Domain: google.com
Stories and comments across the archive that link to google.com.
Stories · 3,747
-
Qubes OS 3.1 Has Been Released
Burz writes: Invisible Things Labs has released Qubes OS 3.1. Some of the features recently introduced into this secure concept, single-user desktop OS are Salt management, the Odyssey abstraction layer, and UEFI boot support. The 3.x series also lays the groundwork for distributed verifiable builds, Whonix VMs for Tor isolation, split-GPG key management, USB sandboxing, and a host of others. Qubes has recently gained a following among privacy advocates, notable among them journalist J.M. Porup, Micah Lee at The Intercept and Edward Snowden. Embodying a shift away from complex kernel-based security and towards bare metal hypervisors and IOMMUs for strict isolation of hardware components, Qubes seals off the usual channels for 'VM breakout' and DMA attacks. It isolates NICs and USB hardware within unprivileged VMs which are themselves a re-working of the usual concept, each booting from read-only OS 'templates' which can be shared. Graphics are also virtualized behind a simple, hardened interface. Some of the more interesting attacks mitigated by Qubes are Evil Maid, BadBIOS, BadUSB and Mousejack. -
Google Launches Android N Developer Preview And Beta Program (engadget.com)
Google is releasing Android N Preview to developers today. The early release is meant to collect feedback sooner than usual, and even includes a new way to download the update. Instead of installing a drive image, you can participate in an Android Beta Program that installs pre-release versions over the air (as long as you have a relatively recent Nexus device or the Pixel C). The biggest attraction, by far, is a new multi-window mode, which lets you use split-screen modes on phones and tablets, and even specify minimum allowable dimensions. There's even a picture-in-picture video mode, too, so you can keep watching YouTube while you message your friends. Other improvements in the preview include direct reply notifications that let you reply to a message right from an alert, iOS-style. Also, Android N optionally bundles notifications from the same app so that they don't clutter your view. Marshmallow's Doze feature has been improved to save battery life whenever the screen turns off, and coders can take advantage of Java 8 features. Google is also working to reduce the memory needs of Android via Project Svelte, allowing the Android OS to run smoothly on lower specced devices. -
Dutch Companies Not Allowed To Fitness-Track Their Employees (www.nu.nl)
An anonymous reader writes: The Dutch Privacy Authority made it known today that companies are not allowed to gather their employees' health data from wearable devices [original, in Dutch] such as the Fitbit. Of the two companies that were mentioned in this case, one of them had access to employee sleep patterns. In both cases the employees had given their employers permission to use this data. However, according to the Privacy Authority it is impossible to truly give 'free consent' when there is a 'financial dependency.' -
IBM Sues Groupon Over 1990s Patents Related To Prodigy (arstechnica.com)
An anonymous reader writes: IBM is pushing big internet companies to pay patent licensing fees in part because IBM invented the Prodigy service, a precursor to the modern web. Yesterday, Big Blue filed a lawsuit against Groupon, saying the company has infringed four IBM patents, including patents 5,796,967 and 7,072,849. IBM inventors working on Prodigy "developed novel methods for presenting applications and advertisements," and "the technological innovations embodied in these patents are fundamental to the efficient communication of internet content," according to the company. The Prodigy patents were filed in 1993 and 1996, but they have "priority dates" stretching back to 1988. "Despite IBM's repeated attempts to negotiate, Groupon refuses to take a license but continues to use IBM's property," IBM lawyers write. IBM says it informed Groupon that it was infringing the '967, '849, and '346 patents as early as 2011. As for the '601 patent, IBM says that Groupon should have been on notice of that once Priceline got sued last year. -
Google Is Testing Voice-Activated Payment App, Hands Free (cnet.com)
New submitter eedwardsjr writes: If you've ever wanted to pay just by saying something out loud, then Hands Free is the way to go. Google has released to the public a new app called Hands Free, which lets people pay for items in stores by simply telling the cashier, "I'll pay with Google." The app, available for Android and iOS, is only being piloted in a few locations in the San Francisco area, including some McDonald's and Papa John's restaurants. Hands Free works by tracking your location using Wi-Fi and other sensors in your smartphone to detect whether you're near a participating store. After you say "I'll pay with Google," the cashier confirms your identity by using your initials and the photo you've loaded onto the Hands Free app. -
YouTube Promises Changes To Copyright Claim Policy (thestack.com)
An anonymous reader writes: YouTube has set up a new team dedicated to weeding out false copyright claims and subsequent erroneous takedowns, responding to community criticism. Complaints have accused the video streaming site of a lazy approach to monitoring content, and using an unreliable automated system, Content ID, to enforce copyright policy. In response to these allegations, YouTube has announced that it will be introducing a workforce focused entirely on minimizing mistakes that delete legitimate videos. The tech giant has also promised to improve transparency into the status of monetization claims, and help strengthen communications between video creators and its support teams. -
E-book Museum At the Library of Congress? (teleread.com)
David Rothman writes: Back in 2003, Slashdot ran TeleRead's call for a brick-and-mortar international e-book museum at the Library of Congress. The proposed museum would focus on the devices and other technology rather than the content. It still isn't too late for such a project, and TeleRead is again advocating the idea. Content, too, actually would benefit -- considering that proprietary formats and DRM can imperil the future readability of e-books. Meanwhile, a small-scale e-book museum is about to open in Paris and is looking for donations. A worthy cause! -
What Gmail's New TLS Icon Really Means: Email Encryption Is Still Broken
An anonymous reader writes: On Safer Internet Day Google announced that Gmail will display warning signs for missing encryption and authentication, a great initiative indeed! Now that it's live we've taken it for a spin, only to find that the warning when composing email is quite slow (for new domains), and that they fail to mention that the non-authenticated TLS encryption that the currently sad state of SMTP encryption leaves us with is really poor, and vulnerable to almost anything (except passive wiretapping). I rather wish they took a stance on how we could move on to proper email encryption. -
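The submitter's point, that opportunistic, non-authenticated STARTTLS stops only passive wiretapping, is easiest to see as a protocol exchange. The simulation below is an added example and is not code from the original post or from any MTA: FakeMx, deliver, the two attack modes and alice@example.org are constructed here, and the EHLO capability lines are the standard SMTP ones. It compares a sender that encrypts only if the receiver happens to offer it (the common default) with one that refuses to send unless TLS is up and the certificate matches the MX name.

```python
from dataclasses import dataclass, field


@dataclass
class FakeMx:
    """Stand-in for a receiving MTA. Constructed for this example; no sockets."""
    hostname: str
    offers_starttls: bool = True

    def ehlo(self):
        lines = [f"250-{self.hostname}", "250-8BITMIME"]
        if self.offers_starttls:
            lines.append("250-STARTTLS")
        lines.append("250 OK")
        return lines

    def starttls(self):
        # (reply line, subject name on the certificate presented in the handshake)
        if not self.offers_starttls:
            return "454 TLS not available", None
        return "220 Go ahead", self.hostname


def mitm_strip(ehlo_lines):
    """Active attacker on the path: deletes the STARTTLS capability line, so the
    client never asks for TLS and the whole session stays in the clear."""
    return [line for line in ehlo_lines if line != "250-STARTTLS"]


def mitm_impersonate(_real_cert_name):
    """Active attacker that lets STARTTLS through but terminates the TLS
    session itself and presents a certificate for a name it controls."""
    return "attacker.example"


@dataclass
class Outcome:
    sent: bool = False
    encrypted: bool = False
    authenticated: bool = False
    transcript: list = field(default_factory=list)


def deliver(mx, policy, attack=None):
    """Sending MTA. policy: "opportunistic" (encrypt if offered, never verify
    the peer) or "strict" (refuse unless TLS is up and the certificate matches
    the MX hostname). attack: None, "strip" or "impersonate"."""
    out = Outcome()
    ehlo = mx.ehlo()
    if attack == "strip":
        ehlo = mitm_strip(ehlo)
    out.transcript.extend(ehlo)
    if "250-STARTTLS" in ehlo:
        reply, cert_name = mx.starttls()
        out.transcript.append(reply)
        if reply.startswith("220"):
            out.encrypted = True
            if attack == "impersonate":
                cert_name = mitm_impersonate(cert_name)
            # An opportunistic client never looks at this; it is recorded so the
            # outcome shows whether the peer was actually the intended MX.
            out.authenticated = cert_name == mx.hostname
    if policy == "strict" and not (out.encrypted and out.authenticated):
        out.transcript.append("QUIT")  # defer the message rather than downgrade
        return out
    out.transcript.append("MAIL FROM:<alice@example.org>")
    out.sent = True
    return out
```

Run it with the three attack settings and the two policies: the opportunistic sender hands the message over in the clear after a stripped EHLO and to an impersonator after a "successful" handshake, while the strict sender defers in both cases. Strict mode only works if the sender knows in advance that the receiver supports TLS and which name to expect, which is exactly the signalling SMTP lacks and the reason the warning icon says "not encrypted" rather than "not safe".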
At X, Failure Is Not an Option: It's a Feature (Astro Teller's 2016 TED Talk) (backchannel.com)
New submitter Evan Hansen writes: Everyone likes to pay lip service to "fail fast," but when was the last time your boss gave you a bonus when your project was killed? In his 2016 TED Talk, concluded just moments ago, Astro Teller, the head of Alphabet's X R&D lab, shares some never-before-revealed stories of his team's failures and iterations, and explains how "fail fast" can be more than a trite cliche. The first X project was the self-driving car, and subsequent ones include Google Glass, Project Loon's Internet service via balloon, Makani energy kites, and a drone delivery service dubbed Project Wing. -
Brown CS Department Hiring Student Diversity, Inclusion Advocates
theodp writes: Brown University's Department of Computer Science is seeking to hire student advocates for diversity and inclusion as part of its new action plan to increase diversity. The new hires, who will also serve as members of the CS Diversity Committee, will support students, plan inclusion activities, and educate TAs on issues of diversity. Also on the diversity front, Brown touted last weekend's Hack@Brown, the school's annual student hackathon, as being "unlike any other hackathon" -- "welcoming, inclusive, and inviting to students of all experience levels." A cynic might point out that Hack@Brown's tech giant sponsors boast track records that are quite the opposite. By the way, Hack@Brown certainly upped the ante on conference Codes of Conduct, warning that those anonymously charged with making others feel uncomfortable on the basis of "gender, age, sexual orientation, disability, physical appearance, body size, race, or religion (or lack thereof)" will be "expelled from the event without travel reimbursement at the discretion of the event organizers." Brown explained that travel reimbursements were provided to promote "economic diversity", ensuring that students who couldn't otherwise afford to get to and from Providence could attend the Ivy League event. Hey, what "economically diverse" kid wouldn't want to go to a conference where rubbing someone the wrong way could leave them stranded in Rhode Island! -
Facebook Developing Radio Wave Mesh To Connect Offline Areas (thestack.com)
An anonymous reader writes: As part of its wider Internet.org initiative to deliver connectivity to poor and rural communities, Facebook is actively developing a new network technology which uses millimetre wave bands to transmit data. Facebook engineer Sanjai Kohli filed two patents which outlined a 'next generation' data system, which would make use of millimetre wave technology deployed as mesh networks. Kohli's patents detailed a type of centralised, cloud-based routing system which 'dynamically adjusts route and frequency channel assignments, transmit power, modulation, coding, and symbol rate to maximize network capacity and probability of packet delivery, rather than trying to maximize the capacity of any one link.' -
Adblock Fast Returns To Google Play a Week After Being Pulled
An anonymous reader writes: A week ago, Google suddenly removed Adblock Fast from its Android app store. Today, the ad blocker has been reinstated, enabling Samsung users to download it once again from Google Play. Late last month, the browser preinstalled on Samsung's Android phones gained support for content-blocking plugins, and the first plugin to support the functionality was a free and open-source solution called Adblock Fast. Rocketship Apps, the maker of Adblock Fast, uploaded the Android plugin on January 29, but Google rejected an app update on February 1. The app hit Google Play's top spot for free, new productivity apps on February 2, and was pulled by Google on the same day. -
Report: Google Will Go In Big For VR Hardware This Year
The Financial Times reports that Google isn't going to let the VR hardware wars fall to the likes of Samsung and Oculus; instead, it's working on a (cardboard-free) VR headset of its own, to be released in conjunction with Android VR software intended not only to make Android more VR friendly in general but specifically to help developers reduce nausea-inducing lag. The report doesn't quite come out of the blue, considering that Google has shipped more than 5 million of its own Cardboard viewers already, and has several projects dealing with VR infrastructure, either directly (like Jump) or indirectly (like Project Tango). Google (or Alphabet) has proven itself a hardware behemoth, not just the "search giant" it's so often called in news stories, and of late seems to be more interested in making its footprint in hardware a bit firmer. -
Some Reversible USB-C Cables/Adapters Could Cause Irreversible Damage
TheRealHocusLocus writes: Three Decembers ago I lauded the impending death of the trapezoid. Celebration of the rectangle might be premature however, because in the rush to market an appalling number of chargers, cables and legacy adapters have been discovered to be non-compliant. There have been performance issues with bad USB implementations all along, but now — with improved conductors, USB-C offers to negotiate up to 3A in addition to the 900mA base, so use of a non-compliant adapter may result in damage. Google engineer and hero Benson Leung has been waging a one-man compliance campaign of Amazon reviews to warn of dodgy devices and praise the good. Reddit user bmcclure937 offers a spreadsheet summary of the reviews. It's a jungle out there, don't get fried. -
In Japan, a Battle Brewing Over the Right To Record 4k and 8k Broadcasts (itmedia.co.jp)
AmiMoJo writes: Japanese broadcasters have indicated that 4k and 8k broadcasts may have recording disabled via a 'do not copy' flag [via Google Translate], which receivers would be expected to obey. Now the Internet Users Association (MIAU) and Shufuren (Housewives Federation) have submitted documentation opposing the ban. The document points out that the ban will only inconvenience the majority of the general audience, while inevitably failing to prevent unauthorized copying by anyone determined to circumvent the protection. -
Chromodo Browser Disables Key Web Security (thestack.com)
An anonymous reader writes: A Google Security Research update has claimed that Comodo's internet browser Chromodo, based on the open-source project Chromium, contains significant security failings and puts its users at risk. This week's Google alert suggested that the Chromodo browser – available as a standalone download, as well as part of the company's Security package – is less secure than it promises. According to analysis, the browser is disabling the Same Origin policy, hijacking DNS settings, and replacing shortcuts with Chromodo links, among other security violations. -
Discrepancy Detected In GPS Time
jones_supa writes that on Tuesday, 26th January, Aalto University's Metsähovi observatory located in Kirkkonummi, Finland, detected a rare anomaly in time reported by the GPS system (Google translation). The automatic monitoring system of a hydrogen maser atomic clock triggered an alarm which reported a deviation of 13.7 microseconds. While this is tiny, it is a sign of a problem somewhere, and does not exclude the possibility of larger timekeeping problems happening. The specific source of the problem is not known, but candidates are a faulty GPS satellite or an atomic clock placed in one. A particle flare-up from the sun is unlikely, as the observatory has not currently detected unusually high activity from the sun. -
Insurance Companies Looking For Fallback Plans To Survive Driverless Cars (csmonitor.com)
An anonymous reader writes: Driverless cars could mean a huge downsizing of the auto insurance industry, as the frequency of accidents declines and liability shifts from the driver to the vehicle's software or automaker. This is compounded by the rise of ride-sharing services. Once summoning a vehicle to take you somewhere isn't limited by the number of people available to drive them (and are correspondingly cheaper), car ownership is likely to decline. Many major automakers and tech companies are throwing billions of research dollars into making this happen, and insurance companies are trying to figure out how to survive. For example, a recent patent application shows State Farm is betting on collecting massive amounts of data about you. While they'll no doubt use it to set your insurance rates, they also plan to "send you advice, alerts, coupons or discounts on insurance or other goods and services." Traveler's Insurance is thinking along somewhat similar lines. They want to create "a device that offers specific suggestions for managing errands and other travel. Customers would be able to see a map of 'risk zone' data for places they want to go, such as stores, restaurants and roads. They could then plan the day 'with an eye toward how risky such endeavors may be,' according to the patent application." -
EU Companies Can Monitor Employees' Private Conversations While At Work (softpedia.com)
An anonymous reader writes: A recent ruling of the European Court of Human Rights has granted EU companies the right to monitor and log private conversations that employees have at work while using the employer's devices. The ruling came after a Romanian was fired for using Yahoo Messenger back in 2007, while at work, to have private conversations with his girlfriend. He argued that his employer was breaking his right to privacy and correspondence. Both Romanian and European courts disagreed. -
Trend Micro Flaw Could Have Allowed Attacker To Steal All Passwords (csoonline.com)
itwbennett writes: Trend Micro has released an automatic update fixing the problems in its antivirus product that Google security engineer Tavis Ormandy discovered could allow "anyone on the internet [to] steal all of your passwords completely silently, as well as execute arbitrary code with zero user interaction." The password manager in Trend's antivirus product is written in JavaScript and opens up multiple HTTP remote procedure call ports to handle API requests, Ormandy wrote. Ormandy says it took him 30 seconds to find one that would accept remote code. He also found an API that allowed him to access passwords stored in the manager. This is just the latest in a string of serious vulnerabilities that have been found in antivirus products in the last seven months. -
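The failure mode in this story, an HTTP RPC bound to the loopback interface that trusts every caller because the connection is "local", is a general one: the browser on the same machine is a confused deputy, and any web page can make it send requests to 127.0.0.1. The snippet below is an added example, not Trend Micro's code, and it makes no claim about how that product's API actually looked beyond what the summary says. VAULT, rpc_insecure, authorize, rpc_hardened and API_TOKEN are invented names, and the stored credential is constructed sample data. It shows the unauthenticated dispatcher next to one that rejects requests a web origin could have produced.

```python
import hmac
import secrets

# Constructed sample data standing in for the password store.
VAULT = {"bank.example": "correct horse battery staple"}

# Unguessable per-run secret. Assumption: the product hands it only to its own
# native UI process (over OS IPC), never to a web page or browser extension.
API_TOKEN = secrets.token_urlsafe(32)

ALLOWED_HOSTS = {"127.0.0.1", "localhost", "[::1]"}


def rpc_insecure(headers, params):
    """The anti-pattern: a loopback HTTP RPC that assumes 'local' means 'trusted'.
    headers/params are plain dicts; header names are lower-case."""
    site = params.get("site")
    if site not in VAULT:
        return 404, ""
    return 200, VAULT[site]


def authorize(headers, token=API_TOKEN):
    """Decide whether a local RPC request may proceed. Returns (status, reason)."""
    # DNS rebinding: a page on attacker.example whose name now resolves to
    # 127.0.0.1 reaches this port with Host: attacker.example, and the browser
    # does not consider it cross-origin. Refuse anything but loopback names.
    host = headers.get("host", "").rsplit(":", 1)[0]
    if host not in ALLOWED_HOSTS:
        return 403, "unexpected Host header"
    # Browser-originated requests carry Origin (CORS/POST), usually Referer, and in
    # current browsers Sec-Fetch-Site (absent from non-browser clients). Any of
    # them means a web page, not the product's own UI, is driving the RPC.
    browser_marker = (
        "origin" in headers
        or "referer" in headers
        or headers.get("sec-fetch-site", "none") != "none"
    )
    if browser_marker:
        return 403, "browser-originated request"
    # The actual control: a bearer secret no web content can obtain. Constant-time
    # compare so the check itself does not leak the token.
    auth = headers.get("authorization", "")
    if not auth.startswith("Bearer ") or not hmac.compare_digest(auth[7:], token):
        return 401, "missing or invalid token"
    return 200, "ok"


def rpc_hardened(headers, params, token=API_TOKEN):
    """Same RPC behind the authorization gate."""
    status, reason = authorize(headers, token)
    if status != 200:
        return status, reason
    return rpc_insecure(headers, params)
```

The token is what actually closes the hole: a page cannot learn a per-run secret that only the native UI receives, so a request without it fails even when the browser omits Origin (as it does for GETs issued via img or script tags). The Host and Origin checks are defence in depth against rebinding and against a token that leaks into a page, and Sec-Fetch-Site is a newer header than this 2016 story, so older browsers never send it; do not rely on it alone. The "execute arbitrary code" half of the finding is not modelled here, but the same gate sits in front of every method, which is why an RPC surface should expose as little as possible in the first place.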
Lenovo To Build Google's First Project Tango Phone (pcworld.com)
Press2ToContinue writes: Google and Lenovo announced plans Thursday night in Las Vegas for the first Project Tango phone to be released this summer for less than $500. Project Tango is Google's vision to bring augmented reality to phones by enabling devices to be able to sense where they are and what is around them. During the announcement, Google's Johnny Lee demonstrated measuring a room using a prototype Project Tango tablet and then shopping at Lowes for furniture that would fit it. Google also announced an app incubator for Project Tango, which they hope will encourage developers to start building apps that make use of the AR technology. -
Api.ai CEO Ilya Gelfenbeyn Talks About Conversational Voice Interfaces (Video)
Api.ai makes an Android voice-controlled utility called Assistant. I have it on my Android phone. It is one of many similar apps, and I have been trying them a little at a time. Are any of them as good as Siri? Let's just say, "Quality varies."
And Android voice assistants aren't the point of this interview, anyway. It's more about the process of developing interactive, voice-based IO systems. This whole voice/response thing is an area that's going to take off any year now -- and has been in that state for several decades -- but may finally be going somewhere, spurred by intense competition between the many companies working in this field, including Ilya's. -
Firefox Will Support Non-Standard CSS For WebKit Compatibility (theregister.co.uk)
RoccamOccam writes: Mozilla developers have discussed a plan to implement support for a subset of non-standard CSS prefixes used in WebKit. Mozilla developer Daniel Holbert says: "A good chunk of the web today (and particularly the mobile web) effectively relies on -webkit prefixed CSS properties & features. We wish we lived in a world where web content always included standards-based fallback (or at least multiple-vendor-prefixed fallback), but alas, we do not live in that world. To be successful at rendering the web as it exists, we need to add support for a list of frequently-used -webkit prefixed CSS properties & features." -
1st Circuit Injunction Re: TSA's New Mandatory AIT Search Rule Fully Briefed (s.ai)
saizai writes: I just filed my reply to the TSA's opposition to an emergency motion for preliminary injunction and temporary restraining order (PI/TRO) against the TSA's new policy that arbitrarily mandates some people to go through electronic strip search ("AIT"). Case website here (will be kept updated). Court order expected soon, though impossible to know for sure.
I've also released 3 FOIA docs (see 2015-12-30 update), which I submitted as exhibits:
- MD 100.4 2012-01-25 Transportation Security Searches (11p, full) — showing TSA's expansion to "bus, train, [and] other public conveyance"
- SPOT validation study Vol 1 Ch 4 — Descriptive analyses — summary of sources for items (1p) — showing 90% of what they find is immigration and drug related, not weapons
- SPOT validation study Vol 3 App F — Supporting tables — prohibited items data (2p) — giving breakdown list of "prohibited items" they find
See previously:
-
AVG Forces Chrome Extension On Users, Extension Is Woefully Insecure (google.com)
An anonymous reader writes: The AVG Web TuneUp Chrome extension, forcibly added to Google Chrome browsers when users were installing the AVG antivirus, had a serious flaw that allowed attackers to get the user's browsing history, cookies, and more. "This extension adds numerous JavaScript APIs to Chrome, apparently so that they can hijack search settings and the new tab page," explains Mr. Ormandy. "The installation process is quite complicated so that they [AVG] can bypass the Chrome [Store] malware checks, which specifically tries to stop abuse of the [Chrome] Extension API." Simple XSS and MitM attacks expose data from other tabs opened in the browser, browsing history, and even manage to render SSL useless. -
Motion Filed In 1st Circuit To Enjoin TSA's New Mandatory "AIT" Screening (google.com)
New submitter saizai writes: TSA has made electronic strip search mandatory whenever they feel like it. "TSA is updating the AIT PIA to reflect a change to the operating protocol regarding the ability of individuals to opt out of AIT screening in favor of physical screening. While passengers may generally decline AIT screening in favor of physical screening, TSA may direct mandatory AIT screening for some passengers as warranted by security considerations in order to safeguard transportation security." I've filed for an injunction against new TSA policy on mandatory AIT, in my general lawsuit challenging TSA's "orders". The court says TSA will respond to my motion by Tuesday. I'll reply immediately. Hopefully will have it put on hold before January. (Note that "AIT" stands for "Advanced Imaging Technology," the term TSA applies to walk-through body scanners.) -
Did Google and the Hour of Code Get "Left" and "Right" Wrong?
theodp writes: Command the dancers to "point left" in Google's dance-themed Code Boogie learn-to-code tutorial on the Santa Tracker website, and the dancers actually point to their own right. The lesson seems to reinforce a common mistake made by younger children learning to code in LOGO, which is to use their own or the display screen's frame of reference rather than the turtle's frame of reference. "These misconceptions," explained Richard E. Mayer, "may be due to the knowledge that the child brings with him or her to the programming environment. For example, children who possess an egocentric conception of space (Piaget & Inhelder, 1956) would fail to recognize that when the turtle is at a 180-degree orientation, its right corresponds to the child's left." So, it should probably be asked if the learn-to-code tutorials from Lucasfilm, Code.org, and Google that are being used to teach the world's K-12 schoolchildren to code might be making the same mistake as 4-7 year-olds. In this year's flagship Lucasfilm/Code.org Star Wars Hour of Code tutorial, for example, command the droid BB-8 to move left and it could move to either its own left or right depending on what direction it's pointed in. So, did the "Largest Learning Event in History" also get "left" and "right" wrong? -
White House Expected To Announce Big Computer Science Push
theodp writes: Politico reports that the White House is talking to groups about a push for computer science education in the coming weeks, possibly in mid-January, which could involve commitments from outside groups or companies. Code.org CEO Hadi Partovi recently credited a 2013 push from the White House for inspiring Code.org to dream up and team up with Big Tech on the wildly-successful Hour of Code, an event that brought teachers, schools, computer scientist volunteers, and other organizations together with the goal of bringing hands-on CS learning to 10 million K-12 students. Coincidentally, the Hour of Code event bears more than a passing similarity to the less-successful and now-abandoned National Lab Day (school flyer), an annual event announced by President Obama in 2009 that brought teachers, schools, computer scientist volunteers, and other organizations together with the goal of bringing hands-on STEM learning to 10 million K-12 students. -
New Outlook Bug Doesn't Require Users To Interact With Emails To Be Compromised (softpedia.com)
An anonymous reader writes: A new bug in Outlook allows attackers to compromise a user's computer just by sending an email, without the user clicking anything or downloading attachments. The bug [PDF] exists because Outlook allows Flash objects to be previewed without a sandbox. Flash files are demon spawns, and attackers can put exploits in malicious files which, when previewed or viewed inside an Outlook application, will automatically execute their payload. -
VLC Launches On Chrome OS Thanks To Android Port
An anonymous reader writes: VideoLAN today launched VLC, the world's most used media player, for Chrome OS. You can download the new app, which is a port of the VLC version for Android, from the Chrome Web Store. Chrome OS was one of the last desktop operating systems for which VLC was not available (the media player exists for Windows, OS X, Linux, BSD, Solaris, OS/2, Haiku/BeOS, and ReactOS). Yet Chrome OS wasn't an easy operating system to support, as VLC is a native application on all platforms (it uses low-level APIs to output video, audio, and gain access to threads) built using mostly C and C++. Writing VLC in JavaScript and other Web technologies, as Chrome OS requires, is not an easy task by any stretch. -
Google Santa Tracker Is Back
theodp writes: Google Santa Tracker is back, notes the Official Google Blog, and kids can brush up on their computer skills there with new coding games throughout the month. If they want to explore more Google coding projects, Santa Tracker advises kids to visit Made With Code, where they can learn how to "design a Zac Posen dress that turns heads and lights up a room." Made with Code, Google explains in its FAQs, is part of the company's $90M mission to creatively engage girls with code. Last year, Made With Code teamed with the National Park Service to make the lighting of the White House Christmas trees a girls-only coding project. -
Intel Skylake CPUs Are Warping Under Mounting Pressure From Third-Party Coolers (hothardware.com)
MojoKid writes: It's been discovered that some third-party heat sinks can physically damage Intel's new Skylake CPUs, along with the pins in the accompanying motherboard socket. The problem has prompted at least one cooler maker to change the design of its Socket 1151 heat sinks and it wouldn't be surprising if others soon followed suit. The apparent issue is the substrate Intel used for its Skylake chips. A close-up shot of a Skylake CPU sitting side-by-side with a Broadwell processor (Google translation of German original) shows that the substrate is noticeably thinner on Skylake, and thus prone to bending from the force that some third-party heat sinks exert. Intel has addressed the issue by saying, “The design specifications and guidelines for the 6th Gen Intel Core processor using the LGA 1151 socket are unchanged from previous generations and are available for partners and 3rd party manufacturers. Intel can’t comment on 3rd party designs or their adherence to the recommended design specifications. For questions about a specific cooling product we must defer to the manufacturer.” -
Sued For Using HTTPS: Companies In Crypto Patent Fight (theregister.co.uk)
yoink! writes: According to an article in The Register, corporations big and small are coming under legal fire from CryptoPeak. The company holds U.S. Patent 6,202,150, which describes "auto-escrowable and auto-certifiable cryptosystems", and has claimed that the Elliptic Curve Cryptography methods/implementations used as part of the HTTPS protocol violate their intellectual property. Naturally, reasonable people disagree. -
Book Review: Security Operations Center
benrothke writes: Large enterprises have numerous information security challenges. Aside from the external threats, there's the onslaught of security data from disparate systems, platforms and applications. Getting a handle on the security output from numerous point solutions (anti-virus, routers/switches, firewalls, IDS/IPS, ERP, access control, identity management, single sign-on and others), often generating tens of millions of messages and alerts daily, is not a trivial endeavor. As attacks become more frequent and sophisticated, and with regulatory compliance issues placing an increasing burden, there needs to be a better way to manage all of this. Getting the raw hardware, software and people to create a SOC is not that difficult. The challenge, and it's a big challenge, is integrating those 3 components to ensure that a formal SOC can operate effectively. In Security Operations Center: Building, Operating, and Maintaining your SOC, authors Joseph Muniz, Gary McIntyre and Nadhem AlFardan have written an indispensable reference on the topic. The authors have significant SOC development experience, and provide the reader with a detailed plan on all the steps involved in creating a SOC. Keep reading for the rest of Ben's review.
Security Operations Center: Building, Operating, and Maintaining your SOC
Author: Joseph Muniz, Gary McIntyre, Nadhem AlFardan
Pages: 448
Publisher: Cisco Press
Rating: 10/10
Reviewer: Ben Rothke
ISBN: 978-0134052014
Summary: Indispensable guide for those designing and deploying a SOC
As Mike Rothman noted about managed services providers, and something that is relevant to a SOC, you should have no illusions about the amount of effort required to get a SOC up and running, or what it takes to keep one current and useful.
Many organizations have neither the time nor the resources to implement a SOC, but do so anyway, and are then trapped on the hamster wheel of pain: reacting without sufficient visibility, and without time to invest in gaining the much-needed visibility into threats that the SOC had the potential to provide them with, had they done it right. Those considering deploying a SOC and not wanting to be on the hamster wheel of pain will need this book.
The authors have done a great job in covering every phase and many details required to build out a SOC. After going through the book, some readers will likely reconsider deploying an internal SOC given the difficulties and challenges involved. This is especially true since SOC design and deployment is something not many people have experience with.
The book is written for an organization that is serious about building an enterprise SOC. The authors spend much of the book focusing on the myriad requirements for creation of a SOC. They constantly reiterate the details that need to be determined before moving forward.
Chapter 4 on SOC strategy is important as the way in which a firm determines their strategy will affect every aspect of the outcome. The authors wisely note that an inadequate or inaccurate SOC strategy, and the ensuing capabilities assessment exercises would produce a SOC strategy that does not properly address the actual requirements of the organization.
Ultimately, failing to adequately plan and design is a guarantee for SOC failure. That in turn will affect and impact deployment timelines, budgets and cause frustration, dissatisfaction and friction between the different teams involved in the SOC program.
The authors' expertise is evident in every chapter, and their real-world experience is quite obvious in chapter 5 on facilities, which is an area often neglected in SOC design. The significant issue is that if the facility the SOC team operates out of does not meet certain baseline requirements, SOC effectiveness will be significantly, and often detrimentally, impacted. The chapter details many overlooked topics such as acoustics, lighting, ergonomics, and more.
Staffing a SOC is another challenge, and the book dedicates chapter 8 to that. The SOC is only as good as the people inside it, and the SOC staff requires a blend of skills. If the organization wants their SOC to operate 24x7, it will obviously require a lot more of these hard-to-find SOC analysts.
Another helpful aspect is found in chapter 10, which has a number of checklists you can use to verify that all the required pieces are in place prior to a go-live date, or to identify areas that may not be completed as expected.
With Muniz and AlFardan being Cisco employees and this being a Cisco Press title, the book has a strong emphasis towards Cisco hardware and software. Nonetheless, the book is still quite useful even for those who won't be using Cisco products.
Building a SOC is an arduous process which takes a huge amount of planning and work. This work must be executed by people from different teams and departments, all working together. Because of these challenges, far too many SOC deployments fail. But for anyone who is serious about building out a SOC, this book should be a part of that effort.
The reason far too many, perhaps most, SOC deployments fail is that firms make the mistake of obsessing over the hardware and software, without adequately considering the security operations functions. The authors make it eminently clear that such an approach won't work, and provide you with the expert guidance to obviate that.
For anyone considering building a SOC, or who wants to understand all of the details involved in building one, Security Operations Center: Building, Operating, and Maintaining your SOC is an absolute must-read.
Reviewed by Ben Rothke.
You can purchase Security Operations Center: Building, Operating, and Maintaining your SOC from amazon.com. Slashdot welcomes readers' book reviews (sci-fi included) -- to see your own review here, read the book review guidelines, then visit the submission page. If you'd like to see what books we have available from our review library please let us know. -
Finnish IT Retailer Reveals Most Returned Products
jones_supa writes: The largest computer gear retailer in Finland, Verkkokauppa.com, has unveiled top 20 lists of most returned and most serviced equipment in 2015 (Google translation). To offer an alternative to Black Friday, the company is going with a theme called "Sustainable Christmas". They want to guide shoppers to make good choices, as product returns always create extra burden for the distribution chain. Is there anything that catches your eye in the lists, or something else that you would like to warn about? -
Google Scours 1.2 Million URLs To Conform With EU's "Right To Be Forgotten" Law (engadget.com)
An anonymous reader writes: According to a Google report the company has evaluated 1,234,092 URLs from 348,085 requests since the EU's May 2014 "right to be forgotten" ruling, and has removed 42% of those URLs. Engadget reports: "To show how it comes to its decisions, the company shared some of the requests it received and its decisions. For example: a private citizen that was convicted of a serious crime, but had that conviction overturned during appeal, had search results about the crime removed. Meanwhile a high ranking public official in Hungary failed to get the results squelched of a decades-old criminal conviction. Of course, that doesn't mean the system is perfect and the company has already been accused of making mistakes." -
Jolla Goes For Debt Restructuring (phoronix.com)
jones_supa writes: Months after the smartphone company Jolla announced its split and intent to focus on Sailfish OS licensing, its financial situation has not improved. Jolla's latest financing round has been delayed and so they have had to file for debt restructuring in Finland. As part of that, the company is temporarily laying off a big part of its personnel (Google translation of Finnish original). Jolla co-founder Antti Saarnio said, "Our operating system Sailfish OS is in great shape currently and it is commercially ready. Unfortunately the development until this point has required quite a lot of time and money (PDF). To get out of this death valley we need to move from a development phase into a growth phase. At the same time we need to adapt our cost levels to the new situation. One of the main actions is to tailor the operating system to fit the needs of different clients. We have several major and smaller potential clients who are interested in using Sailfish OS in their projects."