Domain: slashdot.org
Stories and comments across the archive that link to slashdot.org.
Stories · 37,380
-
Destructive KillDisk Malware Turns Into Ransomware (securityweek.com)
wiredmikey writes from a report via SecurityWeek: A recently discovered variant of the KillDisk malware encrypts files and holds them for ransom instead of deleting them. Since KillDisk has been used in attacks aimed at industrial control systems (ICS), experts are concerned that threat actors may be bringing ransomware into the industrial domain. CyberX VP of research David Atch told SecurityWeek that the KillDisk variant they have analyzed is a well-written piece of ransomware, and victims are instructed to pay 222 bitcoins ($210,000) to recover their files, which experts believe suggests that the attackers are targeting "organizations with deep pockets." From the report: "The ransomware is designed to encrypt various types of files, including documents, databases, source code, disk images, emails and media files. Both local partitions and network folders are targeted. The contact email address provided to affected users is associated with Lelantos, a privacy-focused email provider only accessible through the Tor network. The Bitcoin address to which victims are told to send the ransom has so far not made any transactions. Atch pointed out that the same RSA public key is used for all samples, which means that a user who receives a decryptor will likely be able to decrypt files for all victims. According to CyberX, the malware requires elevated privileges and registers itself as a service. The threat terminates various processes, but it avoids critical system processes and ones associated with anti-malware applications, likely to avoid disrupting the system and triggering detection by security products." -
Overclocker Pushes Intel Core i7-7700K Past 7GHz Using Liquid Nitrogen (hothardware.com)
MojoKid writes from a report via HotHardware: If you've had any doubts of Intel's upcoming Kaby Lake processor's capabilities with respect to overclocking, don't fret. It's looking like even the most dedicated overclockers are going to have a blast with this series. Someone recently got a hold of an Intel Core i7-7700K chip and decided to take it for an overclocking spin. Interestingly, the motherboard used is not one of the upcoming series designed for Kaby Lake, but the chip was instead overclocked on a Z170 motherboard from ASRock (Z170M OC Formula). That bodes well for those planning to snag a Kaby Lake CPU and would rather not have to upgrade their motherboard as well. With liquid nitrogen cooling the processor, this particular chip peaked at just over 7GHz, which helped deliver a SuperPi 32M time of 4m 20s, and a wPrime 1024M time of 1m 33s. It's encouraging to see the chip breaking this clock speed, even with extreme methods, since it's a potential relative indicator of how much headroom will be available for overclocking with more standard cooling solutions. -
Uber Launches 'Uber Freight' Website To Prepare the World For Autonomous Delivery Trucks (inverse.com)
Uber has launched a website for a service called Uber Freight. While there are little details about the company's expansion from ride-hailing, Uber Freight is meant to prepare the world for autonomous delivery trucks, according to Inverse. From the report: Uber acquired a startup called Otto, which planned to bring the first self-driving trucks to market, in August. Since then the company has used its trucks to deliver 50,000 cans of beer and hundreds of Christmas trees in San Francisco. This new service won't use those trucks, at least not at the beginning. Instead it will function much like Uber's existing platform: Some people will sign up to drive items across the country, and others will join so they can send packages without having to sign a contract with established shipping companies. The service will likely bring "surge pricing" to trucking, too. Uber Freight could also help Otto's trucks by using data gathered from drivers on the platform. This would allow the self-driving vehicles to learn from experienced people while regulators figure out how to govern autonomous trucks and the technology catches up to all of the promises made by its creators. Uber Freight's launch coincides with growing interest in trucking from many tech companies. Nikola Motor Company wants to use tech to make trucking more environmentally friendly and appealing to millennials; Tesla's working on self-driving trucks; the list could go on. Uber told Inverse it's going to wait until the new year to elaborate on how the system works. "We don't have any new information to share at the moment," a spokesperson said, "but hope to in the new year so please do stay in touch." It looks like the future of trucking -- or at least one potential future -- is going to take a little while longer to make its debut. -
Fitbit Drops Lawsuit Against Jawbone (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: Just before the Christmas holiday, Fitbit dropped a case it filed with the U.S. International Trade Commission claiming Jawbone had violated one of Fitbit's patents. The trial for this case had been set for March 2017, and if Fitbit had won, it would have prevented Jawbone from importing its devices into the US. In a report from The Wall Street Journal, Fitbit states: "Jawbone appears to be a different company. SEC filings of one of its biggest investors now value Jawbone shares as worth nothing, as well as indicate that Jawbone has filed for bankruptcy or is in default." There are no reports of Jawbone being in default, nor has the company filed for bankruptcy. Jawbone gave a statement to Recode which states: "By dismissing this action, Fitbit is no longer seeking to block importation of Jawbone devices, including Jawbone products in development. Jawbone believes this case -- involving patents already found once to be invalid -- should have been dismissed long ago by Fitbit." This is likely the simplest ending that any of the lawsuits between Fitbit and Jawbone will have. In April, the ITC ruled in Fitbit's favor after Jawbone filed a claim stating its rival had infringed on some of its sleep monitoring and data output patents. Later in August, Fitbit came out on top again after the ITC ruled it did not misappropriate trade secrets from Jawbone. -
Iconic Star Wars Actress Carrie Fisher Dies at 60 (people.com)
Carrie Fisher, the actress, author and screenwriter who brought a rare combination of nerve, grit and hopefulness to her most indelible role, as Princess Leia in the "Star Wars" film franchise, died on Tuesday morning at the age of 60. From a report: "It is with a very deep sadness that Billie Lourd confirms that her beloved mother Carrie Fisher passed away at 8:55 this morning," reads the statement. Fisher was flying from London to Los Angeles on Friday, Dec. 23, when she went into cardiac arrest. Paramedics removed her from the flight and rushed her to a nearby hospital, where she was treated for a heart attack. She later died in the hospital. The daughter of renowned entertainers Debbie Reynolds and Eddie Fisher, Fisher was brought up in the sometimes tumultuous world of film, theater and television. Escaping Hollywood in 1973, the star enrolled in the Central School of Speech and Drama in London, where she spent over a year studying acting. Just two years later, though, the bright lights of Hollywood drew her back, and Fisher made her film debut in the Warren Beatty-led Shampoo. Her role in Star Wars would follow in 1977 -- and she detailed the experience, including her on-set affair with costar Harrison Ford, in her latest memoir, The Princess Diarist. She was only 19 when the first installment of the beloved sci-fi franchise was filmed. Fisher's fans, family, and colleagues have paid their tribute to the actress. The Guardian has published an intense tribute to Fisher in an article titled "The loss of Carrie Fisher is felt by all who love Hollywood, warmth and wit".
From BBC's obituary of Fisher: She was a self-confessed bookworm as a child reading poetry and classical literature. Her high school education was disrupted by the lure of the stage when she appeared in the musical Irene alongside her mother, and she never graduated. She moved to London where she enrolled in the Central School of Speech and Drama before returning to the US and attending the Sarah Lawrence arts college near New York. Having managed to kick drugs and alcohol, she was rushed to hospital in 1985 after accidentally taking an overdose of sleeping pills and prescription drugs. The episode formed the basis for her first novel, the semi-autobiographical Postcards from the Edge, in which she satirised her own dependence on drugs and the sometimes difficult relationship she had with her mother. Three years later Fisher adapted it into a screenplay, and it was made into a film starring Meryl Streep, Shirley MacLaine, and Dennis Quaid. Fisher -- who had bipolar disorder -- also wrote and frequently talked in public about her years of drug addiction and mental illness. Carrie Fisher's fame as an actress rested on just one role, but it was a role in one of the best known and most successful film franchises in cinema history. She was remarkably frank about the personal difficulties she had fought and overcome. "There's a part of me that gets surprised when people think I am brave to talk about what I've gone through," she once said. "I was brave to last through it." The world is poorer without you, Fisher. Rest in peace. -
With Cyanogen Dead, Google's Control Over Android Is Tighter Than Ever (greenbot.com)
Last week, Cyanogen Inc announced it is shutting down all its services. A day later, CyanogenMod announced that it is going away too. Regardless of how you found Cyanogen's commercial operating system or open source fork CyanogenMod, the demise has bigger implications. From a report on GreenBot: Cyanogen might never have seriously threatened to take control of Android, but the upstart's shutdown still represents a major victory for Google. As Google showed with the launch of the Pixel, the company is taking steps to ensure no one ever gets close to stealing Android's soul ever again. [...] In many ways, Cyanogen encapsulated more of the spirit of Google's mobile OS project than Android itself ever did. As an early offshoot of the mainstream project designed and supported by habitual modders, Cyanogen was in many ways more aligned with the iOS jailbreaking community than Android proper, bringing customization and features far beyond those available in the stock OS. But almost as quickly as Android took off, Google began reining it in. By implementing stricter rules for manufacturers to prevent further fragmentation -- including licensing of its apps and mandatory inclusion of its search bar widget -- Google actively worked to keep deviant versions of Android on the fringes. Nonetheless, CyanogenMod persisted, surviving cease-and-desist orders, takeover rumors and general Google-led consternation. And now it's all over. Google won, not by waging war with Cyanogen but by doubling down on its own vision, forging partnerships with manufacturers, and working to ensure that Google's Android remained the world's Android. -
Amazon Prime Video's Global Launch Looks Soft, But It's Just a First Step (variety.com)
Earlier this month, Amazon announced that it is expanding its Prime Video on-demand video streaming service to over 200 countries and territories. But how good is the content catalogue? A report on Variety explores: In several countries looked at by Variety, the company hasn't even bothered to translate the PrimeVideo.com website's interface from English into the local language. And its content offerings seem scant and lacking in local flavor. Amazon's strategy appears to be a two-step process: first establish a global footprint, then go back and build out more tailored platforms in key new markets with better-curated and more local-language content, similar to what the company has already done in the U.S., the U.K., Germany, Austria, and Japan. In India, they set up a local operation prior to their Dec. 14 launch there. "We are just getting started. It's still day one for us," Roy Price, Vice President, Amazon Prime Video and Amazon Studio, wrote in emailed comments to Variety. "Like everything we do at Amazon, we are focused on continuously improving the customer experience, including adding content and localizing features over time," Price said, noting that Prime will be adding new Amazon originals as well as licenced and localized programming in the future. To do this, Amazon will likely start cutting larger acquisition deals with prominent local players, including leading broadcasters. -
Microsoft Could Be First Tech Company To Reach Trillion-Dollar Market Value: Analyst (geekwire.com)
Microsoft's $26.2 billion acquisition of LinkedIn could help the Redmond company become the first technology giant to reach a market value of $1 trillion, or so thinks a notable analyst. Analyst Michael Markowski believes that Microsoft will be able to leverage LinkedIn to become a leader in social media space and the emerging crowdfunding platform. So much so that it will beat Amazon, Google, Apple, and Facebook in becoming the first company to hit $1 trillion market value. From a report on GeekWire: Here are the market caps of these big tech companies as of Monday morning: Apple: $622.6B, Alphabet: $549.7B, Microsoft: $489.3B, Amazon: $358.7B, and Facebook: $337.6B. "The public has an insatiable appetite for making small bets and purchasing lottery tickets, etc., that provide the chance to make a big profit," Markowski wrote. "The millennials will be a good example. Many will want to routinely invest $100 or even less into high-risk ventures that could produce returns of 10X to 100X." Microsoft, through LinkedIn, will be able to take advantage of this trend because it has a monopoly on the business social media sphere. Markowski predicts that all the big tech companies will eventually build services to facilitate crowdfunding investments. -
Apple Working With Consumer Reports on MacBook Pro's Battery Issue (cnet.com)
Last week, Consumer Reports concluded that it won't be recommending Apple's new MacBook Pro models. The American magazine published since 1936 by Consumers Union, a nonprofit organization, cited inconsistent battery issues for not recommending the MacBook Pro for the first time in its history. Apple's VP of Marketing has since addressed the report, saying they are working with the magazine to understand the results. From a report: Apple Senior Vice President Phil Schiller followed up with a tweet late Friday saying Apple is "working with CR to understand their battery tests. Results do not match our extensive lab tests or field data." Consumer Reports' review says that in-house testing revealed wild fluctuations in battery life for unplugged MacBook Pro computers. In the case of the 13-inch model without a Touch Bar, for example, battery life ranged from 19.5 hours to just 4.5 hours. Apple says the devices should operate for up to 10 hours between charges. -
Apple's Beef With Nokia Gets Intense, All Withings Products Pulled From Online Store (recode.net)
In less than a week after Nokia sued Apple for patent infringement in courts around the world, saying that Apple has refused to license its patents, Apple has pulled all Withings products from its stores. Earlier this year, Nokia bought Withings, which makes Wi-Fi scales and other digital health and fitness gear. -
All Cyanogen Services Are Shutting Down (cyngn.com)
Long-time Slashdot reader Nemosoft Unv. writes: A very brief post on Cyanogen's blog says it all really: "As part of the ongoing consolidation of Cyanogen, all services and Cyanogen-supported nightly builds will be discontinued no later than 12/31/16. The open source project and source code will remain available for anyone who wants to build CyanogenMod personally." Of course, with no focused team behind the CyanogenMod project it's effectively dead. Building an Android OS from scratch is no mean feat and most users won't be able to pull this off, let alone make fixes and updates. So what will happen next? Cyanogen had already laid off 20% of its workforce in July, and in November announced they had "separated ties" with Cyanogen founder and primary contributor Steve Kondik. One Android site quoted Kondik as saying "what I was trying to do, is over" in a private Google+ community, and the same day Kondik posted on Twitter, "Time for the next adventure." He hasn't posted since, so it's not clear what he's up to now. But the more important question is whether anyone will continue developing CyanogenMod.
UPDATE: Android Police reports that the CyanogenMod team "has posted an update of their own, confirming the shutdown of the CM infrastructure and outlining a plan to continue the open-source initiative as Lineage." The team posts on their blog that "we the community of developers, designers, device maintainers and translators have taken the steps necessary to produce a fork of the CM source code and pending patches." -
Twitter Admits It Recently Overcharged For Ads (cnn.com)
An anonymous reader quotes a CBS report about more bad news for Twitter: The microblogging service has acknowledged that it inadvertently overcharged some advertisers for video ads, capping off a year that has featured a failed sale of the company, the departure of six of its 10 top executives and a nearly 30% drop in its stock price. As Business Insider reported, a bug in a recent version of Twitter's Android App inflated some metrics by as much as 35% for video ad campaigns that ran between November 7 and December 12.
The San Francisco-based company issued refunds to the affected advertisers, which in many cases were for minimal amounts of money, a person familiar with the situation said. "The impact was limited given this happened only on Android clients over the course of a month," the San Francisco-based company said in a statement. "This was a technical error, not a policy or definition issue, so it has been resolved."
One analyst told CBS, "I don't think this as fatal as it is embarrassing." -
GamerGate Critic Brianna Wu To Run For Congress (cnn.com)
"If you look at what our Congress is doing for tech, it's failing. It's putting all of us in danger," game developer Brianna Wu told CNN, adding "It's so imperative that people of my generation, native to technology, that we step up and make our voices known." An anonymous reader quotes CNN's report: Wu says she is running for Congress in 2018. The co-founder and head of development at games firm Giant Spacekat hasn't announced which district she wants to represent in the U.S. House of Representatives to prevent alerting her potential opponent while she prepares. Wu, a Massachusetts Democrat, told CNNMoney she's building up a team of advisers and figuring out campaign logistics before announcing her candidacy next month... She said the election of President-elect Donald Trump spurred her to consider entering politics...
Wu "says her extensive technical knowledge and experience fighting the alt-right and harassment and will be advantageous for a Congressional representative." -
Python 3.6 Released (python.org)
On Friday, more than a year after Python 3.5, core developers Elvis Pranskevichus and Yury Selivanov announced the release of version 3.6. An anonymous reader writes: InfoWorld describes the changes as async in more places, speed and memory usage improvements, and pluggable support for JITs, tracers, and debuggers. "Python 3.6 also provides support for DTrace and SystemTap, brings a secrets module to the standard library [to generate authentication tokens], introduces new string and number formats, and adds type annotations for variables. It also gives us easier methods to customize the creation of subclasses."
You can read Slashdot's interview with Python creator Guido van Rossum from 2013. I also remember an interview this July where Perl creator Larry Wall called Python "a pretty okay first language, with a tendency towards style enforcement, monoculture, and group-think...more interested in giving you one adequate way to do something than it is in giving you a workshop that you, the programmer, get to choose the best tool from." Anyone want to share their thoughts today about the future of Python? -
U2F Security Keys May Be the World's Best Hope Against Account Takeovers (arstechnica.com)
earlytime writes: Large scale account hacks such as the billion user Yahoo breach and targeted phishing hacks of gmail accounts during the U.S. election have made 2016 an infamous year for web security. Along comes U2F/web-security keys to address these issues at a critical time. Ars Technica reports that U2F keys "may be the world's best hope against account takeovers": "The Security Keys are based on Universal Second Factor, an open standard that's easy for end users to use and straightforward for engineers to stitch into hardware and websites. When plugged into a standard USB port, the keys provide a 'cryptographic assertion' that's just about impossible for attackers to guess or phish. Accounts can require that cryptographic key in addition to a normal user password when users log in. Google, Dropbox, GitHub, and other sites have already implemented the standard into their platforms. After more than two years of public implementation and internal study, Google security architects have declared Security Keys their preferred form of two-factor authentication. The architects based their assessment on the ease of using and deploying keys, the security it provided against phishing and other types of password attacks, and the lack of privacy trade-offs that accompany some other forms of two-factor authentication."
The researchers wrote in a recently published report: "We have shipped support for Security Keys in the Chrome browser, have deployed it within Google's internal sign-in system, and have enabled Security Keys as an available second factor in Google's Web services. In this work, we demonstrate that Security Keys lead to both an increased level of security and user satisfaction as well as cheaper support cost." -
US Government Begins Asking Foreign Travelers About Social Media (politico.com)
schwit1 quotes a report from Politico: Since Tuesday, foreign travelers arriving in the United States on the visa waiver program have been presented with an "optional" request to "enter information associated with your online presence," a government official confirmed Thursday. The prompt includes a drop-down menu that lists platforms including Facebook, Google+, Instagram, LinkedIn and YouTube, as well as a space for users to input their account names on those sites. The new policy comes as Washington tries to improve its ability to spot and deny entry to individuals who have ties to terrorist groups like the Islamic State. But the government has faced a barrage of criticism since it first floated the idea last summer. The Internet Association, which represents companies including Facebook, Google and Twitter, at the time joined with consumer advocates to argue the draft policy threatened free expression and posed new privacy and security risks to foreigners. Now that it is final, those opponents are furious the Obama administration ignored their concerns. The question itself is included in what's known as the Electronic System for Travel Authorization, a process that certain foreign travelers must complete to come to the United States. ESTA and a related paper form specifically apply to those arriving here through the visa-waiver program, which allows citizens of 38 countries to travel and stay in the United States for up to 90 days without a visa. "There are very few rules about how that information is being collected, maintained [and] disseminated to other agencies, and there are no guidelines about limiting the government's use of that information," said Michael W. Macleod-Ball, chief of staff for the American Civil Liberties Union's Washington office. "While the government certainly has a right to collect some information... It would be nice if they would focus on the privacy concerns some advocacy groups have long expressed." -
FBI Probes FDIC Hack Linked To China's Military: Reuters (reuters.com)
An anonymous reader quotes a report from Reuters: The FBI is investigating how hackers infiltrated computers at the Federal Deposit Insurance Corporation for several years beginning in 2010 in a breach senior FDIC officials believe was sponsored by China's military, people with knowledge of the matter said. The security breach, in which hackers gained access to dozens of computers including the workstation for former FDIC Chairwoman Sheila Bair, has also been the target of a probe by a congressional committee. The FDIC is one of three federal agencies that regulate commercial banks in the United States. It oversees confidential plans for how big banks would handle bankruptcy and has access to records on millions of individual American deposits. Last month, the banking regulator allowed congressional staff to view internal communications between senior FDIC officials related to the hacking, two people who took part in the review said. In the exchanges, the officials referred to the attacks as having been carried out by Chinese military-sponsored hackers, they said. The staff was not allowed to keep copies of the exchanges, which did not explain why the FDIC officials believe the Chinese military was behind the breach. After FDIC staff discovered the hack in 2010, it persisted into the next year and possibly later, with staff working at least through 2012 to verify the hackers were expunged, according to a 2013 internal probe conducted by the FDIC's inspector general, an internal watchdog. The intrusion is part of a series of cybersecurity lapses at the FDIC in recent years that continued even after the hack suspected to be linked to Beijing. This year, the FDIC has reported to Congress at least seven cybersecurity incidents it considered to be major which occurred in 2015 or 2016. -
NVIDIA Quadro P6000 and P5000 Pascal Pro Graphics Powerhouses Put To the Test (hothardware.com)
Reader MojoKid writes: NVIDIA's Pascal architecture has been wildly successful in the consumer space. The various GPUs that power the GeForce GTX 10 series are all highly competitive at their respective price points, and the higher-end variants are currently unmatched by any single competing GPU. NVIDIA has since retooled Pascal for the professional workstation market as well, with products that make even the GeForce GTX 1080 and TITAN X look quaint in comparison. NVIDIA's beastly Quadro P6000 and Quadro P5000 are Pascal powered behemoths, packing up to 24GB of GDDR5X memory and GPUs that are more capable than their consumer-targeted counterparts. Though it is built around the same GP102 GPU, the Quadro P6000 is particularly interesting, because it is outfitted with a fully-functional Pascal GPU with all of its SMs enabled, which results in 3,840 active cores, versus 3,584 on the TITAN X. The P5000 has the same GP104 GPU as the GTX 1080, but packs in twice the amount of memory -- 8GB vs 16GB. In the benchmarks, with cryptographic workloads and pro-workstation targeted graphics tests, the Quadro P6000 and Quadro P5000 are dominant across the board. The P6000 significantly outpaced the previous-generation Maxwell-based Quadro M6000 throughout testing, and the P5000 managed to outpace the M6000 on a few occasions as well. Of particular note is that the Quadro P6000 and P5000, while offering better performance than NVIDIA's previous-gen, high-end professional graphics cards, do it in much lower power envelopes, and they're quieter too. In a couple of quick gaming benchmarks, the P6000 may give us a hint at what NVIDIA has in store for the rumored GeForce GTX 1080 Ti, with all CUDA cores enabled in its GP102 GPU and performance over 10% faster than a Titan X. -
World's First 'Solar Panel Road' Opens In France (theverge.com)
The world's first solar road has officially opened in the small village of Tourouvre-au-Perche in Normandy, France. The road is 1 kilometer long and can generate enough electricity to power the street lights. The Verge reports: That might not sound very impressive for 30,000 square feet of solar panels -- and it kind of isn't, especially for its $5.2 million price tag. The panels have been covered in a silicon-based resin that allows them to withstand the weight of passing big rigs, and if the road performs as expected, Royal wants to see solar panels installed across 1,000 kilometers of French highway. There are numerous issues, however. For one, flat solar panels are less effective than the angled panels that are installed on roofs, and they're also massively more expensive than traditional panels. Colas, the company that installed the road, hopes to reduce the cost of the panels going forward and it has around 100 solar panel road projects in progress around the world. Earlier this year, Solar Roadways partnered with the Missouri Department of Transportation to upgrade a small stretch of the historic Route 66 roadway with solar-powered panels. They too are facing the same seemingly insurmountable cost problems as Colas and the French. -
Uber Pulls Self-Driving Cars From San Francisco, Sends Them To Arizona (sfgate.com)
An anonymous reader quotes a report from SFGate: Uber is moving its self-driving pilot to Arizona, one day after the California Department of Motor Vehicles ordered the autonomous vehicles off the roads in San Francisco. "Our cars departed for Arizona this morning by truck," an Uber spokeswoman said Thursday afternoon in a statement. "We'll be expanding our self-driving pilot there in the next few weeks, and we're excited to have the support of Governor Ducey." After starting its San Francisco pilot on Dec. 14, the ride-hailing company angered the mayor and officials at the DMV by refusing to get a permit to operate its self-driving cars. And so, around noon on Thursday, a fleet of Uber self-driving cars passed through the South of Market area on the backs of several flat-bed trucks. Commuters gawked at the fleet with their distinctive hoods, backing up traffic as the convoy slowly drove by. In a statement Thursday, Arizona Governor Doug Ducey called California's regulations "burdensome" and said Arizona welcomes Uber's self-driving car pilot with "open arms." "While California puts the brakes on innovation and change with more bureaucracy and more regulation, Arizona is paving the way for new technology and new businesses," he said. It is unclear which city -- or cities -- the cars are headed to. -
Congressional Report Claims Snowden In 'Contact With Russian Intelligence' (cnn.com)
An anonymous reader quotes a report from CNN: Edward Snowden has been in contact with Russian intelligence officials since arriving in Russia in 2013, according to a new report from Congress. "Since Snowden's arrival in Moscow, he has had, and continues to have, contact with Russian intelligence services," the 33-page report, issued Thursday by the bipartisan House Permanent Select Committee on Intelligence, said. Snowden, the former National Security Agency contractor who leaked volumes of information on American intelligence and surveillance operations to the media, settled in Moscow after initially traveling to Hong Kong following his 2013 public disclosure of classified information. The Russian government granted asylum to Snowden shortly thereafter. Large portions of the pertinent section, entitled "foreign influence," are redacted, but one paragraph reveals the Russian link, saying that Frants Klintsevich, the deputy chairman of the Russian parliament's defense and security committee, "publicly conceded that 'Snowden did share intelligence' with his government." Snowden immediately took to Twitter following the report's release to dispute the accusations, writing "they claim without evidence that I'm in cahoots with the Russians." The report cites classified material in the section linking Snowden to Russian intelligence. The investigation also noted that Snowden left encrypted hard drives containing classified information in Hong Kong and that the CIA had refused to grant Snowden access to sensitive information years before he began working with the NSA, documenting numerous issues that Snowden had with supervisors and co-workers during his various jobs in the intelligence community. -
Firefox Takes the Next Step Towards Rolling Out Multi-Process To Everyone (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: With Firefox 50, Mozilla has rolled out the first major piece of its new multi-process architecture. Edge, Internet Explorer, Chrome, and Safari all have a multiple process design that separates their rendering engine -- the part of the browser that reads and interprets HTML, CSS, and JavaScript -- from the browser frame. They do this for stability reasons (if the rendering process crashes, it doesn't kill the entire browser) and security reasons (the rendering process can be run in a low-privilege sandbox, so exploitable flaws in the rendering engine are harder to take advantage of). Moreover, these browsers can all create multiple rendering engine processes and use different processes for different tabs. This means that the scope of a crash is narrowed even further, typically to a single tab. Internet Explorer and Chrome both implemented this long ago, in 2009. Firefox, however, has not offered a similar design. Although work on a multi-process browser was started in 2009, under the codename Electrolysis, that work was suspended between 2011 and 2013 as priorities within the organization shifted. In response, Mozilla started switching to a new extension system in 2015 that opened the door to a multi-process design. The first stage of Firefox's move to multi-process involves separating the browser shell from a single rendering process that's used by every tab. In Firefox 48, that feature was enabled for a small number of users who used no extensions. Firefox 49 was rolled out to include users running a limited selection of extensions. Now, in Firefox 50, a separate renderer process is used for most users and most extensions. Developers are now able to mark their extensions as explicitly multi-process compatible. Firefox 51 will extend this even further to cover all extensions, except those that are explicitly marked as incompatible. 
Mozilla says that, even with the limited changes made in Firefox 50, responsiveness of the browser has improved by 400 percent due to the separation between the renderer and the browser shell. During page loads, responsiveness will increase to 700 percent. -
Yahoo Email Scan Shows US Spy Push To Recast Constitutional Privacy (reuters.com)
An anonymous reader quotes a report from Reuters: Yahoo Inc's secret scanning of customer emails at the behest of a U.S. spy agency is part of a growing push by officials to loosen constitutional protections Americans have against arbitrary governmental searches, according to legal documents and people briefed on closed court hearings. The order on Yahoo from the secret Foreign Intelligence Surveillance Court (FISC) last year resulted from the government's drive to change decades of interpretation of the U.S. Constitution's Fourth Amendment right of people to be secure against "unreasonable searches and seizures," intelligence officials and others familiar with the strategy told Reuters. The unifying idea, they said, is to move the focus of U.S. courts away from what makes something a distinct search and toward what is "reasonable" overall. The basis of the argument for change is that people are making much more digital data available about themselves to businesses, and that data can contain clues that would lead to authorities disrupting attacks in the United States or on U.S. interests abroad. While it might technically count as a search if an automated program trawls through all the data, the thinking goes, there is no unreasonable harm unless a human being looks at the result of that search and orders more intrusive measures or an arrest, which even then could be reasonable. Civil liberties groups and some other legal experts said the attempt to expand the ability of law enforcement agencies and intelligence services to sift through vast amounts of online data, in some cases without a court order, was in conflict with the Fourth Amendment because many innocent messages are included in the initial sweep. But the general counsel of the Office of the Director of National Intelligence (ODNI), Robert Litt, said in an interview with Reuters on Tuesday that the legal interpretation needed to be adjusted because of technological changes. -
Barnes & Noble's Latest Tablet Is Running Spyware From Shanghai (linuxjournal.com)
Long-time Slashdot reader emil writes about how ADUPS, an Android "firmware provisioning" company specializing in both big data collection of Android usage and hostile app installation and/or firmware control, has been found pre-loaded on Barnes and Noble's new $50 tablet: ADUPS was recently responsible for data theft on BLU phones and an unsafe version of the ADUPS agent is pre-loaded on the Barnes and Noble BNTV450. ADUPS' press releases claim that Version 5.5 of their agent is safe, but the BNTV450 is running 5.2. The agent is capable of extracting contacts, listing installed apps, and installing new apps with elevated privilege. Azzedine Benameur, director of research at Kryptowire, claims that "owners can expect zero privacy or control while using it." -
Morgan Freeman To Voice Mark Zuckerberg's Jarvis (usatoday.com)
Facebook CEO Mark Zuckerberg recently demoed his homemade artificial intelligence assistant Jarvis for Fast Company, and while their report didn't mention anything specific about the assistant's synthesized voice at the time, we have now learned that Morgan Freeman will be the voice behind Jarvis. Robert Downey Jr. originally volunteered to be the new voice of Jarvis under certain conditions, but Zuckerberg decided to let the public weigh in on Facebook. With more than 50,000 comments, Morgan Freeman emerged victorious. USA Today reports: Zuckerberg told Fast Company he called Freeman and said: "Hey, I posted this thing, and...thousands of people want you to be the voice. Will you do it?" Freeman told Zuckerberg: "Yeah, sure." Of course, Freeman has other starring voice roles in the tech world. He's one of the celebrity voices on Google's navigation app Waze. Facebook has not disclosed whether Freeman is getting paid, according to Fast Company. -
At Apple, Mac Is Getting Far Less Attention - How It Handled the New MacBook Pro Is a Living Proof (bloomberg.com)
Apple CEO Tim Cook may have assured employees that the company is committed to Mac computers, but people working in the Mac team say the company now pays far less attention to the computer lineup, according to Bloomberg's Mark Gurman, who has been right just about every time with Apple scoops. From his report: Interviews with people familiar with Apple's inner workings reveal that the Mac is getting far less attention than it once did. They say the Mac team has lost clout with the famed industrial design group led by Jony Ive and the company's software team. They also describe a lack of clear direction from senior management, departures of key people working on Mac hardware and technical challenges that have delayed the roll-out of new computers. While the Mac generates about 10 percent of Apple sales, the company can't afford to alienate professional designers and other business customers. After all, they helped fuel Apple's revival in the late 1990s. In a stinging critique, Peter Kirn, founder of a website for music and video creators, wrote: "This is a company with no real vision for what its most creative users actually do with their most advanced machines." If more Mac users switch, the Apple ecosystem will become less sticky -- opening the door to people abandoning higher-value products like the iPhone and iPad. The report also sheds light on battery issues in the new MacBook Pro lineup that many have complained about. From the report: In the run-up to the MacBook Pro's planned debut this year, the new battery failed a key test, according to a person familiar with the situation. Rather than delay the launch and risk missing the crucial holiday shopping season, Apple decided to revert to an older design. The change required roping in engineers from other teams to finish the job, meaning work on other Macs languished, the person said. 
The new laptop didn't represent a game-changing leap in battery performance, and a software bug misrepresented hours of power remaining. Apple has since removed the meter from the top right-hand corner of the screen. -
Uber Lost $800 Million In Third Quarter (cnbc.com)
According to a report from The Information (Warning: paywalled), Uber has lost more than $800 million in the third quarter. CNBC reports: The results, The Information reported, put Uber on pace to record a 25 percent steeper operating loss than last year, of at least $2.8 billion in 2016, before interest, tax, depreciation and amortization. Despite steep results from one of the world's most valuable start-ups, these results would have been worse if not for a one-time windfall thanks to the sale of Uber's China business to Didi Chuxing, The Information reported. On the bright side, Uber's revenue is skyrocketing, and its rate of losses slowed from the prior quarter, The Information said. Still, the report comes as Uber's multi-billion dollar valuation has come under scrutiny from those who say its business model depends on subsidies and faces looming battles over regulation. -
Mark Zuckerberg Demos Jarvis, His Own Home AI Assistant (fastcompany.com)
harrymcc writes: As Mark Zuckerberg's personal challenge for 2016, he built Jarvis -- a service similar to Alexa or Google Assistant, but built to do exactly the things he wants to do in his home, and controllable by both voice and Messenger bot. Now that it's mostly complete, he demoed it for Fast Company's Daniel Terdiman. Terdiman writes: "In his January post announcing the Jarvis project, Zuckerberg wrote that he'd set out to build a system allowing him to control everything in the house, including music, lights, and temperature, with his voice. He also wanted Jarvis to let his friends in the house just by looking at their faces when they arrive and to alert him to anything important going on in Max's room. And he hoped to design the system to 'visualize data in VR to help me build better services and lead my organizations [at Facebook] more efficiently.' Now, in December, he has achieved all of that, save for the bit about VR. And it works. However, when he showed off the system to me in person, I learned that it sometimes needs a little coddling. Zuckerberg began by demoing the Messenger bot he'd built as a front end for the system. Using his iPhone, he typed simple commands to turn the lights off and on, and sure enough, they went off and then on. On the other hand, he also built the system to respond to voice commands, via a custom iOS app he'd created, and there, the results were decidedly more inconsistent. He had to tell the system four times to turn the lights off before it got dark." -
Bad Reviews For Super Mario Run Are Sending Nintendo's Stock Tumbling (fortune.com)
People aren't loving Nintendo's newly released Super Mario Run. Nintendo's stock plunged 7.1% Monday, bringing its total drop since the game's release last week to more than 11%, Bloomberg reports. The game's mediocre reviews had a similar impact on DeNA, the Nintendo partner that helped with the game's development: Since the game's introduction, its stock has fallen 14%. From a report: Reviews in Apple's App Store (so far, the game is only available on iPhone) show an average rating of two and a half stars out of five. Overall, there have been nearly 50,000 reviews. Its reviews make it among the lowest rated apps among those at the top of the download rankings, according to Bloomberg. -
Is Microsoft 'Reaping the Rewards' From Open-Sourcing Its .NET Core? (infoworld.com)
An anonymous reader quotes InfoWorld: Two years ago Microsoft did the unthinkable: It declared it would open-source its .NET server-side cloud stack with the introduction of .NET Core... Thus far, the move has paid off. Microsoft has positioned .NET Core as a means for taking .NET beyond Windows. The cross-platform version extends .NET's reach to MacOS and Linux...
Developers are buying in, says Scott Hunter, Microsoft partner director program manager for .NET. "Forty percent of our .NET Core customers are brand-new developers to the platform, which is what we want with .NET Core," Hunter says. "We want to bring new people in." Thanks in considerable part to .NET Core, .NET has seen a 61% uptick in the number of developers engaged with the platform in the past year.
The article includes an interesting quote from Microsoft-watching analyst Rob Sanfilippo. "It could be argued that the technology generates indirect revenue by incenting the use of Azure services or Microsoft developer tools." -
Ask Slashdot: How Should I Furnish (And Secure) My Work-From-Home Office?
"If someone gave you a big chunk of change to build a small one- or two-room office, what would you do?" asks long-time Slashdot reader darkpixel2k, as he plans to build a small office out in his backyard. My plan is to trench CAT6 from our ISP fiber DMARC over to the ~12x20 building, wire the structure up for network and power, and furnish it with a small rack, UPS, switch, router, a desk, whiteboard walls, a wireless access point, and an air conditioner for the summer heat... While I have the "big picture" idea in my head, I don't really have a grasp of the fine details that would make it a comfortable work environment... Should I put down carpet and one of those plastic mats for chairs? A friend suggested I wire up speakers so I don't have to listen to my terrible laptop speakers, and a large flat-screen TV so I can display dashboards and statistics.
Lastly, physical security is somewhat of an issue. While everything is insured, downtime of a few days or weeks due to meth heads would be a huge impact to the company and also on my paycheck. I was talking with the local company that builds small office-like structures, sheds, and barns, and they said they can "double up" the 2x4s to strengthen the walls and make a stronger door, but I need to supply my own lock. Should I use some off-the-shelf lock from a big-box hardware store? Should I install a digital lock?
There's more details in the original submission -- but it's also a lot of fun to speculate about what you'd do with a big chunk of change to build your own work-from-home office. So leave your best answers for darkpixel2k in the comments. How should he furnish (and secure) his work-from-home office? -
3D Freeciv-Web (Beta) Released (freeciv.org)
It's the open source web version of the classic Linux strategy game, and now Slashdot reader Andreas(R) -- one of its developers -- has an announcement. Now the developers are working on bringing the game to the modern era with 3D WebGL graphics [and] a beta of the 3D WebGL version of Freeciv has been released today. The game will work on any device with a browser with HTML5 and WebGL support, and three gigabytes of RAM... It's a volunteer community development project and anyone is welcome to contribute to the project. Have fun and remember to sleep!
The developers of Freeciv-web are now also working on a VR version using Google Cardboard, according to the site, while the original Freeciv itself has still been maintained for over 20 years -- and apparently even has its own dedicated port number. -
LinkedIn Warns 9.5 Million Lynda Users About Database Breach (neowin.net)
Less than four weeks after Microsoft formally acquired LinkedIn for $26 billion, there's been a database breach. An anonymous reader writes: LinkedIn is sending emails to 9.5 million users of Lynda.com, its online learning subsidiary, warning the users of a database breach by "an unauthorized third party". The affected database included contact information for at least some of the users. An email to customers says "while we have no evidence that your specific account was accessed or that any data has been made publicly available, we wanted to notify you as a precautionary measure." Ironically, the breach comes less than a month after Russia blocked access to LinkedIn over privacy concerns.
LinkedIn has also reset the passwords for 55,000 Lynda.com accounts (though apparently many of its users don't have accounts with passwords). -
Oracle Begins Aggressively Pursuing Java Licensing Fees (theregister.co.uk)
Java SE is free, but Java SE Suite and various flavors of Java SE Advanced are not, and now Oracle "is massively ramping up audits of Java customers it claims are in breach of its licenses," reports the Register. Oracle bought Java with Sun Microsystems in 2010 but only now is its License Management Services division chasing down people for payment, we are told by people familiar with the matter. The database giant is understood to have hired 20 individuals globally this year, whose sole job is the pursuit of businesses in breach of their Java licenses... Huge sums of money are at stake, with customers on the hook for multiple tens and hundreds of thousands of dollars.
Slashdot reader rsilvergun writes, "Oracle had previously sued Google for the use of Java in Android but had lost that case. While that case is being appealed, it remains to be seen if the latest push to monetize Java is a response to that loss or part of a broader strategy on Oracle's part." The Register interviewed the head of an independent license management service who says Oracle's even targeting its own partners now.
But after acquiring Sun in 2010, why did Oracle's License Management Services wait a full six years? "It is believed to have taken that long for LMS to devise audit methodologies and to build a detailed knowledge of customers' Java estates on which to proceed." -
Does Code Reuse Endanger Secure Software Development? (threatpost.com)
msm1267 quotes ThreatPost: The amount of insecure software tied to reused third-party libraries and lingering in applications long after patches have been deployed is staggering. It's a habitual problem perpetuated by developers failing to vet third-party code for vulnerabilities, and some repositories taking a hands-off approach with the code they host. This scenario allows attackers to target one overlooked component flaw used in millions of applications instead of focusing on a single application security vulnerability.
The real-world consequences have been demonstrated in the past few years with the Heartbleed vulnerability in OpenSSL, Shellshock in GNU Bash, and a deserialization vulnerability exploited in a recent high-profile attack against the San Francisco Municipal Transportation Agency. These are three instances where developers reuse libraries and frameworks that contain unpatched flaws in production applications... According to security experts, the problem is two-fold. On one hand, developers use reliable code that at a later date is found to have a vulnerability. Second, insecure code is used by a developer who doesn't exercise due diligence on the software libraries used in their project.
That seems like a one-sided take, so I'm curious what Slashdot readers think. Does code reuse endanger secure software development? -
Massive Mirai Botnet Hides Its Control Servers On Tor (bleepingcomputer.com)
"Following a failed takedown attempt, changes made to the Mirai malware variant responsible for building one of today's biggest botnets of IoT devices will make it incredibly harder for authorities and security firms to shut it down," reports Bleeping Computer. An anonymous reader writes: Level3 and others have been very close to taking down one of the biggest Mirai botnets around, the same one that attempted to knock the Internet offline in Liberia, and also hijacked 900,000 routers from German ISP Deutsche Telekom. The botnet narrowly escaped due to the fact that its maintainer, a hacker known as BestBuy, had implemented a domain-generation algorithm to generate random domain names where he hosted his servers.
Currently, to avoid further takedown attempts from similar security firms, BestBuy has started moving the botnet's command and control servers to Tor. "It's all good now. We don't need to pay thousands to ISPs and hosting. All we need is one strong server," the hacker said. "Try to shut down .onion 'domains' over Tor," he boasted, knowing that nobody can.