Domain: github.com
Stories and comments across the archive that link to github.com.
Stories · 729
-
A $300 Device Can Steal Mac FileVault2 Passwords (bleepingcomputer.com)
An anonymous reader writes: Swedish hardware hacker Ulf Frisk has created a device that can extract Mac FileVault2 (Apple's disk encryption utility) passwords from a device's memory before macOS boots and anti-DMA protections kick in. The extracted passwords are in cleartext, and they also double as the macOS logon passwords. The attack requires physical access, but it takes less than 30 seconds to carry out. A special device is needed, which runs custom software (available on GitHub), and uses hardware parts that cost around $300. Apple fixed the attack in macOS 10.12.2. The device is similar to what Samy Kamkar created with PoisonTap. -
VM-Neutral Node.js API Unveiled, As NodeSource Collaborates With Microsoft, Mozilla, Intel and IBM (medium.com)
An anonymous reader writes: This week saw the first proof of concept for Node.js API (or NAPI for short), "making module maintainers' lives easier by defining a stable module API that is independent from changes in [Google's JavaScript engine] V8 and allowing modules to run against newer versions of Node.js without recompilation." Their announcement cites both the efforts of the Node.js API working group and of ChakraCore, the core part of the Chakra Javascript engine that powers Microsoft Edge.
And there was also a second announcement -- that the Node.js build system "will start producing nightly node-chakracore builds, enabling Node.js to be used with the ChakraCore JavaScript engine." "These initial efforts are stepping stones to make Node.js VM-neutral, which would allow more opportunities for Node.js in IoT and mobile use cases as well as a variety of different systems."
One IBM runtime developer called it "a concrete step toward the strategic end goal of VM neutrality," and the Node.js Foundation believes that the API will ultimately result in "more modules to choose from, and more stability with modules without the need to continually upgrade." -
New 'Doom 3' Mod Successfully Ports It Into Virtual Reality (vice.com)
When it comes to VR ports of popular games, "Doom 3's fluid weapon handling, interactivity, and general creepiness put it in a different class entirely," writes Motherboard. An anonymous reader quotes their report: Using the graphically enhanced "BFG" version of 2004's Doom 3, the mod from "Codes4Fun" skillfully ports the game to the HTC Vive, generally making it look as though it was designed for the platform all along. Swedish YouTuber SweViver recently posted a video showing off his first spin with it... SweViver walks and runs about naturally using only the Vive controller's touchpad...the video shows him jumping and using the mod's impressive hand-tracking to handle his gun and flashlight separately as they float before him in place of the controllers in his hands. At one point, he even whips out virtual fists that let him pummel things with the controllers' left and right triggers.
His conclusion? "This is probably the first AAA game that actually works on the Vive." -
Tor-Enabled Smartphone Is Antidote To Google 'Hostility' Over Android, Says Developer (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: The Tor Project recently announced the release of its prototype for a Tor-enabled smartphone -- an Android phone beefed up with privacy and security in mind, and intended as equal parts opsec kung fu and a gauntlet to Google. The new phone, designed by Tor developer Mike Perry, is based on Copperhead OS, the hardened Android distribution profiled first by Ars earlier this year. "The prototype is meant to show a possible direction for Tor on mobile," Perry wrote in a blog post. "We are trying to demonstrate that it is possible to build a phone that respects user choice and freedom, vastly reduces vulnerability surface, and sets a direction for the ecosystem with respect to how to meet the needs of high-security users." To protect user privacy, the prototype runs OrWall, the Android firewall that routes traffic over Tor, and blocks all other traffic. Users can punch a hole through the firewall for voice traffic, for instance, to enable Signal. The prototype only works on Google Nexus and Pixel hardware, as these are the only Android device lines, Perry wrote, that "support Verified Boot with user-controlled keys." While strong Linux geekcraft is required to install and maintain the prototype, Perry stressed that the phone is also aimed at provoking discussion about what he described as "Google's increasing hostility towards Android as a fully Open Source platform." Copperhead OS was the obvious choice for the prototype's base system, Perry told Ars. "Copperhead is also the only Android ROM that supports verified boot, which prevents exploits from modifying the boot, system, recovery, and vendor device partitions," said Perry in his blog post. "Copperhead has also extended this protection by preventing system applications from being overridden by Google Play Store apps, or from writing bytecode to writable partitions (where it could be modified and infected)." 
He added: "This makes Copperhead an excellent choice for our base system." The prototype, nicknamed "Mission Improbable," is now ready to download and install. Perry said he uses the prototype himself for his personal communications: "E-mail, Signal, XMPP+OTR, Mumble, offline maps and directions in OSMAnd, taking pictures, and reading news and books." He suggests leaving the prototype in airplane mode and connecting to the Internet through a second, less-trusted phone, or a cheap Wi-Fi cell router. -
IBM's Project Intu brings Watson's Capabilities To Any Device (siliconangle.com)
IBM has launched a new system-agnostic platform called Project Intu with which it aims to bring "embodied cognition" to a range of devices. From a report on SiliconAngle: In IBM's parlance, "cognitive computing" refers to machine learning. The idea behind Project Intu is that developers will be able to use the platform to embed the various machine learning functions offered by IBM's Watson service into various applications and devices, and make them work across a wide spectrum of form factors. So, for example, developers will be able to use Project Intu's capabilities to embed machine learning capabilities into pretty much any kind of device, from avatars to drones to robots and just about any other kind of Internet of Things' device. As a result, these devices will be able to "interact more naturally" with users via a range of emotions and behaviors, leading to more meaningful and immersive experiences for users, IBM said. What's more, because Project Intu is system-agnostic, developers can use it to build cognitive experiences on a wide range of operating systems, be it Raspberry PI, MacOS, Windows or Linux. Project Intu is still an experimental platform, and it can be accessed via the Watson Developer Cloud, the Intu Gateway and also on GitHub. -
Wordpress Founder Accuses Wix Of Stealing Code (ma.tt)
An anonymous reader writes: "Wow, dude I did not even know we were fighting," Wix CEO Avishai Abrahami posted on the company's blog Saturday -- responding to Wordpress creator Matt Mullenweg, who on Friday accused Wix of stealing their code. "The claim is that the Wix mobile apps distribute GPL code and aren't themselves GPL, so they violate the license," Mullenweg wrote.
Abrahami argued that "Everything we improved there or modified, we submitted back as open source," adding "we will release the app you saw as well... " Mullenweg responded "It appears you and [lead engineer] Tal might share a misunderstanding of how the GPL works," ultimately adding "software licensing can be tricky and many people make honest mistakes."
Wix had also argued they're giving back to the open source community by listing 224 public projects on their GitHub page. "Thank you for the offer to use them," Mullenweg responded. "If we do, we'll make sure to follow the license you've put on the code very carefully." -
Is Microsoft Mainstreaming Machine Learning? (networkworld.com)
Tuesday Microsoft updated their open source Microsoft Cognitive Toolkit (CNTK), adding support for both C++ and Python. "This announcement is more than a point release..." argues Network World. "It's the recognition of AI and machine learning as the next big platform after mobile." This announcement represents a shift in Microsoft's customer focus from research to implementation... The toolkit is a supervised machine learning system in the same category of other open-source projects such as Tensorflow, Caffe and Torch. Microsoft is one of the leading investors in and contributors to the open machine learning software and research community. A glance at the Neural Information Processing Systems conference reveals that there are just four major technology companies committed to moving the field of neural networks forward: Microsoft, Google, Facebook and IBM.
A Microsoft engineer described CNTK as "democratizing AI," according to Microsoft's announcement, which also notes that their toolkit "has been optimized to best take advantage of the NVIDIA hardware and Azure networking capabilities that are part of the Azure offering." -
How Vigilante Hackers Could Stop the Internet of Things Botnet (vice.com)
An anonymous reader quotes a report from Motherboard: Some have put forth a perhaps desperate -- and certainly illegal -- solution to stop massive internet outages, like the one on Friday, from happening: Have white-hat vigilante hackers take over the insecure Internet of Things that the Mirai malware targets and take them away from the criminals. Several hackers and security researchers agree that taking over the zombies in the Mirai botnet would be relatively easy. After all, if the "bad guys" Mirai can do it, a "good guys" Mirai -- perhaps even controlled by the FBI -- could do the same. The biggest technical hurdle to this plan, as F-Secure chief research officer Mikko Hypponen put it, is that once it infects a device, Mirai "closes the barn door behind it." Mirai spreads by scanning the internet for devices that have the old-fashioned remote access telnet protocol enabled and have easy to guess passwords such as "123456" or "passwords." Then, once it infects them, it disables telnet access, theoretically stopping others from doing the same. The good news is that the code that controls this function actually doesn't at times work very well, according to Darren Martyn, a security researcher who has been analyzing the malware and who said he's seen some infected devices that still have telnet enabled and thus can be hacked again. Also, Mirai disappears once an infected device is rebooted, which likely happens often as owners of infected cameras and DVRs try to fix their devices that suddenly have their bandwidth saturated. The bad news is that the Mirai spreads so fast that a rebooted, clean, device gets re-infected in five minutes, according to the estimates of researchers who've been tracking the botnets. So a vigilante hacker has a small window before the bad guys come back. The other problem is what a do-gooder hacker could do once they took over the botnet. 
The options are: brick the devices, making them completely unusable; change the default passwords, locking out even their legitimate owners; or try to fix their firmware to make them more resistant to future hack attempts, and also still perfectly functioning. The real challenge of this whole scenario, however, is that despite being for good, this is still illegal. "No one has any real motivation to do so. Anyone with the desire to do so, is probably afraid of the potential jail time. Anyone not afraid of the potential jail time...can think of better uses for the devices," Martyn told Motherboard, referring to criminals who can monetize the Mirai botnet. -
Rowhammer Attack Can Now Root Android Devices (softpedia.com)
An anonymous reader writes from a report via Softpedia: Researchers have discovered a method to use the Rowhammer RAM attack for rooting Android devices. For their research paper, called Drammer: Deterministic Rowhammer Attacks on Mobile Platforms, researchers tested and found multiple smartphone models to be vulnerable to their attack. The list includes LG Nexus (4, 5, 5X), LG G4, Motorola Moto G (2013 and 2014), One Plus One, HTC Desire 510, Lenovo K3 Note, Xiaomi Mi 4i, and Samsung Galaxy (S4, S5, and S6) devices. Researchers estimate that millions of Android users might be vulnerable. The research team says the Drammer attack has far more wide-reaching implications than just Android, being able to exploit any device running on ARM chips. In the past, researchers have tested the Rowhammer attack against DDR3 and DDR4 memory cards, weaponized it via JavaScript, took over PCs via Microsoft Edge, and hijacked Linux virtual machines. There's an app to test if your phone is vulnerable to this attack. "Rowhammer is an unintended side effect in dynamic random-access memory (DRAM) that causes memory cells to leak their charges and interact electrically between themselves, possibly altering the contents of nearby memory rows that were not addressed in the original memory access," according to Wikipedia. "This circumvention of the isolation between DRAM memory cells results from the high cell density in modern DRAM, and can be triggered by specially crafted memory access patterns that rapidly activate the same memory rows numerous times." -
Rust Implements An IDE Protocol From Red Hat's Collaboration With Microsoft and Codenvy (infoworld.com)
An anonymous reader quotes InfoWorld: Developers of Mozilla's Rust language, devised for fast and safe system-level programming, have unveiled the first release of the Rust Language Service, a project that provides IDEs and editors with live, contextual information about Rust code. RLS is one of the first implementations of the Language Server Protocol, co-developed by Microsoft, Codenvy, and Red Hat to standardize communications between IDEs and language runtimes.
It's another sign of Rust's effort to be an A-list language across the board -- not only by providing better solutions to common programming problems, but also cultivating first-class, cutting-edge tooling support from beyond its ecosystem...
The Rust Language Service is "pre-alpha", and the whole Language Service Protocol is only currently supported by two IDEs -- Eclipse and Microsoft's Visual Studio Code. Earlier InfoWorld described it as "a JSON-based data exchange protocol for providing language services consistently across different code editors and IDEs," and one of the Rust developers has already developed a sample RLS client for Visual Studio Code. -
BBC Micro Bit Mini-Computer To Expand Internationally With New Hardware (bbc.com)
An anonymous reader quotes a report from BBC: The Micro Bit mini-computer is to be sold across the world and enthusiasts are to be offered blueprints showing how to build their own versions. The announcements were made by a new non-profit foundation that is taking over the educational project, formerly led by the BBC. About one million of the devices were given away free to UK-based schoolchildren earlier this year. Beyond the UK, Micro Bits are also in use in schools across the Netherlands and Iceland. But the foundation now intended to co-ordinate a wider rollout. "Our goal is to go out and reach 100 million people with Micro Bit, and by reach I mean affect their lives with the technology," said the foundation's new chief executive Zach Shelby. "That means [selling] tens of millions of devices... over the next five to 10 years." His organization plans to ensure Micro Bits can be bought across Europe before the end of the year and is developing Norwegian and Dutch-language versions of its coding web tools to boost demand. Next, in 2017, the foundation plans to target North America and China, which will coincide with an upgrade to the hardware. TrixX adds: The makers of the BBC micro:bit have announced that they are releasing the full specs for the device under an open license (SolderPad License, similar to Apache License but for hardware). This means that anyone can legally use the specs and build their own device, or fork the reference design GitHub repo and design their derivatives. -
Hackers Steal Credit Card Data From Visitors of US Senate GOP Committee Website (krebsonsecurity.com)
pdclarry writes: While all of the recent news has been about hacking the Democratic National Committee, apparently the Republicans have also been hacked over many months (since March 2016). This was not about politics, however; it was to steal credit card numbers. Brian Krebs reports: "a report this past week out of The Netherlands suggests Russian hackers have for the past six months been siphoning credit card data from visitors to the web storefront of the National Republican Senatorial Committee (NRSC). [...] If you purchased a 'Never Hillary' poster or donated funds to the NRSC through its website between March 2016 and the first week of this month [October 2016], there's an excellent chance that your payment card data was siphoned by malware and is now for sale in the cybercrime underground." Krebs says his information comes from Dutch researcher Willem De Groot, co-founder and head of security at Dutch e-commerce site byte.nl. The Republicans were not alone; theirs was just one of 5,900 e-commerce sites hacked by the same Russian actors. You can view De Groot's analysis of the malware planted on the NRSC's site and other services here. Krebs adds: "The NRSC did not respond to multiple requests for comment, but a cached copy of the site's source code from October 5, 2016 indicates the malicious code was on the site at the time (load this link, click 'view source' and then Ctrl-F for 'jquery-cloud.net')." -
The White House Open Sources President Obama's Facebook Messenger Bot To 'Bring the Gov't To You' (whitehouse.gov)
The White House has open sourced the code for President Obama's Facebook Messenger bot in a hope that this will help other governments and developers build similar services. These services will ideally foster similar connections with their citizens with significantly less upfront investment. From the official post: It's also an important part of furthering our mission to "meet the public where they are." Millions of people contact their friends and family using Facebook Messenger. Why shouldn't they be able to contact the White House, too? And President Obama really reads these messages. Since 2009, he's made it part of his daily routine to read 10 letters sent to him by citizens -- something he refers to as the best part of his day. [...] To be specific, we are open-sourcing a Drupal module, complete with easy steps and boiler plate code. This will enable Drupal 8 developers to quickly launch a Facebook Messenger bot. We also left a few lines in the repository describing our hopes for the future of the code and encouraging members of the developer community to get involved. -
Hackers Hit 6,000 Sites On Active 18-Month Carding Spree (theregister.co.uk)
mask.of.sanity writes from a report via The Register: Hackers have installed skimming scripts on more than 6,000 online stores and are adding 85 each day in a wide-scale active operation that may have compromised hundreds of thousands of credit cards. The malware is infecting stores (full list) running vulnerable versions of the Magento ecommerce platform, and also compromised the U.S. National Republican Senatorial Committee store. "Given that there are [about] 5,900 other skimmed stores, and the malpractice has been going on since at least May last year, I would expect the number of stolen cards in the hundreds of thousands," said Dutch developer Willem de Groot. You can read his blog post to learn more. -
AVTECH Shuns Security Firm and Leaves All Products Vulnerable Without a Patch (softpedia.com)
An anonymous reader writes: AVTECH, a Taiwanese CCTV equipment manufacturer, has failed to respond to Search-Lab, a Hungarian security firm, who spent more than a year trying to inform the company about 14 security bugs affecting the firmware of ALL its products. Almost a year after it first contacted the hardware maker, Search-Lab published a public advisory about the vulnerabilities it discovered, warning sysadmins that their AVTECH products may be in danger of exploitation and remote takeover. Search-Lab says its researchers are not the only ones who spotted these issues. Currently, the term "AVTECH" is the second most popular search term on Shodan, where anyone can find more than 130,000 of these devices available online. Taking into account the recent attacks from IoT botnets, AVTECH is now on the same level of incompetence and indifference as other CCTV hardware makers such as AVer, Dahua, and TVT, all Chinese and Taiwanese companies. A list of confirmed affected firmware versions is available here, proof of concept exploitation code is available on GitHub, and an exploitation video is available here. -
After 22 Years, 386BSD Gets An Update (386bsd.org)
386BSD was last released back in 1994 with a series of articles in Dr. Dobb's Journal -- but then developers for this BSD-based operating system started migrating to both FreeBSD and NetBSD. An anonymous Slashdot reader writes: The last known public release was version 0.1. Until Wednesday, when Lynne Jolitz, one of the co-authors of 386BSD, released the source code to version 1.0 as well as 2.0 on Github.
386BSD takes us back to the days when you could count every file in your Unix distribution and more importantly, read and understand all of your OS source code. 386BSD is also the missing link between BSD and Linux. One can find fragments of Linus Torvalds's math emulation code in the source code of 386BSD. To quote Linus: "If 386BSD had been available when I started on Linux, Linux would probably never had happened."
Though it was designed for Intel 80386 microprocessors, there's already instructions for launching it on the hosted hardware virtualization service Qemu. -
Emacs and Vim Combined In New 'Spacemacs' Distro (spacemacs.org)
Long-time Slashdot reader Qbertino brings news of a new text editor offering what he calls "a modern, hipster-compliant makeover" of both Emacs and Vim: As a classic, perhaps the classic GNU project, Emacs has been marred by abysmal branding and marketing...that has improved slightly but might still leave some people unsatisfied [and] has also been engulfed in an eternal war with Vim, the editor of the beast. Mope no further, salvation is nigh! Spacemacs is a new Emacs distribution that aims to combine all the goodies of Emacs and Vim and then some...
Version .2 of Spacemacs was released this week "with more than 1700 commits since the last major version released in January 2016." With nearly 500 contributors on GitHub, Spacemacs plans to be "crowd-configured" with "curated packages tuned by power users," and is offering features like a real-time display of available key bindings, a simple query system for layers and packages, and of course, a clearly defined set of conventions. -
New Project Lets You Install Arch Linux In the Windows Subsystem For Linux
prisoninmate writes: Softpedia reports that there's a new project on GitHub, called alwsl, which promises to let you install the Arch Linux operating system on Windows 10's new WSL (Windows Subsystem for Linux) feature, which allows users to run native Linux command-line tools directly on the Windows operating system alongside their modern desktop and apps. For example, Canonical and Microsoft brought Bash on Ubuntu on Windows using the new WSL functionality. For now, the alwsl project, which is developed by a group of German developers that call themselves "Turbo Developers," offers a .bat file that you can use to install Arch Linux on a WSL (Windows Subsystem for Linux) host, but the software is in developer preview stage. The first stable release, alwsl 1.0 will be able not only to install Arch Linux on the Windows Subsystem for Linux host in Windows 10 editions that support it, but also to create and manage users and snapshots. Also, it looks like it will get rolling upgrades just like a normal Arch Linux installation gets. The final release is expected to launch on December 2016, and you can monitor its development progress on GitHub. -
CloudFlare Working On New System That Removes CAPTCHAs For Tor Users (softpedia.com)
Tor users have long criticized CloudFlare for annoying CAPTCHAs, but it appears the CDN provider is finally working on a fix. An anonymous reader writes: CloudFlare is working on a new system called "Challenge Bypass Specification," which it wants to deploy as a Tor Browser extension and replace the CAPTCHAs Tor users see when trying to access a website protected by CloudFlare. This new system will have users solve one CAPTCHA at the beginning and after that, the browser extension will use nonces (one-time authentication tokens) to prove the user's real identity before accessing a CloudFlare-protected site. -
Multiple Linux Distributions Affected By Crippling Bug In Systemd (agwa.name)
An anonymous reader writes: System administrator Andrew Ayer has discovered a potentially critical bug in systemd which can bring a vulnerable Linux server to its knees with one command. "After running this command, PID 1 is hung in the pause system call. You can no longer start and stop daemons. inetd-style services no longer accept connections. You cannot cleanly reboot the system." According to the bug report, Debian, Ubuntu, and CentOS are among the distros susceptible to various levels of resource exhaustion. The bug, which has existed for more than two years, does not require root access to exploit. -
TypeScript 2.0 Released (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: Since its introduction, TypeScript has included new features to improve performance, enhance JavaScript compatibility, and extend the range of error checking that the TypeScript compiler performs. TypeScript 2.0 introduces a big step forward here by giving developers greater control over null values. null, used to denote (in some broad, hand-waving sense) that a variable holds no value at all, has been called the billion dollar mistake. Time and time again, programs trip up by not properly checking to see if a variable is null, and for good or ill, every mainstream programming language continues to support the null concept. TypeScript 2.0 brings a range of new features, but the biggest is control over these null values. With TypeScript 2.0, programmers can opt into a new behavior that by default prevents values from being null. With this option enabled, variables by default will be required to have a value and can't be set to null accidentally. This in turn allows the compiler to find other errors such as variables that are never initialized. -
Reddit Brings Down North Korea's Entire Internet (mirror.co.uk)
After a North Korean system administrator misconfigured its nameserver allowing anyone to query it and get the list of the domains that exist for .kp, it was revealed that the secretive country only has 28 websites. That's 28 websites for a country with nearly 25 million people. Naturally, the story was published all across the web, including on Reddit, which resulted in a high number of users visiting North Korea's websites. Mirror.co.uk reports: When a list of North Korea's available websites was posted on Reddit, the surge of visitors to the reclusive state's online offering overloaded the servers. North Korea runs a completely locked-down version of the internet that consists of only 28 "websites" that the population is allowed to view. However, a technical slip-up allowed a GitHub user to work their way into the country's computer network and view the websites from the outside. As the GitHub user puts it: "One of North Korea's top level name servers was accidentally configured to allow global [Domain Name System] transfers. This allows anyone who performs [a zone transfer request] to the country's ns2.kptc.kp name server to get a copy of the nation's top level DNS data." Pretty soon, links to all the websites were posted on Reddit, where thousands of visitors took the opportunity to see what the web looks like from Pyongyang. Reddit's surge of traffic isn't the first time North Korea's internet has been knocked out. In 2014, the country suffered a distributed denial of service (DDoS) attack that was believed to have originated from the U.S. Redditor BaconBakin points out that while North Korea has 28 websites, GTA V has 83 websites. They added, "I think it's safe to say that San Andreas is more technologically advanced than North Korea." -
Apple Releases Swift 3.0, 'Not Source-Compatible With Swift 2.3' (infoworld.com)
An anonymous Slashdot reader quotes InfoWorld: "Move fast and break things," the saying goes. Apple does both with the 3.0 version of its Swift programming language...its first full point revision since it became an open source project... In a blog post detailing the full body of changes for Swift 3.0, Apple singled out the two biggest breaking changes. The first is better translation of Objective-C APIs into Swift, meaning that code imported from Objective-C and translated into Swift will be more readable and Swift-like. The bad news is any code previously imported from Objective-C into Swift will not work in Swift 3; it will need to be re-imported.
The other major change... Most every item referenced in the standard library has been renamed to be less wordy. But again, this brings bad news for anyone with an existing Swift codebase: Apple says "the proposed changes are massively source-breaking for Swift code, and will require a migrator to translate Swift 2 code into Swift 3 code."
Apple will provide migration tools in version 8.0 of their Xcode IDE, "but such tools go only so far," notes the article, questioning what will happen to the Linux and Windows ports of Swift. -
Microsoft Has More Open Source Contributors On GitHub Than Facebook and Google (thenextweb.com)
An anonymous reader writes from a report via The Next Web: Microsoft CEO Satya Nadella has really embraced open source over the past couple of years. GitHub, a site that is home to a number of the web's biggest collaborative code projects, has counted more than 5.8 million active users on its platform over the past 12 months, and says that Microsoft has the most open source contributors. Microsoft has 16,419 contributors, beating out Facebook's 15,682 contributors, Docker's 14,059 contributors, and Google's 12,140 contributors. The Next Web reports: "Of course, this didn't happen overnight. In October 2014, it open sourced its .NET framework, which is the company's programming infrastructure for building and running apps and services -- a major move towards introducing more developers to its server-side stack. Since then, it's open sourced its Chakra JavaScript engine, Visual Studio's MSBuild compiling engine, the Computational Networks Toolkit for deep learning applications, its Xamarin tool for building cross-platform apps and most recently, PowerShell. It's also worth noting that the company's Visual Studio Code text editor made GitHub's list of repositories with the most contributors. You can check out these lists, as well as other data from GitHub's platform on this page." GitHub CEO Chris Wanstrath said in an interview with Fortune, "The big .Net project has more people outside of Microsoft contributing to it than people who work at Microsoft." -
Microsoft Reproduces Google's Battery Life Test To Show Edge Beats Chrome (venturebeat.com)
Earlier this year, Microsoft said that its Edge browser was more power efficient than Google's Chrome, a claim that Google refuted with its own findings. But the debate isn't over. An anonymous reader writes: Microsoft is at it again -- touting Edge as the most battery-efficient browser on Windows 10. The company has rerun its battery tests from the previous quarter using the latest versions of the major browsers, open-sourced its lab test on GitHub, and published the full methodology. But this time, Microsoft says it also replicated one of Google's tests to show that Edge lasts longer than Chrome, Firefox, and Opera. -
Facebook Open Sources 360 Surround Camera With Ikea-Style Instructions (techcrunch.com)
Reader joshtops writes: Facebook needs you to fill its News Feed, Oculus Rift, and Gear VR with 360 content. So today it put all the hardware and software designs of its Surround 360 camera on GitHub after announcing the plan in April. Thanks to a cheeky instruction manual inspired by Ikea's manuals, you can learn how to buy the parts, assemble the camera, load the image-stitching software, and start shooting 360 content. Essentially 17 cameras on a UFO-looking stick, the 360 Surround camera can be built for about $30,000 in parts. The 4-megapixel lenses can shoot 4K, 6K, or 8K 360 video, and fisheye lenses on the top and bottom remove the blindspots. Facebook forced a random engineer to try to build the 360 Surround from the open source instructions, and found it took about four hours. FastCompany has more details. -
Vine's Source Code Was Accidentally Made Public For Five Minutes (theregister.co.uk)
An anonymous reader writes from The Register: Vine, the six-second-video-loop app acquired by Twitter in 2012, had its source code made publicly available by a bounty-hunter for everyone to see. The Register reports: "According to this post by @avicoder (Vjex at GitHub), Vine's source code was for a while available on what was supposed to be a private Docker registry. While docker.vineapp.com, hosted at Amazon, wasn't meant to be available, @avicoder found he was able to download images with a simple pull request. After that it's all too easy: the docker pull https://docker.vineapp.com:443/library/vinewww request loaded the code, and he could then open the Docker image and run it. 'I was able to see the entire source code of Vine, its API keys and third party keys and secrets. Even running the image without any parameter, [it] was letting me host a replica of Vine locally.' The code included 'API keys, third party keys and secrets,' he writes. Twitter's bounty program paid out -- $10,080 -- and the problem was fixed in March (within five minutes of him demonstrating the issue)." -
Software Flaw Puts Mobile Phones and Networks At Risk Of Complete Takeover (arstechnica.com)
Dan Goodin, reporting for Ars Technica: A newly disclosed vulnerability could allow attackers to seize control of mobile phones and key parts of the world's telecommunications infrastructure and make it possible to eavesdrop or disrupt entire networks, security experts warned Tuesday. The bug resides in a code library used in a wide range of telecommunication products, including radios in cell towers, routers, and switches, as well as the baseband chips in individual phones. Although exploiting the heap overflow vulnerability would require great skill and resources, attackers who managed to succeed would have the ability to execute malicious code on virtually all of those devices. The code library was developed by Pennsylvania-based Objective Systems and is used to implement a telephony standard known as ASN.1, short for Abstract Syntax Notation One. "The vulnerability could be triggered remotely without any authentication in scenarios where the vulnerable code receives and processes ASN.1 encoded data from untrusted sources," researchers who discovered the flaw wrote in an advisory published Monday evening. "These may include communications between mobile devices and telecommunication network infrastructure nodes, communications between nodes in a carrier's network or across carrier boundaries, or communication between mutually untrusted endpoints in a data network." -
Dropbox Open Sources New Lossless Middle-Out Image Compression Algorithm (dropbox.com)
Dropbox announced on Thursday that it is releasing its image compression algorithm dubbed Lepton under an Apache open-source license on GitHub. Lepton, the company writes, can both compress and decompress files, and for the latter, it can work while streaming. Lepton offers 22% savings for existing JPEG images, and preserves the original file bit-for-bit perfectly. It compresses JPEG files at a rate of 5MB/s and decodes them back to the original bit at 15MB/s. The company says it has used Lepton to encode 16 billion images saved to Dropbox, and continues to utilize the technology to recode its older images. You can find more technical details here. -
Password Reuse Tool Makes It Easy To ID Vulnerable Accounts On Other Sites (arstechnica.com)
Dan Goodin, reporting for Ars Technica: Over the past few months, a cluster of megabreaches has dumped account credentials for a mind-boggling 642 million accounts into the public domain, where they can then be used to compromise other accounts that are protected by the same password. Now, there's software that can streamline this vicious cycle by testing for reused passcodes on Facebook and other popular sites. Shard, as the command-line tool has been dubbed, is designed to allow end users to test if a password they use for one site is also used on Facebook, LinkedIn, Reddit, Twitter, or Instagram, its creator, Philip O'Keefe, told Ars. The security researcher said he developed the tool after discovering that the randomly generated eight-character password protecting several of his accounts was among the more than 177 million LinkedIn passwords that were leaked in May. "I used that password as a general password for many services," he wrote in an e-mail. "It was a pain to remember which sites it was shared and to change them all. I use a password manager now." -
Assembly Code That Took America to the Moon Now Published On GitHub (qz.com)
An anonymous Slashdot reader writes: "The code that took America to the moon was just published to GitHub, and it's like a 1960s time capsule," reports Quartz. Two lines of code include the comment "# TEMPORARY, I HOPE HOPE HOPE," and there's also a quote from Shakespeare's play Henry VI. In addition, the keyboard and display system program is named PINBALL_GAME_BUTTONS_AND_LIGHT, and "There's also code that appears to instruct an astronaut to 'crank the silly thing around.'"
A former NASA intern uploaded the thousands of lines of assembly code to GitHub, working from a 2003 transcription made from scans inherited by MIT from a Colorado airplane pilot, and developers are already using GitHub to submit funny issue tickets for the 40-year-old code -- for example, "Extension pack for picking up Matt Damon". Another issue complains that "A customer has had a fairly serious problem with stirring the cryogenic tanks with a circuit fault present." Because this issue succinctly describes the Apollo 13 mission in 1970, the issue has been marked "closed". -
Ubuntu's Unity desktop environment can run in Windows (wordpress.com)
An anonymous Slashdot reader writes: "This is one of the coolest tickets I've seen on GitHub," writes Ubuntu developer Adolfo Jayme Barrientos, adding "this kind of surreal compatibility between platforms is now enabled...the fact that you can execute and use Linux window managers there, without virtual machines, is simply mind-blowing."
"The Windows 10 Anniversary Update coming in August includes an unusual feature aimed at developers: an Ubuntu sub-system that lets you run Linux software using a command-line interface," explains Liliputing.com. "Preview versions have been available since April, and while Microsoft and Canonical worked together to bring support for the Bash terminal to Windows 10, it didn't take long for some users to figure out that they could get some desktop Linux apps to run in Windows. Now it looks like you can even load Ubuntu's Unity desktop environment, making Windows 10 look like Ubuntu." -
Security Researcher Publishes How-To Guide To Crack Android Full Disk Encryption (thehackernews.com)
An anonymous reader writes: Google first implemented Full Disk Encryption in Android by default with Android 5.0 Lollipop in an effort to prevent criminals or government agencies from gaining unauthorized access to one's data. What it does is it encodes all the data on a user's Android device before it's ever written to disk using a user's authentication code. Once it is encrypted, it can only be decrypted if the user enters his/her password. However, security researcher Gal Beniamini has discovered issues with the full disk encryption. He published a step-by-step guide on how one can break down the encryption protections on Android devices powered by Qualcomm Snapdragon processors. The source of the exploit is posted on GitHub. Android's disk encryption on devices with Qualcomm chips is based only on your password. However, Android uses your password to create a 2048-bit RSA key (KeyMaster) derived from it instead. Qualcomm specifically runs in the Snapdragon TrustZone to protect critical functions like encryption and biometric scanning, but Beniamini discovered that it's possible to exploit a security flaw and retrieve the keys from TrustZone. Qualcomm runs a small kernel in TrustZone to offer a Trusted Execution Environment known as Qualcomm Secure Execution Environment (QSEE), which allows small apps to run inside of QSEE away from the main Android OS. Beniamini has detailed a way for attackers to exploit an Android kernel security flaw to load their own QSEE app inside this secure environment, thereby exploiting a privilege escalation flaw and hijacking the complete QSEE space, including the keys generated for full disk encryption.
The researcher also said Qualcomm or OEMs can comply with government or law enforcement agencies to break the FDE: "Since the key is available to TrustZone, Qualcomm and OEMs [Original Equipment Manufacturers] could simply create and sign a TrustZone image which extracts the KeyMaster keys and flash it to the target device," Beniamini wrote. "This would allow law enforcement to easily brute force the FDE password off the device using the leaked keys." -
Mozilla Releases First Build of Servo, Its Next-Generation Browser Engine (venturebeat.com)
An anonymous reader writes: As promised, Mozilla has released the first Nightly build of Servo, its new browser engine. This is the first tech demo of Servo, which Jack Moffitt, Servo project lead at Mozilla, described to us a few months ago as "a next-generation browser engine focused on performance and robustness." Packages for macOS and Linux are available to download from here: Servo Developer Preview Downloads. Mozilla promises that Windows and Android packages will be available "soon." And because this is Mozilla, you can check out all the code yourself over on GitHub. -
DMCA Notices Remove 8,268 Projects On Github In 2015 (torrentfreak.com)
An anonymous reader writes: Github's transparency report for 2015 shows that the site received many DMCA notices that removed more than 8,200 projects. "In 2015, we received significantly more takedown notices, and took down significantly more content, than we did in 2014," Github reports. For comparison, the company received only 258 DMCA notices in 2014, 17 of which responded with a counter-notice or retraction. In 2015, they received 505 takedown notices, 62 of which were the subject of counters or withdrawals. TorrentFreak reports: "Copyright holders are not limited to reporting one URL or location per DMCA notice. In fact, each notice filed can target tens, hundreds, or even thousands of allegedly infringing locations." September was a particularly active month as it took down nearly 5,834 projects. "Usually, the DMCA reports we receive are from people or organizations reporting a single potentially infringing repository. However, every now and then we receive a single notice asking us to take down many repositories," Github explains. They are called 'Mass Removals' when more than 100 repositories are asked to be removed. "In all, fewer than twenty individual notice senders requested removal of over 90% of the content GitHub took down in 2015." -
Oculus Ditches DRM Hurdle, Allows HTC Vive Games On Rift Again (venturebeat.com)
An anonymous reader writes: After changing its DRM to exclude ReVive last month, Oculus has changed its mind again and is now allowing HTC Vive games to play on the Oculus Rift. "We continually revise our entitlement and anti-piracy systems, and in the June update we've removed the check for Rift hardware from the entitlement check. We won't use hardware checks as part of DRM on PC in the future," Oculus VR said. "We believe protecting developer content is critical to the long-term success of the VR industry, and we'll continue taking steps in the future to ensure that VR developers can keep investing in ground-breaking new VR content." VentureBeat reports: "ReVive developers have acted quickly following the removal of the check. An update to the software has been posted on GitHub to bring it back in line, meaning you'll now be able to access the games that were previously available without jumping through extra hoops. Perhaps even more games might work going forward. CrossVR, one of the system's developers, took to Reddit to thank Oculus for the decision. 'I'm delighted to see this change and I hope it can generate a lot of goodwill for Oculus.' CrossVR said." -
Red Hat Launches Ansible-Native Container Workflow Project (helpnetsecurity.com)
Orome1 quotes a report from Help Net Security: Red Hat launched Ansible Container under the Ansible project, which provides a simple, powerful, and agent-less open source IT automation framework. Available now as a technology preview, Ansible Container allows for the complete creation of Docker-formatted Linux containers within Ansible Playbooks, eliminating the need to use external tools like Dockerfile or docker-compose. Ansible's modular code base, combined with ease of contribution, and a community of contributors in GitHub, enables the powerful IT automation platform to manage today's infrastructure, but also adapt to new IT needs and DevOps workflows. Help Net Security reports: "The automated container creation and deployment offered by Ansible factor into Red Hat's existing container infrastructure stack, which now includes: A stable, container-centric operating system in Red Hat Enterprise Linux Atomic Host; An enterprise-grade, Kubernetes- and Docker-native container application platform through Red Hat OpenShift and the recently announced next-generation OpenShift Online public cloud service; Infrastructure management, automation and monitoring across hybrid environments with Red Hat CloudForms, Red Hat insights, Red Hat Satellite and Ansible Tower by Red Hat; Massively-scalable private and hybrid cloud architecture for large-scale container deployment through Red Hat OpenStack Platform and Red Hat Cloud Suite, which also includes Red Hat OpenShift." -
Microsoft Open-Sources 'Checked C,' A Safer C Version (softpedia.com)
An anonymous reader writes from a report via Softpedia: Microsoft has open-sourced Checked C, an extension to the C programming language that brings new features to address a series of security-related issues. As its name hints, Checked C will add checking to C, and more specifically pointer bounds checking. The company hopes to curb the high number of security bugs such as buffer overruns, out-of-bounds memory accesses, and incorrect type casts, all of which would be easier to catch in Checked C. Despite tangible benefits to security, the problem of porting code to Checked C still exists, just like it did when C# or Rust came out, both C alternatives. -
GitHub Presses Big Red Password Reset Button After Third-Party Breach (theregister.co.uk)
John Leyden, writing for The Register: GitHub has reset the passwords of users targeted in an attack this week that relied on using stolen credentials from a breach at a third-party site. The software repository itself has not suffered a breach. Hackers behind the assault were trying to break into the accounts of users who had inadvisedly used the same login credentials on an unnamed site that had suffered a breach, as a statement by GitHub explains. GitHub said it had reset the passwords on all affected accounts before beginning the process of notifying those affected. "We encourage all users to practise good password hygiene and enable two-factor authentication to protect your account," GitHub sensibly advised. -
Google's AI 'TensorFlow' Software Is Coming To iOS (cnet.com)
An anonymous reader writes: Google published an early version of TensorFlow that adds support for iOS. TensorFlow is "neural network" software that lets computers process data in a way similar to our own brain cells. Google CEO Sundar Pichai recently said it advances machine learning capability by a factor of three generations. With the software running on your iPhone, its capabilities will allow for more sophisticated apps to run on iOS. We can expect the apps to be released later this year and into next year from Google and others who use TensorFlow. Some of the tasks TensorFlow can allow for include being able to recognize subjects in photographs or being able to teach your phone what a particular object looks like, which is what another neural network software project called MemKite aims to do. Google has released its TensorFlow software as open source, where anyone can use or modify it for free. -
Google's 'Project Magenta' Art Machine Composes Its First Song (thenextweb.com)
An anonymous reader writes: Google's Project Magenta, which aims to use machine learning to create music and art, just created its first song. The song, which can be more appropriately described as a 90-second melody, is quite simplistic and reminiscent of an old Nokia ringtone. It's impressive for a machine! Magenta is built on top of its TensorFlow system, and all the open-sourced materials one could ever need are available through its Github. The team wants to be able to tell stories from the art it creates similar to that of artists. "The design of models that learn to construct long narrative arcs is important not only for music and art generation, but also areas like language modeling, where it remains a challenge to carry meaning even across a long paragraph, much less whole stories," the team wrote. "Attention models like the Show, Attend and Tell point to one promising direction, but this remains a very challenging task." -
Amazon Built An Echo Simulator You Can Use In the Browser (venturebeat.com)
Jordan Novet, writing for VentureBeat: Amazon today announced the availability of Echosim.io, a website that simulates the capabilities of the Amazon Echo speaker, which employs Amazon's Alexa voice assistant technology. The thing about Alexa is that many people who don't own the Echo -- or its smaller siblings, the Tap and the Echo Dot -- haven't been able to see what Alexa is capable of. The new tool -- which was inspired by the Alexa in the Browser application that Nexmo developer advocate Sam Machin came up with during a hackathon last year -- solves that problem. All you have to do is head to the website, sign in with your Amazon credentials, and start holding your mouse down over the microphone button to see what Alexa can do. It's nifty for anyone to use, but it's also potentially useful to developers. "Developers worldwide can use Echosim to experience Alexa," Amazon Alexa developer marketing manager Glenn Cameron wrote in a blog post. Interesting move, especially for people who either do not want to -- or can't -- purchase the device (unavailability being one reason). You will need to login with your Amazon account in order to test Echosim. -
Pastejacking Attack Appends Malicious Terminal Commands To Your Clipboard (softpedia.com)
An anonymous reader writes: "It has been possible for a long time for developers to use CSS to append malicious content to the clipboard without a user noticing and thus fool them into executing unwanted terminal commands," writes Softpedia. "This type of attack is known as clipboard hijacking, and in most scenarios, is useless, except when the user copies something inside their terminal." Security researcher Dylan Ayrey published a new version of this attack last week, which uses only JavaScript as the attack medium, giving the attack more versatility and making it now easier to carry out. The attack is called Pastejacking and it uses Javascript to theoretically allow attackers to add their malicious code to the entire page to run commands behind a user's back when they paste anything inside the console. "The attack can be deadly if combined with tech support or phishing emails," writes Softpedia. "Users might think they're copying innocent text into their console, but in fact, they're running the crook's exploit for them." -
Node.js Now Runs COBOL and FORTRAN (arstechnica.com)
Last summer a developer created a plugin which made it possible to run snippets of COBOL code embedded in JavaScript using the Node.js interpreter. Now Slashdot reader techfilz writes: Romanian developer Bizau Ionica has engineered a software bridge called node.cobol which can execute Node.js scripts from within COBOL programs.
The link shows COBOL code executing a Node.js script that launches a Web server and creates ASCII art from a JPEG image -- in this case, Admiral Grace Hopper, who helped create COBOL in 1959. And Ars Technica points out the same developer has also built a Node.js bridge for FORTRAN. -
The Intercept Releases First Batch Of New Docs Leaked By Snowden (theintercept.com)
executioner quotes a report from The Intercept: The Intercept's first SIDtoday release comprises 166 articles, including all articles published between March 31, 2003, when SIDtoday began, and June 30, 2003, plus installments of all article series begun during this period through the end of the year. Major topics include the National Security Agency's role in interrogations, the Iraq War, the war on terror, new leadership in the Signals Intelligence Directorate, and new, popular uses of the internet and of mobile computing devices. You can download this batch directly here, or download the documents via Github.