it, presumably at lower costs than the US. Now they still have those low costs but their economy is going seriously forward, and they happen to have a much more consistent government when it comes to large-scale national projects. They don't have to worry about what happens in the next election cycle.

Drones banned: http://arstechnica.com/tech-po...

And since I live in one of the cities that has banned fireworks, I will not provide you with a source. But google exist...

Last year, Github was hit by a DDoS caused by attack code injected into plain-text http:// traffic by someone in China.

Let's assume for a moment that the attack on Github consisted of altering the contents of a single 50 byte packet. If that 50 byte packet corresponds to 0.0000000000000000000000000000000000000001% of rewritten traffic, then the remaining 99.9999999999999999999999999999999999999999% would correspond to 10^19 yottabytes of traffic.

Bearing in mind that total global internet traffic is barely even one zettabyte per year, let alone over a million trillion yottabytes, I think it's reasonable to conclude that the percentage of attacks that occur on the webserver as opposed to somewhere in-flight is lower than 99.9999999999999999999999999999999999999999%. (Especially when you consider that the DDoS that Github was struggling with for 4 days most likely involved rewriting more than a single 50-byte packet.)

When I look at this comparison of file systems, btrfs looks nice.

Reposting at the top level since nearly every other comment is getting this wrong...

Most (all?) jurisdictions allow a voter to request a replacement ballot, in the event of him making an error on the ballot. It would be trivial to take a ballot selfie with one ballot, request a replacement ballot, and vote differently.

This makes ballot selfies ineffective for vote-buying efforts.

The 1st Circuit Court court recognized that the NH law was unconstitutional because it bans protected political speech. NH's US Senator Ayotte is even planning to post her own ballot selfie, in violation of the NH law to prove the point.

NY is in the 2nd Circuit, so they will need their own decision until SCOTUS upholds the 1st Circuit decision.

Regardless, these bans aren't about vote buying - that won't work - they're about preventing people from expressing their political views on social media. Such postings have more benefit for insurgent candidates than establishment candidates, so the establishment is firmly against such efforts.

http://arstechnica.com/securit...

Aside from the fact that millions of Android apps contain native code which is very hard to find malware in and now we have a wonderful Dirty Cow vulnerability which affects almost 100% of Android devices, which means a new update or install from Google Play will automatically p0wn your device for good and will probably install an undetectable/unerasable rootkit.

I'd love to think that Android is secure but Google chose to use the Linux kernel which doesn't fare that well vs. microkernels like QNX. Call me crazy but I believe the QNX kernel would have been a much better choice for Android.

APK has a 20-year history of begging to have his ass whipped----and getting what he asked for

Stay tuned for our next instalment, when we'll show you how he got his ass handed back to him right here on Slashdot just a couple of years back.

Y'all enjoy.

Well, here are my reasons.

1. Runs macOS. I used Linux exclusively from 1994 to 2008. I like macOS better.

2. Better hardware for my uses. I move around with my laptop everywhere (rarely use a desk) so battery life and weight are priorities to me. The hidpi display is something I will never give up. The trackpad performs way better (on Linux, I preferred the IBM capacitive tracepoint). Generally, you get better specs and lower price on a Linux machine only if you give up on having a lightweight device.

3. Better hardware support. Suspend/resume ALWAYS WORKS. Getting a device from System76 that was specifically specced for Linux will get rid of a lot of problems, but as Ars Technica noticed recently there are ongoing problems with new hardware. Power management in general works much better under macOS and battery life is better as a result.

Air Force Says F-35 Glitches Mean the A-10 Will Keep Flying 'Indefinitely'

This reminds me of the JTRS program and Boeing GMR in particular. This is all thanks to the joint-acquisition mindset that you must build some all encompassing shit that is to do everything for everyone. This goes again all normal notions of sound engineering.

I suggest you read about JTRS and GMR if you haven't (feast yer eyes and weep at the sheer stupidity of it.): http://arstechnica.com/informa...

Having worked in defense (albeit just for a few years), I can attest this shit is all too common. Another one is putting all types of COTS and cobble them together even when they aren't meant to be.

The notion of limiting scope does not exists. Now, it is all fun and traditional to blame defense contractors. To a point, they are. But the biggest culprit is the DoD itself. It sets up incredibly bizantine requirements, forces contractors to divvy-up work in ways that, when coupled with clearance levels, it makes information sharing nearly impossible and costly. Worst of all, it always leaves the door open to increase the scope of shit. Always.

So it is inevitable that contractors end up with project overruns. Now, contractors are already geared to feast on that shit till they are fat (the law of unintended consequences). But the blame sits squarely with the DoD's way of acquiring shit, and joint-acquisition mentality specifically.

It is always better to build tools with specific purposes and scopes and orchestrate them as needed than trying to build the ultimate kitchen-sink uber-toaster. Not for the DoD, though.

I fear that for a long time we were able to pull some good shit despite all of it just by throwing money on it. But times have changed, and we can barely afford to do that anymore.

Either we wise the fuck up, or someone else is eventually going to eat our lunch.

Of course, the big news here is that this 'hack' doesn't work against the most popular series of drones, those made by the Chinese company DJI. These common UAVs (Phantoms, Inspires, Mavics) use a proprietary, partially encrypted, spread spectrum protocol. They've been jammed by other devices, just not this particular one.

That is literally only because the developer hasn't got one:

The attack hardware was a teensy and a cyrf6936 transceiver from my friend at 1bitsquared.com, but we could have just as easily implemented it using the same teensy and a ML2724 to attack DJI and Futaba systems.

The attacker in this case had lots of sample hardware, so he attacked that. Sadly, it's the dominant protocol today in general, because it's cheap and good. You can get a LemonRX 0008 DSM2 diversity satellite receiver (two distinct radios in there) for ten bucks shipped or less, but that's a one-week turnaround from a US seller which I've literally just installed into a quadcopter. Most flight controllers will even put them into bind mode now, otherwise you need a DSM RX with a sat port, or a 3.3 volt Arduino.

ISTR there being alternate firmware for some RXs. If so, and it is Open-Sourced, this problem could be fixed in a proprietary, encrypted revision of the protocol and supported by TXs with open firmware like maybe the Devo7e and probably other, fancier Devos which use fancier MCUs with more flash. You'd still be able to predict the frequencies and jam them, but you wouldn't be able to take over without breaking the encryption.

Well, it isn't like it isn't anything new

https://yro.slashdot.org/story...

Lets not also forget about badbios malware that reportedly transfers similarly.

http://arstechnica.com/securit...

And no, you do not install "let me send you some ads" app that needs permission to use your microphone, you install some other app that uses an ad package for advertisement and payments to support it's development which in turn has the app. This is why some apps want to have access to your microphone, camera, contacts, media, network and so on when you install them and they are just a dressed up solitaire game.

Hell, the app for my blood pressure monitor machine wants access to my phone, contacts, photos, and something else which I could never understand. I couldn't get the manufacturer to explain why when all it did was dump the reading into a file with the date and time via blue tooth and you could add notes and search it later is you wanted.

I read the recent Ars piece on how the pizza biz uses robots to make pizza. At first this was a bit of a surprise/news to me, but then you immediately realize how repetitive the job is. Great use for robots -- faster, less waste, tireless, etc. But also, great job for a human to no longer do -- brain-deadening, low-paying and a RSI maker if ever there was one.

OSX and iOS are based on NextSTEP:

http://arstechnica.com/apple/2...

https://en.wikipedia.org/wiki/...

Back on topic; Project Zero went the ethical way.

You mean only AFTER Apple BEGGED them, don't you?

Who knows what really went on behind the scene. But still; Project Zero went the ethical way whatever the reason.

OSX and iOS are based on NextSTEP:

http://arstechnica.com/apple/2...

https://en.wikipedia.org/wiki/...

Back on topic; Project Zero went the ethical way.

You mean only AFTER Apple BEGGED them, don't you?

OSX and iOS are based on NextSTEP:

http://arstechnica.com/apple/2...

https://en.wikipedia.org/wiki/...

Back on topic; Project Zero went the ethical way.

Try the linked http://arstechnica.com/tech-po...
Will the copyrights and patents be valid or will fair use win? The wider court role of a "four-factor "fair use" test"?
The way APIs could be/is/will be/can be copyrighted.
The news and summary is all in the linked arstechnica.com recap.
If its a win, its fair use for all.
Not a win, then some "fair use" test for US code? Doing programming in the USA just got more interesting. Code has to work and pass a final court test every time per product cycle?
Another type of win and its all copyrighted. Doing programming well away from the USA just got traction.

Non-techies often giggle when I use the word "dongle". Can't we find a better word before HR hauls me in for alleged harassment?

Not as far fetched as you think....