Domain: blogspot.com
Stories and comments across the archive that link to blogspot.com.
Stories · 3,021
-
Researchers Break Digital Signatures For Most Desktop PDF Viewers (zdnet.com)
An anonymous reader quotes a report from ZDNet: A team of academics from the Ruhr-University Bochum in Germany say they've managed to break the digital signing system and create fake signatures on 21 of 22 desktop PDF viewer apps and five out of seven online PDF digital signing services. This includes apps such as Adobe Acrobat Reader, Foxit Reader, and LibreOffice, and online services like DocuSign and Evotrust -- just to name the most recognizable names. The five-person research team has been working since early October 2018 together with experts from Germany's Computer Emergency Response Team (BSI-CERT) to notify impacted services. The team went public with their findings over the weekend after all affected app makers and commercial companies finished patching their products. In research published today, the Ruhr-University Bochum team described three vulnerabilities that they found in the digital signing process used by several desktop and web-based PDF signing services. Summarized, they are:
1. Universal Signature Forgery (USF) -- vulnerability lets attackers trick the signature verification process into showing users a fake panel/message that the signature is valid.
2. Incremental Saving Attack (ISA) -- vulnerability lets attackers add extra content to an already signed PDF document via the "incremental saving (incremental update)" mechanism, but without breaking the already-existing signature.
3. Signature Wrapping (SWA) -- vulnerability is similar to ISA, but the malicious code also contains extra logic to fool the signature validation process into "wrapping" around the attacker's extra content, effectively digitally signing the incremental update. Additional details about the three vulnerabilities are available in this PDF research paper [1, 2], this blog post, and this dedicated website. -
How Badly is Google Books Search Broken, and Why? (blogspot.com)
An anonymous reader shares a blog post: It appears that when you use a year constraint on book search, the search index has dramatically constricted to the point of being, essentially, broken. Here's an example. While writing something, I became interested in the etymology of the phrase 'set in stone.' Online essays seem to generally give the phrase an absurd antiquity -- they talk about Hammurabi and Moses, as if it had been translated from language to language for decades. I thought that it must be more recent -- possibly dating from printers working with lithography in the 19th century.
So I put it into Google Ngrams. As it often is, the results were quite surprising; about 8,700 total uses in about 8,000 different books before 2002, the majority of which are after 1985. Hammurabi is out, but lithography doesn't look like a likely origin for widespread popularity either. That's much more modern than I would have thought -- this was not a pat phrase until the 1990s. That's interesting, so I turned to Google Books to find the results. Of those 8,000 books published before 2002, how many show up in the Google Books search result with a date filter before 2002? Just five. Two books that have "set in stone" in their titles (and thus wouldn't need a working full-text index), one book from 2001, and two volumes of the Congressional record. 99.95% of the books that should be returned in this search -- many of which, in my experience, were generally returned four years ago or so -- have vanished. Further reading: How Google Book Search Got Lost; Whatever Happened To Google Books?; and Google's New Book Search Deals in Ideas, Not Keywords. -
Douglas Rain, Voice of HAL 9000 In '2001: A Space Odyssey,' Dies At 90 (hollywoodreporter.com)
schwit1 shares a report from The Hollywood Reporter: Douglas Rain, the veteran Canadian stage actor who provided the soft and gentle voice of the rogue HAL 9000 computer for Stanley Kubrick's classic 2001: A Space Odyssey and its sequel, has died. He was 90. The first drafts of the 2001 script had HAL being voiced by a woman and was called Athena; afterward, it was decided that the computer should sound more like a man. Nigel Davenport, Martin Balsam and others were tried out -- and ruled out -- before and during filming of the 1968 sci-fi thriller.
"Well, we had some difficulty deciding exactly what HAL should sound like, and Marty just sounded a little bit too colloquially American, whereas Rain had the kind of bland mid-Atlantic accent we felt was right for the part," Kubrick told Newsday film critic Joseph Gelmis in an interview for the 1970 book The Film Director as Superstar. Kubrick told Rain that he had made the computer "too emotional and too human." So, in late 1967, the actor flew to New York City and spent a day and a half -- about 9 1/2 hours in all -- to voice HAL. As reported on the blog 2010: The Year We Make Contact, Rain "did the recordings with his bare feet resting on a pillow, in order to maintain the required relaxed tone." -
Climate Modeller Wins $10,000 Wager Against Solar Physicists, Fails To Collect (blogspot.com)
Layzej writes: Back in 2005, solar physicists Galina Mashnich and Vladimir Bashkirtsev made a $10,000 bet that global temperatures, driven primarily by changes in the Sun's activity, would fall over the next decade. The bet would compare the then record hot years between 1998 to 2003 with that between 2012 and 2017. With temperatures falling from their peak during the 1998 super El-Nino, and solar output continuing to fall, this seemed like a sure bet. The results are now in and all datasets show that climate modeler James Annan is the clear winner.
At the time of the wager, Annan had supposed that the reputation of the scientists involved would be enough to ensure payment once the bet was settled. Unfortunately, as was the case with Alfred Russel Wallace's famous 1870 bet against flat-Earthers, the losing parties have refused to pay up.
"More precisely, Bashkirtsev is refusing to pay," writes the climate modeler on his blog, "and Mashnich is refusing to even reply to email.
"With impressive chutzpah, Bashkirtsev proposed we should arrange a follow-up bet which he would promise to honour." -
Google Warns Apple: Missing Bugs in Your Security Bulletins Are 'Disincentive To Patch' (zdnet.com)
Apple has not documented some high-severity bugs it patched that were reported to it by Google's Project Zero researchers. From a report: While it's good news that Apple beat Project Zero's 90-day deadline for patching or disclosing the bugs it finds, the group's Ivan Fratric recently argued that the practice endangered users by not fully informing them why an update should be installed. This time the criticism comes from Project Zero's Ian Beer, who's been credited by Apple with finding dozens of serious security flaws in iOS and macOS over the years. Beer posted a blog about several vulnerabilities in iOS 7 he found in 2014 that share commonalities with several bugs he has found in iOS 11.4.1, some of which he's now released exploits for.
Beer notes that none of the latest issues is mentioned in the iOS 12 security bulletin even though Apple did fix them. The absence of information about them is a "disincentive" for iOS users to patch, Beer argues. "Apple are still yet to assign CVEs for these issues or publicly acknowledge that they were fixed in iOS 12," wrote Beer. "In my opinion a security bulletin should mention the security bugs that were fixed. Not doing so provides a disincentive for people to update their devices since it appears that there were fewer security fixes than there really were." -
Popular College Majors Changed Abruptly After the Financial Crisis (qz.com)
An anonymous reader shares a report: Ten years have passed since the 2008 financial crisis, and the effects linger. For one thing, the crisis produced a significant shift in American higher education. Scared by a seemingly treacherous labor market, since the downturn college students have turned away from the humanities and towards job-oriented degrees. It's not clear they are making the right decision. The humanities were humming along prior to 2008, according to an analysis by the Northeastern University historian Benjamin Schmidt. Over the previous decade, disciplines like history, philosophy, English literature, and religion were either growing or holding steady as a share of all college majors. But in the decade after the financial crisis, all of these majors took a nosedive. The popularity of the history major is an illustrative example. From 1998 to 2007, the share of college students graduating with a degree in history averaged around 2%. By 2017, it had fallen closer to 1%. (All data in this article are based on reports that colleges submit to the US Department of Education.) Other humanities majors saw a similar fall. "Declines have hit almost every field in the humanities... and related social sciences," wrote Schmidt in The Atlantic. "[T]hey have not stabilized with the economic recovery, and they appear to reflect a new set of student priorities, which are being formed even before they see the inside of a college classroom." -
Ubuntu and CentOS Are Undoing a GNOME Security Feature (bleepingcomputer.com)
An anonymous reader writes: Current versions of Ubuntu and CentOS are disabling a security feature that was added to the GNOME desktop environment last year. The feature's name is Bubblewrap, which is a sandbox environment that the GNOME Project added to secure GNOME's thumbnail parsers in July 2017, with the release of GNOME 3.26. In recent years, security researchers have proven that thumbnail parsers can be an attack vector [1, 2, 3].
Ubuntu Security Tech Lead Alex Murray said the Ubuntu team chose to disable Bubblewrap inside Ubuntu because they did not have the time to perform a security audit. Murray blamed the many CPU bugs (Spectre, Meltdown, etc.), which kept the team busy and prevented them from auditing the feature. -
America's Former CTO Remembers Historic Coders (bard.edu)
Long-time Slashdot reader theodp writes: In her Bard College commencement speech, ex-Google VP and former U.S. CTO Megan Smith revealed to graduates that she gave President Obama a computing history lesson on the same day he learned to code in 2014. "I walked into the Oval Office to do coding with President Obama, and, interestingly, Prince William had just stepped out," Smith explained (YouTube). "They had just had a meeting. I said to President Obama, you know what you and I are about to do is related to Prince William, and he said, how's that. Well, the Prince's wife Kate, her mother and grandmother were codebreakers at Bletchley Park, where they cracked the Nazi Enigma codes...." [Presumably Smith meant to say Kate's great-aunt, not mother — Carole Middleton wasn't born until 1955.]
To be fair to the President, Smith once confessed to not knowing much about computing history herself, explaining in a 2012 Official Google Blog post that she and other visiting tech luminaries were embarrassingly clueless about who Ada Lovelace was in a 2011 visit to England. "Last year, a group of us were lucky enough to visit the U.K. Prime Minister's residence at 10 Downing Street, as part of the Silicon Valley Comes to the U.K. initiative," Smith wrote. "While there, we asked about some of the paintings on the wall. When we got to a large portrait of a regally dressed woman, our host said 'and of course, that's Lady Lovelace'... You can imagine our surprise when we learned she was considered by some to be the world's first computer programmer -- having published the first algorithm intended for use on Charles Babbage's Analytical Engine." One imagines Smith might also have been surprised to learn that many programmers older than Smith were already very aware of Lady Ada at that time thanks to the Department of Defense, who tried in vain to make Ada a household name for decades, but had little success popularizing the Ada programming language, which was named after Augusta Ada King, Countess of Lovelace. -
New Hacking Tool Lets Users Access a Bunch of DVRs and Their Video Feeds (bleepingcomputer.com)
An anonymous reader writes: "An Argentinian security researcher named Ezequiel Fernandez has published a powerful new tool yesterday that can easily extract plaintext credentials for various DVR brands and grant attackers access to those systems, and inherently the video feeds they're supposed to record," reports Bleeping Computer. "The tool, named getDVR_Credentials, is a proof-of-concept for CVE-2018-9995, a vulnerability discovered by Fernandez at the start of last month, [affecting TBK DVR systems]. Fernandez discovered that by accessing the control panel of specific DVRs with a cookie header of 'Cookie: uid=admin,' the DVR would respond with the device's admin credentials in cleartext." Tens of thousands of vulnerable devices available online can be hijacked with their video feeds assembled in voyeur sites, like it's been done in the past. -
Learning To Program Is Getting Harder (slashdot.org)
theodp writes: While Google suggests that parents and educators are to blame for why kids can't code, Allen Downey, Professor at Olin College, argues that learning to program is getting harder. Downey writes: The fundamental problem is that the barrier between using a computer and programming a computer is getting higher. When I got a Commodore 64 (in 1982, I think) this barrier was non-existent. When you turned on the computer, it loaded and ran a software development environment (SDE). In order to do anything, you had to type at least one line of code, even if all it did was another program (like Archon). Since then, three changes have made it incrementally harder for users to become programmers:
1. Computer retailers stopped installing development environments by default. As a result, anyone learning to program has to start by installing an SDE -- and that's a bigger barrier than you might expect. Many users have never installed anything, don't know how to, or might not be allowed to. Installing software is easier now than it used to be, but it is still error prone and can be frustrating. If someone just wants to learn to program, they shouldn't have to learn system administration first.
2. User interfaces shifted from command-line interfaces (CLIs) to graphical user interfaces (GUIs). GUIs are generally easier to use, but they hide information from users about what's really happening. When users really don't need to know, hiding information can be a good thing. The problem is that GUIs hide a lot of information programmers need to know. So when a user decides to become a programmer, they are suddenly confronted with all the information that's been hidden from them. If someone just wants to learn to program, they shouldn't have to learn operating system concepts first.
3. Cloud computing has taken information hiding to a whole new level. People using web applications often have only a vague idea of where their data is stored and what applications they can use to access it. Many users, especially on mobile devices, don't distinguish between operating systems, applications, web browsers, and web applications. When they upload and download data, they are often confused about where is it coming from and where it is going. When they install something, they are often confused about what is being installed where. For someone who grew up with a Commodore 64, learning to program was hard enough. For someone growing up with a cloud-connected mobile device, it is much harder. theodp continues: So, with the Feds budgeting $200 million a year for K-12 CS at the behest of U.S. tech leaders, can't the tech giants at least put a BASIC on every phone/tablet/laptop for kids? -
Can We Get Global Broadband From Low-Earth Orbit Satellites? (blogspot.com)
"The internet is unavailable to and/or unaffordable by about 50% of the world population," writes Larry Press (formerly of IBM), who's now an information systems professor at California State University. But he's also long-time Slashdot reader lpress, and reports on new efforts to bring cheap high-speed internet to the entire world. SpaceX, Boeing, OneWeb, Telesat, and Leosat are investing in very large projects to deliver global, high-speed Internet service [using low-earth orbit satellites]. This could be a significant option for developing nations, rural areas of developed nations, long-haul links, Internet of things, and more by the mid-2020s.
Parts of Alaska could see internet-via-satellite as soon as 2020, according to Larry's article, which adds that the technology could even be used to bring high-speed internet access to ships at sea. -
Windows 8 and Later Fail To Properly Apply ASLR (bleepingcomputer.com)
An anonymous reader writes: Windows 8, Windows 8.1, and subsequent Windows 10 variations fail to properly apply ASLR, rendering this crucial Windows security feature useless. The bug appeared when Microsoft changed a registry value in Windows 8 and occurs only in certain ASLR configuration modes. Basically, if users have system-wide ASLR protection turned on, a bug in ASLR's implementation on Windows 8 and later will not generate enough entropy (random data) to start application binaries in random memory locations. For ASLR to work properly, users must configure it to work in a system-wide bottom-up mode. An official patch from Microsoft is not available yet, but a registry hack can be applied to make sure ASLR starts in the correct mode.
The bug was discovered by CERT vulnerability analyst Will Dormann while investigating a 17-year-old bug in the Microsoft Office equation editor, to which Microsoft appears to have lost the source code and needed to patch it manually. -
What Did 17th Century Food Taste Like? (blogspot.com)
Benjamin Breen, an assistant professor of history at UC Santa Cruz, looks at art history to figure out what people cooked in the 1600s, and wonders whether it is possible to ascertain the taste of food. From a blog post: What can we learn about how people ate in the seventeenth century? And even if we can piece together historical recipes, can we ever really know what their food tasted like? This might seem like a relatively unimportant question. For one thing, the senses of other people are always going to be, at some level, unknowable, because they are so deeply subjective. Not only can I not know what Velazquez's fried eggs tasted like three hundred years ago, I arguably can't know what my neighbor's taste like. And why does the question matter, anyway? A very clear case can be made for the importance of the history of medicine and disease, or the histories of slavery, global commerce, warfare, and social change. By comparison, the taste of food doesn't seem to have the same stature. Fried eggs don't change the course of history. But taste does change history. Fascinating read. -
Converted Missile Launches Military Satellite to Track Spacecraft (space.com)
schwit1 was the first to share the news about Saturday's successful launch from Cape Canaveral: A satellite designed to help the U.S. military keep tabs on the ever-growing population of orbiting objects took to the skies atop a converted missile early Saturday morning. The Air Force's Operationally Responsive Space-5 (ORS-5) satellite lifted off from Florida's Cape Canaveral Air Force Station at 2:04 a.m. EDT (0604 GMT) atop an Orbital ATK Minotaur IV rocket, which carved a fiery orange arc into the sky as it rose... The first three stages of the Minotaur IV rocket are derived from decommissioned Peacekeeper intercontinental ballistic missiles... This morning's launch was the sixth for the Minotaur IV and the 26th overall for the Minotaur rocket family, which also includes the flight-proven Minotaur I, II and V vehicles.
The Orlando Sentinel notes it took place on "a long-dormant launch pad on the Space Coast...Launch Complex 46, which last hosted a rocket launch in 1999..." -
Deserialization Issues Also Affect .NET, Not Just Java (bleepingcomputer.com)
"The .NET ecosystem is affected by a similar flaw that has wreaked havoc among Java apps and developers in 2016," reports BleepingComputer. An anonymous reader writes: The issue at hand is in how some .NET libraries deserialize JSON or XML data, doing it in a totally unsecured way, but also how developers handle deserialization operations when working with libraries that offer optional secure systems to prevent deserialized data from accessing and running certain methods automatically. The issue is similar to a flaw known as Mad Gadget (or Java Apocalypse) that came to light in 2015 and 2016. The flaw rocked the Java ecosystem in 2016, as it affected the Java Commons Collection and 70 other Java libraries, and was even used to compromise PayPal's servers.
Organizations such as Apache, Oracle, Cisco, Red Hat, Jenkins, VMWare, IBM, Intel, Adobe, HP, and SolarWinds, all issued security patches to fix their products. The Java deserialization flaw was so dangerous that Google engineers banded together in their free time to repair open-source Java libraries and limit the flaw's reach, patching over 2,600 projects. Now a similar issue was discovered in .NET. This research has been presented at the Black Hat and DEF CON security conferences. On page 5 [of this PDF], researchers included reviews for all the .NET and Java apps they analyzed, pointing out which ones are safe and how developers should use them to avoid deserialization attacks when working with JSON data. -
23 Years Of The Open Source 'FreeDOS' Project (linuxjournal.com)
Jim Hall is celebrating the 23rd birthday of the FreeDOS Project, calling it "a major milestone for any free software or open-source software project," and remembering how it all started. An anonymous reader quotes Linux Journal: If you remember Windows 3.1 at the time, it was a pretty rough environment. I didn't like that you could interact with Windows only via a mouse; there was no command line. I preferred working at the command line. So I was understandably distressed in 1994 when I read via various tech magazines that Microsoft planned to eliminate MS-DOS with the next version of Windows. I decided that if the next evolution of Windows was going to be anything like Windows 3.1, I wanted nothing to do with it... I decided to create my own version of DOS. And on June 29, 1994, I posted an announcement to a discussion group... Our "PD-DOS" project (for "Public Domain DOS") quickly grew into FreeDOS. And 23 years later, FreeDOS is still going strong! Today, many people around the world install FreeDOS to play classic DOS games, run legacy business software or develop embedded systems...
FreeDOS has become a modern DOS, due to the large number of developers that continue to work on it. You can download the FreeDOS 1.2 distribution and immediately start coding in C, Assembly, Pascal, BASIC or a number of other software development languages. The standard FreeDOS editor is quite nice, or you can select from more than 15 different editors, all included in the distribution. You can browse websites with the Dillo graphical web browser, or do it "old school" via the Lynx text-mode web browser. And for those who just want to play some great DOS games, you can try adventure games like Nethack or Beyond the Titanic, arcade games like Wing and Paku Paku, flight simulators, card games and a bunch of other genres of DOS games.
On his "Open Source Software and Usability" blog, Jim says he's been involved with open source software "since before anyone coined the term 'open source'," and first installed Linux on his home PC in 1993. Over on the project's blog, he's also sharing appreciative stories from FreeDOS users and from people involved with maintaining it (including memories of early 1980s computers like the Sinclair ZX80, the Atari 800XL and the Coleco Adam). Any Slashdot readers have their own fond memories to share? -
Android Devices Can Be Fatally Hacked By Malicious Wi-Fi Networks (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: A broad array of Android phones is vulnerable to attacks that use booby-trapped Wi-Fi signals to achieve full device takeover, a researcher has demonstrated. The vulnerability resides in a widely used Wi-Fi chipset manufactured by Broadcom and used in both iOS and Android devices. Apple patched the vulnerability with Monday's release of iOS 10.3.1. "An attacker within range may be able to execute arbitrary code on the Wi-Fi chip," Apple's accompanying advisory warned. In a highly detailed blog post published Tuesday, the Google Project Zero researcher who discovered the flaw said it allowed the execution of malicious code on a fully updated 6P "by Wi-Fi proximity alone, requiring no user interaction." Google is in the process of releasing an update in its April security bulletin. The fix is available only to a select number of device models, and even then it can take two weeks or more to be available as an over-the-air update to those who are eligible. Company representatives didn't respond to an e-mail seeking comment for this post. The proof-of-concept exploit developed by Project Zero researcher Gal Beniamini uses Wi-Fi frames that contain irregular values. The values, in turn, cause the firmware running on Broadcom's wireless system-on-chip to overflow its stack. By using the frames to target timers responsible for carrying out regularly occurring events such as performing scans for adjacent networks, Beniamini managed to overwrite specific regions of device memory with arbitrary shellcode. Beniamini's code does nothing more than write a benign value to a specific memory address. Attackers could obviously exploit the same series of flaws to surreptitiously execute malicious code on vulnerable devices within range of a rogue access point. -
No, We Probably Don't Live in a Computer Simulation, Says Physicist (gizmodo.com)
Science doesn't have all the answers. There are plenty of things it may never prove, like whether there's a God. Or whether we're living in a computer simulation, something proposed by Swedish philosopher Nick Bostrom. From an article on Gizmodo: This kind of thinking made at least one person angry, theoretical physicist and science writer Sabine Hossenfelder from the Frankfurt Institute for Advanced Studies in Germany. Last week, she took to her blog Backreactions to vent. It's not the statement "we're living in a simulation" that upsets Hossenfelder. It's the fact that philosophers are making assertions that, if true, should most certainly manifest themselves in our laws of physics. "I'm not saying it's impossible," Hossenfelder told Gizmodo. "But I want to see some backup for this claim." Backup to prove such a claim would require a lot of work and a lot of math, enough to solve some of the most complex problems in theoretical physics. -
Is Your Internet Connection Free From Bufferbloat? (blogspot.com)
Bufferbloat is that "undesirable latency that comes from a router or other network equipment buffering too much data," according to the site for an ongoing project trying to address it. Now long-time Slashdot reader mtaht writes: Inside the lede-project, two core new bufferbloat-fighting techniques are poised to enter the linux mainline kernel and thousands of routers -- the first being a fq-codel'd and airtime fair scheduler for wifi, and the second, the new "cake" qdisc, which outperforms fq_codel across the board for shaping inbound and outbound connections.
His submission ends with a question for Slashdot readers. "It's been nearly six years since the start of the bufferbloat project. Have you or has your ISP fixed your bufferbloat yet?" -
FreeDOS 1.2 Is Finally Released (freedos.org)
Very long-time Slashdot reader Jim Hall -- part of GNOME's board of directors -- has a Christmas gift. Since 1994 he's been overseeing an open source project that maintains a replacement for the MS-DOS operating system, and has just announced the release of the "updated, more modern" FreeDOS 1.2! [Y]ou'll find a few nice surprises. FreeDOS 1.2 now makes it easier to connect to a network. And you can find more tools and games, and a few graphical desktop options including OpenGEM. But the first thing you'll probably notice is the all-new installer that makes it much easier to install FreeDOS. And after you install FreeDOS, try the FDIMPLES program to install new programs or to remove any you don't want. Official announcement also available at the FreeDOS Project blog.
FreeDOS also lets you play classic DOS games like Doom, Wolfenstein 3D, Duke Nukem, and Jill of the Jungle -- and today marks a very special occasion, since it's been almost five years since the release of FreeDOS 1.1. "If you've followed FreeDOS, you know that we don't have a very fast release cycle," Jim writes on his blog. "We just don't need to; DOS isn't exactly a moving target anymore..." -
Uber Lost $800 Million In Third Quarter (cnbc.com)
According to a report from The Information (Warning: paywalled), Uber has lost more than $800 million in the third quarter. CNBC reports: The results, The Information reported, put Uber on pace to record a 25 percent steeper operating loss than last year, of at least $2.8 billion in 2016, before interest, tax, depreciation and amortization. Despite steep results from one of the world's most valuable start-ups, these results would have been worse if not for a one-time windfall thanks to the sale of Uber's China business to Didi Chuxing, The Information reported. On the bright side, Uber's revenue is skyrocketing, and its rate of losses slowed from the prior quarter, The Information said. Still, the report comes as Uber's multi-billion dollar valuation has come under scrutiny from those who say its business model depends on subsidies and faces looming battles over regulation. -
Zero-Days Hitting Fedora and Ubuntu Open Desktops To a World of Hurt (arstechnica.com)
An anonymous reader writes: It's the year of the Linux desktop getting pwned. Chris Evans (not the red white and blue one) has released a number of Linux zero day exploits, the most recent of which employs specially crafted audio files to compromise Linux desktop machines. Ars Technica reports: "'I like to prove that vulnerabilities are not just theoretical -- that they are actually exploitable to cause real problems,' Evans told Ars when explaining why he developed -- and released -- an exploit for fully patched systems. 'Unfortunately, there's still the occasional vulnerability disclosure that is met with skepticism about exploitability. I'm helping to stamp that out.' Like Evans' previous Linux zero-day, the proof-of-concept attacks released Tuesday exploit a memory-corruption vulnerability closely tied to GStreamer, a media framework that by default ships with many mainstream Linux distributions. This time, the exploit takes aim at a flaw in a software library alternately known as Game Music Emu and libgme, which is used to emulate music from game consoles. The two audio files are encoded in the SPC music format used in the Super Nintendo Entertainment System console from the 1990s. Both take aim at a heap overflow bug contained in code that emulates the console's Sony SPC700 processor. By changing the .spc extension to .flac and .mp3, GStreamer and Game Music Emu automatically open them." -
Google Global Cache Is Coming to Cuba (ap.org)
"The Associated Press reports that on Monday Eric Schmidt will be in Havana to sign a deal bringing Google Global Cache to Cuba," writes lpress. Here are some details from the AP's report on the deal. Cuba suffers from some of the world's slowest internet speeds due to a range of problems that include the convoluted, and thus slower, paths that data must travel between Cuban users and servers that are often in the U.S... home internet connections remain illegal for virtually all Cubans, forcing them to use public WiFi spots that are often shared by dozens of people at a time and run at achingly slow speeds... Both pro-detente forces and those arguing for a hard line on President Raul Castro's single-party government have been pushing for Cubans to have better access to information.
The article cites Slashdot reader Larry Press as "a California-based expert on the Cuban internet," who also shares some more thoughts on his blog. "I'd love to see a country -- even a small one -- in which Google Plus was more popular than Facebook." -
Should Domain-Name Registrations Require A Verifiable Real Name? (blogspot.com)
lpress writes: The Internet was a major source of news -- fake and real -- during the election campaign. The operators of fake sites, whether motivated by politics or greed, are often anonymous. We avoid voter fraud by requiring verification of one's name, age and address. A verifiable real-names domain registration policy would discourage information fraud.
"I understand the wish to protect the privacy of a person or organization registering a domain name," argues the linked-to blog post, "but there is also a public interest." ICANN already requested comments on this back in 2015, but I'm curious what Slashdot's readers think. Should domain name registrations require a verifiable real name? -
Google's 'Project Zero' Hid A Major Vulnerability in Apple's OS and iOS Cores (thestack.com)
In June Google's task-force against zero day exploits "identified a coding exploit in the underlying kernel of Apple's OSX and its mobile operating system iOS, which could allow for root-level escalation of privileges for an attacker in a non-updated version of the OS," according to The Stack.
An anonymous reader writes that Google "initially refused Apple's request for sixty days' grace, but eventually settled on September 21st for disclosure. But when Apple's last-minute September fix turned out to be ineffective, Project Zero agreed to keep quiet, eventually granting Apple nearly five months of silence about the task_t bug -- which has now been fixed in the latest updates to Mac OS and iOS." The fix was released Monday, the Stack reports: Since the task_t bug allows the user to gain any entitlements they may want, it could also nullify kernel code signing, which would allow unauthorized programs to run with elevated privileges on a Mac system. Any current OSX or iOS user who has applied the latest system updates is not susceptible to the task_t vulnerability. -
Google Fiber Pauses Operations, CEO Leaves, and About 9 Percent of Staff Is Being Let Go (bloomberg.com)
The future of Google Fiber has been shaky ever since Google's parent company, Alphabet, was founded. The original plan was to expand Fiber's blazing fast internet service to more than 20 cities, with the goal of eventually delivering nationwide gigabit service. However, Alphabet hit the reset button on those plans Tuesday. Not only is Google Fiber CEO Craig Barratt leaving, but about 9 percent of staff is being let go. That translates to about 130 job losses, since the business has about 1,500 employees. Bloomberg reports: Barratt wrote in a blog post that the company is pulling back fiber-to-the-home service from eight different cities where it had announced plans. Those include major metropolitan areas such as Dallas, Los Angeles and Phoenix. Moving into big cities was a contentious point inside Google Fiber, according to one former executive. Leaders like Barratt and Dennis Kish, who runs Google Fiber day-to-day, pushed for the big expansion. Others pushed back because of the prohibitive cost of digging up streets to lay fiber-optic cables across some of America's busiest cities. "I suspect the sheer economics of broad scale access deployments finally became too much for them," said Jan Dawson, an analyst with Jackdaw Research. "Ultimately, most of the reasons Google got into this in the first place have either been achieved or been demonstrated to be unrealistic." -
Chrome 54 Arrives With YouTube Flash Embed Rewriting To HTML5 (venturebeat.com)
Krystalo quotes a report from VentureBeat: Google today launched Chrome 54 for Windows, Mac, and Linux. This release is mainly focused on developers, but the improvements to how the browser handles YouTube embeds are also noteworthy. You can update to the latest version now using the browser's built-in silent updater, or download it directly from google.com/chrome. Chrome 54 rewrites YouTube Flash players to use the YouTube HTML5 embed style. YouTube ditched Flash for HTML5 by default in January 2015, but the old embeds still exist all over the web. Google says the change improves both performance and security for its desktop browser. The report adds that "Chrome also now provides support for the custom elements V1 spec," which allows "developers to create custom HTML tags as well as define their API and behavior in JavaScript." BroadcastChannel API will also be implemented "to allow one-to-many messaging between windows, tabs, iframes, web workers, and service workers." You can read more about Chrome 54 on Google's blog post. -
Google Chrome 55 May Use Less Memory (blogspot.com)
Slashdot reader justthinkit writes: Google Chrome is arguably the best browser and the biggest memory hog. Presently. But the Google engineers are hard at work, optimizing the next version of Chrome. Will this be an important, or just another incremental, upgrade?
They're specifically targeting the browser's JavaScript engine, V8, and they've already "analyzed and significantly reduced the memory footprint of several websites that were identified as representative..." (For example, on the mobile New York Times site they've reduced heap memory consumption by about 66%.) Chrome 55 is scheduled for release in December. Any Chrome fans looking forward to testing its performance? -
Google Fiber Is Now a Fiber and Wireless ISP (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: Google Fiber today said it has completed its acquisition of Webpass, a wireless Internet service provider that will figure prominently into its plans for deployment of high-speed Internet. But the Alphabet division is not giving up on fiber, saying it will use both wireless and fiber networks to compete against cable companies and telcos. Google Fiber revealed its plan to buy Webpass in June, and the company said in an announcement today that Webpass "is now officially part of the Google Fiber family." The Webpass site has been updated to call the service "Webpass from Google Fiber." Webpass uses point-to-point wireless technology that's useful for connecting businesses and multi-unit residential buildings in densely populated areas. It hasn't been financially feasible for Webpass to bring its high-speed network to single-family homes, so it can't fully replace Google Fiber's wired Internet service. "[O]ur strategy going forward will be a hybrid approach with wireless playing an integral part," Google Fiber President Dennis Kish wrote. "Going forward, Webpass will continue to grow and scale their business with point-to-point wireless technology, including expanding into new cities. And for our part, Google Fiber will continue to build out our portfolio of wireless and fiber technologies, to bring super fast Internet to more people, faster." Existing Webpass customers will see no change to their service, he wrote. Webpass's residential service offers speeds of up to 1Gbps for $60 a month in San Francisco, San Diego, Miami, Chicago, and Boston. There's no word yet on where Webpass will deploy next. -
Google Allo Messaging App Launches For iOS and Android (phonedog.com)
An anonymous reader writes: Google has officially launched their long-awaited messaging app for iOS and Android, called Google Allo. There are several unique features associated with this app that Google hopes will win you over. Smart Reply lets you respond to messages with just a tap, so you can send a quick "yup" in response to a friend asking "Are you on your way?" It will also suggest responses for photos. For example, if you send a picture of a dog, Smart Reply might suggest a heart emoji or "Super cute!" message, which you can select and send with a tap. Google says Smart Reply will improve over time and adjust to your style. You can also send large or small text and emojis, as well as draw on pictures. There's an incognito mode that will activate end-to-end encryption, discreet notifications, and message expiration on your chats. Arguably best of all is the Google Assistant that can be added to your chats to automatically cater useful information to you depending on what is being conversed in the chat. For example, it can deliver news, weather, traffic, sports or your upcoming flight status to your chat. You can also ask your Assistant to "share that funny YouTube video or play games with friends right in your group chat." Google Allo is rolling out to Android and iOS starting today. -
Google Launches 'Google Trips' Personalized Travel Planner (techcrunch.com)
Google has an app for just about everything. Their latest application, called Google Trips, aims to help you better plan your vacations and other travels. TechCrunch reports: Called Google Trips, the iOS and Android app pulls in a combination of data from Google Maps and crowdsourced contributions from other travelers, in order to offer a personalized travel guide that helps you keep track of your day trips, reservations, points of interest, tourist attractions, restaurants and more. The home screen includes a search box with a prompt "where do you want to go?" for planning new trips, and other cards let you keep track of your current and upcoming vacations and plans. What's helpful is that each city you plan to visit during one of your trips can each have its own tab within the larger "Trip" section, and with a simple toggle switch, you can download all the information about that destination for offline access. Meanwhile, on each city's screen, a variety of colorful cards help you jump into various sections like "Saved places," "Day Plans," "Food and Drink," "Getting around," "Things to do," "Reservations," and more. Google says Trips can show you the most popular day plans and itineraries for the top 200 cities worldwide. This information is actually based on historic visit data from other travelers, which Google has then assembled into lists that include the most popular sights and attractions. In addition to sightseeing, the app can also track flight, hotel, car and restaurant reservations, which makes the app something of a competitor to Concur's TripIt, and, to some extent, the new territory Airbnb is carving out with its own forthcoming Airbnb Trips app, which will focus on travel services. However, what makes Google Trips compelling is that it leverages Google's ability to tap into the data you have stored in your Gmail, as it automatically gathers your reservations from your email and organizes them into trips on your behalf.
Google Trips is live now on Android and iOS. -
Google's New Angular 2.0 Isn't Compatible With Angular 1 (techcrunch.com)
An anonymous Slashdot reader quotes TechCrunch: When Google announced Angular 2 in 2014, it created quite a stir in the web development community because this new version wasn't just an update, but instead a complete rewrite that wasn't compatible with the older version... "Angular 1 first solved the problem of how to develop for an emerging web," the company writes... "Six years later, the challenges faced by today's application developers, and the sophistication of the devices that applications must support, have both changed immensely."
Announcing the final release version of Angular 2 last week, Google thanked the open source community, saying "We are grateful to the large number of contributors who dedicated time to submitting pull requests, issues, and repro cases, who discussed and debated design decisions, and validated (and pushed back on) our RCs." TechCrunch writes that Google's Angular team "now also recommends that developers use TypeScript to write their apps...a Microsoft-developed superset of JavaScript that adds features like static typing and class-based object-oriented programming." -
Google Is Offering $200K To Hack Android Phones Using Email and A Phone Number (thenextweb.com)
Google is feeling so confident about the security of their latest Android 7.0 Nougat operating system that they're offering $200,000 to anyone who can remotely execute code on a Nexus 6P or 5X running Android 7.0. The Next Web reports: Today, Google is launching the Project Zero Security Contest and awarding over $300,000 in prizes to anyone who can hack Nexus 6P and 5X knowing only the devices' phone number and email address. To be eligible to win, contestants are required to dig up vulnerabilities that can be exploited remotely -- by sending a text message or an email, for instance. All winning participants will be invited to describe the bugs they've discovered in a short technical report that will appear on the Project Zero Blog. The winner will scoop $200,000, while the runner-up will receive $100,000. There's also another $50,000 in the prize pool for any additional winning entries. -
Google Integrates Cast Into Chrome, No Extension Required (venturebeat.com)
An anonymous reader writes from a report via VentureBeat: On Monday, Google announced Google Cast is now built right into Chrome, allowing anyone using the company's browser to cast content to supported devices without having to install or configure anything. The Google Cast extension for Chrome, which launched in July 2013, is no longer required for casting. The report adds: "Here's how it works. When you browse websites that are integrated with Cast, Chrome will now show you a Cast icon as long as you're on the same network as a Cast device. With a couple of clicks, you can view the website content on your TV, listen to music on your speakers, and so on. In fact, Google today also integrated Hangouts with Google Cast: Signed-in users on Chrome 52 or higher can now use the 'Cast...' menu item from Chrome to share the contents of a browser tab or their entire desktop into a Hangout." The support document details all the ways you can use Google Cast with Chrome. -
Snowden Speculates Leak of NSA Spying Tools Is Tied To Russian DNC Hack (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: Two former employees of the National Security Agency -- including exiled whistleblower Edward Snowden -- are speculating that Monday's leak of what are now confirmed to be advanced hacking tools belonging to the U.S. government is connected to the separate high-profile hacks and subsequent leaks of two Democratic groups. Private security firms brought in to investigate the breach of the Democratic National Committee and a separate hack of the Democratic Congressional Campaign Committee have said that the software left behind implicates hackers tied to the Russian government. U.S. intelligence officials have privately said they, too, have high confidence of Russian government involvement. Both Snowden and Dave Aitel, an offensive security expert who spent six years as an NSA security scientist, are speculating that Monday's leak by a group calling itself Shadow Brokers is in response to growing tensions between the U.S. and Russia over the hacks on the Democratic groups. As this post was being prepared, researchers with Kaspersky Lab confirmed that the tools belong to Equation Group, one of the most sophisticated hacking groups they've ever investigated. "Why did they do it?" Snowden wrote in a series of tweets early Tuesday morning. "No one knows, but I suspect this is more diplomacy than intelligence, related to the escalation around the DNC hack." In a brief post of his own, Aitel agreed that Russia is the most likely suspect behind both the Democratic hacks and the leaking of the NSA spying tools. He also said the NSA data was likely obtained by someone with physical access to an NSA secure area who managed to walk out with a USB stick loaded with secrets. -
Online Fame Distracts 9th-Grader Who Built That Clock Mistaken For A Bomb (washingtonpost.com)
An anonymous Slashdot reader writes: This week the Washington Post ran a long profile of Ahmed Mohamed, the 14-year-old boy whose home-made clock got him arrested after school officials and the local police mistook it for a bomb last summer. The Justice Department is currently investigating the incident -- while the school district is suing the Texas attorney general, and the boy's family is suing the school district. But Ahmed has just returned back to Texas, and spoke to the press -- including a local Fox news affiliate which later broadcast a commentary saying his family was obsessed with fame and plotted the arrest.
Over the last year Ahmed's read everything that appeared online about him, but never responds because he doesn't want to give in to anger. The Post writes that while some kids at school called him ISIS Boy, "Sympathetic crowdfunders raised $18,000 for his education. He visited the White House, the Google Science Fair and the president of his home country of Sudan (a wanted war criminal, but Mohamed said it would be rude not to accept the invitation)." Though he'd like to return to the U.S. someday for college, he's been living in Qatar, where a government organization paid for private schooling for him and his sister. But the Post says he still sometimes imagines what his life might've been like if the incident had never happened. "By now he could have invented something new -- not just a clock that only took him a few minutes to put together from parts in his family's garage, which was full of '90s-era electronics from when his uncle ran a chain called Beeper Warehouse." -
Google's New Emoji Aimed At Promoting Gender Equality Are Coming (arstechnica.com)
An anonymous reader writes: Based largely on a proposal from Unicode Consortium member Google, Unicode Consortium has announced plans to support new emoji aimed at promoting gender equality. There will be "11 new 'professional' emoji [that] will depict both men and women performing different jobs, and there will be both male and female versions of 33 existing emoji that currently depict either a man or a woman but not both," writes Ars Technica. "The new professions include, in the Unicode Consortium's words: a farmer, welder, mechanic, health worker, scientist, coder, business worker, chef, student, teacher, and rockstar." What's unusual about the new emoji is that they're created using combinations of existing emoji to avoid waiting for Unicode version 10.0 to be finalized in June of 2017. By using a special "zero-width joiner" (ZWJ) character between two or more emoji, operating systems that support it know to put out a different composite emoji rather than a series of separate emoji. "The new emoji for professions start with either a man or woman emoji, then a ZWJ character, then another character related to the job," reports Ars. "Emoji that were previously one specific gender (the dancing woman or the man running) can be joined to a male or female symbol with a ZWJ character to create emoji of either gender. And all of these emoji can be combined with the existing skin tone modifiers to produce diverse versions of either gender." We may see these combined emoji before the end of the year as software companies begin to integrate them into their operating systems. -
Google Gets Land For Its Futuristic Headquarters, Thanks To LinkedIn Deal (arstechnica.com)
An anonymous reader writes from a report via Ars Technica: Silicon Valley Business Journal reports that Google and LinkedIn have worked out a deal that will allow the two neighbors to swap a few million square feet of real estate. The deal will help give Google enough room to build its futuristic "canopy" campus. Ars Technica reports: "Google will receive all of LinkedIn's existing Mountain View territory, which consists of LinkedIn's 370,000-square-feet headquarters and almost eight acres of land LinkedIn had planned on turning into office space. LinkedIn will move a few miles across town into four office buildings currently owned by Google that come out to about 750,000 square feet of office space. LinkedIn instantly gets to double its office space while avoiding a costly 'five- to six-year' construction project, and Google gets the space and building rights it needs to build its crazy indoor/outdoor spiderweb canopy utopia. Google owns a huge chunk of land in Mountain View with many office buildings, but the buildings have all been hand-me-downs. In February 2015, Google announced plans to renovate its campus with an ambitious design featuring a large membrane covering configurable activity space. To expand, both LinkedIn and Google needed to compete for Mountain View's 2.2 million square feet of available commercial square footage. The city, fearing it would become an all-Google town, awarded the majority of the construction rights -- 1.4 million square feet -- to LinkedIn, leaving Google with nowhere to build its new headquarters. With the real estate swap, those construction rights go to Google, so the company now has all the space it asked for." Last month, Microsoft announced plans to acquire LinkedIn for $26.2 billion. -
Google To Offer Better Medical Advice When You Search Your Symptoms (cnbc.com)
An anonymous reader writes from a report via CNBC: Google said Monday that it will be improving its catalog of searched Googled health symptoms by adding information on related health conditions that have been vetted by the Mayo Clinic and Harvard Medical School. For example, if you type "headache on one side," Google will offer up a list of associated conditions like "migraine," "common cold" or "tension headache." When it comes to general searches like "headache," the company will also give an overview description along with information on self-treatment options or symptoms that warrant a doctor's visit. In Google's official blog post, the company said roughly 1 percent of the searches on Google, which equates to millions of searches, are related to symptoms users are researching. However, search results can be confusing, and result in "unnecessary anxiety and stress," Google said. It plans to use its Knowledge Graph feature, which contains high-quality medical information collected from doctors, to enhance search results. -
Court Slams Record Companies in New Vimeo/DMCA Ruling (arstechnica.com)
Remember when Capitol Records sued Vimeo over copyright-violating videos? They just lost in court again, when an Appeals court overruled three lower court decisions. Slashdot reader NewYorkCountryLawyer shares the specifics of the Appeals court's findings: [T]he Copyright Office was dead wrong in concluding that pre-1972 sound recordings aren't covered by the DMCA... the judge was wrong to think that Vimeo employees' merely viewing infringing videos was sufficient evidence of "red flag knowledge"... a few sporadic instances of employees being cavalier about copyright law did not amount to a "policy of willful blindness" on the part of the company. "The decision once again affirms that the DMCA extends immunity to a service provider for the infringement of their customers if the service provider removes material at the request of the right holder," writes Ars Technica. -
Google Releases Spaces Group-Sharing App On Android, iOS, and Desktop (blogspot.com)
Google on Monday released Spaces, an app that is designed to make it easier to share links, videos and other things from the Web in group conversations. The app, which has been in private beta for a few months, is available for Android, iOS, desktop and mobile web. Google explains: With Spaces, it's simple to find and share articles, videos and images without leaving the app, since Google Search, YouTube, and Chrome come built in. When someone shares something new to a space, the conversational view lets you see what the group is talking about without missing a beat. And if you ever want to find something that was shared earlier -- articles, videos, comments or even images -- a quick search lets you pull it up in a snap. -
Google Launches 'Gboard' Keyboard For iOS, Featuring Built-In Google Search (techcrunch.com)
An anonymous reader writes: Google launched a new keyboard application called "Gboard" for iOS today that features Google Search built-in to the keyboard itself. In addition, it offers swipe-based typing and access to GIFs, as well as some basic features like emojis and word predictions. The "G" icon in the upper lefthand corner opens a window for you to search Google without leaving the keyboard and launching a browser or the Google app. From there you can search for things like flight times, news articles, restaurant and business listings, weather and more, and paste that information into your chat with a single tap. The information is presented in a card-style layout. "We wanted to bring the best of Google to Gboard, so you'll see Maps, Translate, image and video search, News and others," says Rajan Patel, head of the product team that developed Gboard. "Initially, Gboard will not surface any information specific to you," he added, hinting that a personalized keyboard is in the works for the future. -
Google Open-Sources SyntaxNet Natural-Language Understanding Library, Parsey McParseface Training Model
Google announced on Thursday that it is open sourcing its new language parsing model called SyntaxNet. It's a piece of natural-language understanding software, Google says, that you can use to automatically parse sentences, as part of its TensorFlow open source machine learning library. The company also announced that it is releasing something called Parsey McParseface (Google has a sense of humor), which is a pre-trained model for parsing English-language text. Nate Swanner of The Next Web attempts to explain it: Combining machine learning and search techniques, Parsey McParseface is 94 percent accurate, according to Google. It also leans on SyntaxNet's neural-network framework for analyzing the linguistic structure of a sentence or statement, which parses the functional role of each word in a sentence. If you're confused, here's the short version: Parsey and SyntaxNet are basically like five year old humans who are learning the nuances of language. In Google's simple example above, 'saw' is the root word (verb) for the sentence, while 'Alice' and 'Bob' are subjects (nouns). Parsey's scope can get a bit broader, too. -
Google Bans Ads For Payday Loans (theverge.com)
An anonymous reader writes: Google has decided it doesn't want to promote predatory lending practices that are harmful to consumers, so the company has decided to ban ads for payday loans and some related products from their ads systems. "Research has shown that these loans can result in unaffordable payment and high default rates for users so we will be updating our policies globally to reflect that," Google's product policy director, David Graff, writes in a blog post. Payday loans often come with extremely high interest rates if they aren't paid back immediately, which can push people further in debt. Georgetown's Center on Privacy and Technology notes in a statement, "Payday lenders profit from people's weaknesses -- particularly poor people and people of color. Every time someone clicks on those ads, search engines profit, too." While Google may lose some revenue in the short run by removing these ads, the move will likely benefit the company in the long run (positive PR doesn't hurt) as Google users should have more trust in the ads they come across. Payday loans will be banned from Google globally starting June 13th. -
Google News Will Now Highlight Local News Sources For Major Stories (theverge.com)
An anonymous reader quotes a report from The Verge: Google's News section will now highlight the importance of local news sources. "When a local story is picked up by national publishers, it can be difficult for local sources to be heard even after they've done the legwork and research to break a story," admits James Morehead, Google News product manager. Google is helping with a new change today that will see a "Local Source" tag applied to all Google News instances. Google is tagging local news based on where a publisher has written about previously and matching it to a story location. Tagged articles will be available on the web and in Google's iOS and Android apps, and will serve as a way to highlight a local source on a national story. -
Google CEO Predicts AI-Fueled Future (usatoday.com)
Google CEO Sundar Pichai says the next big evolution for technology is AI. "Looking to the future, the next big step will be for the very concept of the 'device' to fade away," Pichai wrote in Google's annual founders' letter. USA Today writes: His vision: Over time, computers, whatever shape they take, a mobile device in your hand or a mini computer on your wrist, "will be an intelligent assistant helping you through your day." This marks the first time anyone other than founders Larry Page and Sergey Brin has penned the annual letter outlining Google's mission. "For us, technology is not about the devices or the products we build. Those aren't the end-goals," Pichai wrote in the letter posted Thursday. "Technology is a democratizing force, empowering people through information. Google is an information company. It was when it was founded, and it is today."