Domain: slashdot.org
Interviews: Linus Torvalds Answers Your Question
Last Thursday you had a chance to ask Linus Torvalds about programming, hardware, and all things Linux. You can read his answers to those questions below. If you'd like to see what he had to say the last time we sat down with him, you can do so here.
Productivity
by DoofusOfDeath
You've somehow managed to originate two insanely useful pieces of software: Linux, and Git. Do you think there's anything in your work habits, your approach to choosing projects, etc., that have helped you achieve that level of productivity? Or is it just the traditional combination of talent, effort, and luck?
Linus: I'm sure it's pretty much always that "talent, effort and luck". I'll leave it to others to debate how much of each...
I'd love to point out some magical work habit that makes it all happen, but I doubt there really is any. Especially as the work habits I had wrt the kernel and Git have been so different.
With Git, I think it was a lot about coming at a problem with fresh eyes (not having ever really bought into the traditional SCM mindset), and really trying to think about the issues, and spending a fair amount of time thinking about what the real problems were and what I wanted the design to be. And then the initial self-hosting code took about a day to write (ok, that was "self-hosting" in only the weakest sense, but still).
And with Linux, obviously, things were very different - the big designs came from the outside, and it took half a year to host itself, and it hadn't even started out as a kernel to begin with. Clearly not a lot of thinking ahead and planning involved ;). So very different circumstances indeed.
What both the kernel and Git have, and what I think is really important (and I guess that counts as a "work habit"), is a maintainer that stuck to it, and was responsive, responsible and sane. Too many projects falter because they don't have people that stick with them, or have people who have an agenda that doesn't match reality or the user expectations.
But it's very important to point out that for Git, that maintainer was not me. Junio Hamano really should get pretty much all the credit for Git. Credit where credit is due. I'll take credit for the initial implementation and design of Git - it may not be perfect, but ten years on it still is very solid and very clearly the same basic design. But I'll take even _more_ credit for recognizing that Junio had his head screwed on right, and was the person to drive the project. And all the rest of the credit goes to him.
Of course, that kind of segues into something else the kernel and Git do have in common: while I still maintain the kernel, I did end up finding a lot of smart people to maintain all the different parts of it. So while one important work habit is that "stick to it" persistence that you need to really take a project from a not-quite-usable prototype to something bigger and better, another important work-habit is probably to also "let go" and not try to own and control the project too much. Let other people really help you - guide the process but don't get in their way.
init system
by lorinc
There wasn't a decent unix-like kernel, you wrote one which ultimately became the most used. There wasn't a decent version control software, you wrote one which ultimately became the most loved. Do you think we already have a decent init system, or do you have a plan to write one that will ultimately settle the world on that hot topic?
Linus: You can say the word "systemd". It's not a four-letter word. Seven letters. Count them.
I have to say, I don't really get the hatred of systemd. I think it improves a lot on the state of init, and no, I don't see myself getting into that whole area.
Yeah, it may have a few odd corners here and there, and I'm sure you'll find things to despise. That happens in every project. I'm not a huge fan of the binary logging, for example. But that's just an example. I much prefer systemd's infrastructure for starting services over traditional init, and I think that's a much bigger design decision.
Yeah, I've had some personality issues with some of the maintainers, but that's about how you handle bug reports and accept blame (or not) for when things go wrong. If people thought that meant that I dislike systemd, I will have to disappoint you guys.
Can Valve change the Linux gaming market?
by Anonymous Coward
Do you think Valve is capable of making Linux a primary choice for gamers?
Linus: "Primary"? Probably not where it's even aiming. I think consoles (and all those handheld and various mobile platforms that "real gamers" seem to dismiss as toys) are likely much more primary, and will stay so.
I think Valve wants to make sure they can control their own future, and Linux and ValveOS is probably partly to explore a more "console-like" Valve experience (ie the whole "get a box set up for a single main purpose", as opposed to a more PC-like experience), and partly as a "second source" against Microsoft, who is a competitor in the console area. Keeping your infrastructure suppliers honest by making sure you have alternatives sounds like a good strategy, and particularly so when those suppliers may be competing with you directly elsewhere.
So I don't think the aim is really "primary". "Solid alternative" is I think the aim. Of course, let's see where it goes after that.
But I really have not been involved. People like Greg and the actual graphics driver guys have been in much more direct contact with Valve. I think it's great to see gaming on Linux, but at the same time, I'm personally not really much of a gamer.
The future of RT-Linux?
by nurhussein
According to Thomas Gleixner, the future of the realtime patchset to Linux is in doubt, as it is difficult to secure funding from interested parties on this functionality even though it is both useful and important: What are your thoughts on this, and what do you think we need to do to get more support behind the RT patchset, especially considering Linux's increasing use in embedded systems where realtime functionality is undoubtedly useful.
Linus: So I think this is one of those things where the markets decide how important rtLinux ends up being, and I suspect there are more than enough companies who end up wanting and using rtLinux that the project isn't really going anywhere. The complaints by Thomas were - I think - a wake-up call to the companies who end up wanting the extended hard realtime patches.
So I suspect there are companies and groups like OSADL that end up funding and helping with rtLinux, and that it isn't going away.
Rigor and developments
by hcs_$reboot
The most complex program running on a machine is arguably its OS, especially the kernel. Linux (kernel) reached the top level in terms of performance, reliability and versatility. You have been criticized quite a few times for some virulent mails addressed to developers. Do you think Linux would be where it is without managing the project with an iron fist? To go further, do you think some other main OSS project would benefit from a more rigorous management approach?
Linus: One of the nice things about open source is how it allows people to really concentrate on what they are good at, and it has been a huge advantage for Linux that we've had people who are interested in the marketing side and selling Linux, as well as the legal side etc.
And that is all in addition, of course, to the original "we're motivated by the technology" people like me. And even within that "we're motivated by technology" group, you most certainly don't need to find _everything_ interesting, you can find the area you are passionate about and really care about and want to work on.
That's _fundamentally_ how open source works.
Now, if somebody is passionate about some "good management" thing, go wild, and try to get involved, and try to manage things. It's not what _I_ am interested in, but hey, the proof is in the pudding - anybody who thinks they have a new rigorous management approach that they think will help some part of the process, go wild.
Now, I personally suspect that it wouldn't work - not only are tech people an ornery lot to begin with (that whole "herding cats" thing), just look at all the crazy arguments on the internet. And ask yourself what actually holds an open source project like the kernel together? I think you need to be very oriented towards the purely technical solutions, simply because then you have tangible and real issues you can discuss (and argue about) with fairly clear-cut hard answers. It's the only thing people can really agree on in the big picture.
So the Linux approach to "management" has been to put technology first. That's rigorous enough for me. But as mentioned, it's a free-for-all. Anybody can come in and try to do better. Really.
And btw, it's worth noting that there are obviously specific smaller development teams where other management models work fine. Most of the individual developers are parts of teams inside particular companies, and within the confines of that company, there may well be a very strict rigorous management model. Similarly, within the confines of a particular productization effort there may be particular goals and models for that particular team that transcend that general "technical issues" thing.
Just to give a concrete example, the "development kernel" tree that I maintain works fundamentally differently and with very different rules from the "stable tree" that Greg does, which in turn is maintained very differently from what a distribution team within a Linux company does inside its maintenance kernel team.
So there's certainly room for different approaches to managing those very different groups. But do I think you can "rigorously manage" people on the internet? No.
Functional languages?
by EmeraldBot
While historically you've been a C and Assembly guy (and the odd shell scripting and such), what do you think of functional languages such as Lisp, Clojure, Haskell, etc? Do you see any advantages to them, or do you view them as frivolous and impractical? If you decide to do so, thanks for taking the time to answer my question! You're a legend at what you do, and I think it's awesome that the significantly less interesting me can ask you a question like this.
Linus: I may be a fan of C (with a certain fondness for assembly, just because it's so close to the machine), but that's very much about a certain context. I work at a level where those languages make sense. I certainly don't think that tools like Haskell etc are "frivolous and impractical" in general, although on a kernel level (or in a source control management system) I suspect they kind of are.
Many moons ago I worked on sparse (the C parser and analyzer), and one of my coworkers was a Haskell fan, and did incredible example transformations in very simple (well, to him) code - stuff that is just nasty to write in C because it's pretty high-level, there's tons of memory management, and you're really talking about implementing fairly abstract and high-level rules with pattern matching etc.
So I'm definitely not a functional language kind of guy - it's not how I learnt programming, and it really isn't very relevant to what I do, and I wouldn't recognize Haskell code if it bit me in the ass and called me names. But no, I wouldn't call them frivolous.
Critical software to the use of Linux
by TWX
Mr. Torvalds, For many uses of Linux such as on the desktop, other software beyond the kernel and the base GNU tools are required. What other projects would you like to see given priority, and what would you like to see implemented or improved? Admittedly I thought most about X-Windows when asking this question; but I don't doubt that other daemons or systems can be just as important to the user experience. Thank you for your efforts all these years.
Linus: Hey, I don't really have any particular project I would want to champion, largely because we all have so different requirements on the desktop. There's just no single thing that stands out as being hugely more important than others to me.
What I do wish particularly desktop developers cared about is "consistency of experience". And by that I don't mean some kind of enforced visual consistency between different applications to make things "look coherent". No, I'm just talking about the pain and uncertainty users go through with upgrades, and understanding that while your project may be the most important project to *you* (because it's what you do), to your users, your project is likely just a fairly small and irrelevant part of their experience, and it's not very central at all, and they've learnt the quirks about that thing they don't even care about, and you really shouldn't break their expectations. Because it turns out that that is how you really make people hate their desktop.
This is not at all Linux-specific, of course - just look at the less than enthusiastic reception that other operating system redesigns have received. But I really wish that we hadn't had *both* of the major Linux desktop environments have to learn this (well, I hope they learnt) the hard way, and both of them ending up blaming their users rather than themselves.
"anykernel"-style portable drivers?
by staalmannen
What do you think about the "anykernel" concept (invented by another Finn btw) used in NetBSD? Basically, they have modularized the code so that a driver can be built either in a monolithic kernel or for user space without source code changes ( rumpkernel.org ). The drivers are highly portable and used in Genode os (L4 type kernels), minix etc... Would this be possible or desirable for Linux? Apparently there is one attempt called "libos"...
Linus: So I have bad experiences with "portable" drivers. Writing drivers to some common environment tends to force some ridiculously nasty impedance matching abstractions that just get in the way and make things really hard to read and modify. It gets particularly nasty when everybody ends up having complicated - and differently so - driver subsystems to handle a lot of commonalities for a certain class of drivers (say a network driver, or a USB driver), and the different operating systems really have very different approaches and locking rules etc.
I haven't seen anykernel drivers, but from past experience my reaction to "portable device drivers" is to run away, screaming like a little girl. As they say in Swedish "Bränt barn luktar illa".
Processor Architecture
by swv3752
Several years ago, you were employed by Transmeta designing the Crusoe processor. I understand you are quite knowledgeable about CPU architecture. What are your thoughts on the current Intel and AMD x86 CPUs, particularly in comparison with ARM and IBM's Power8 CPUs? Where do you see the advantages of each one?
Linus: I'm no CPU architect, I just play one on TV.
But yes, I've been close to the CPU both as part of my kernel work, and as part of a processor company, and working at that level for a long time just means that you end up having fairly strong opinions. One of the things that my experiences at Transmeta convinced me of, for example, was that there's definitely very much a limit to what software should care about. I loved working at Transmeta, I loved the whole startup company environment, I loved working with really smart people, but in the end I ended up absolutely *not* loving to work with overly simple hardware (I also didn't love the whole IPO process, and what that did to the company culture, but that's a different thing).
Because there's only so much that software can do to compensate.
Something similar happened with my kernel work on the alpha architecture, which also started out as being an overly simplified implementation in the name of being small and supposedly running really fast. While I really started out liking the alpha architecture for being so clean, I ended up detesting how fragile the architecture implementations were (and by the time that got fixed in the 21264, I had given up on alpha).
So I've come to absolutely detest CPU's that need a lot of compiler smarts or special tuning to go fast. Life is too short to waste on in-order CPU's, or on hardware designers who think software should take care of the pieces that they find to be too complicated to handle themselves, and as a result just left undone. "Weak memory ordering" is just another example.
Thankfully, most of the industry these days seems to agree. Yes, there are still in-order cores, but nobody tries to make excuses for them any more: they are for the truly cheap and low-end market.
I tend to really like the modern Intel cores in particular, which tend to take that "let's not be stupid" really to heart. With the kernel being so threaded, I end up caring a lot about things like memory ordering etc, and the Intel big-core CPU's tend to be in a class of their own there. As a software person who cares about performance and looks at instruction profiles etc, it's just so *nice* to see that the CPU doesn't have some crazy glass jaw where you have to be very careful.
GPU kernels
by maraist
Is there any inspiration that a GPU based kernel / scheduler has for you? How might Linux be improved to better take advantage of GPU-type batch execution models, given that you worked at Transmeta on JIT compiled host-targeted runtimes? GPUs' 1,000-thread schedulers seem like the next great paradigm for the exact type of machines that Linux does best on.
Linus: I don't think we'll see the kernel ever treat GPU threads the way we treat CPU threads. Not with the current model of GPU's (and that model doesn't really seem to be changing all that much any more).
Yes, GPU's are getting much better, and now generally have virtual memory and the ability to preempt execution, and you could run an OS on them. But the scheduling latencies are pretty high, and the threads are not really "independent" (ie they tend to share a lot of state - like the virtual address space and a large shared register set), so GPU "threads" don't tend to work like CPU threads. You'd schedule them all-or-nothing, so if you were to switch processes, you'd treat the GPU as one entity where you switch all the threads at once.
So it really wouldn't look like a thousand threads to the kernel. The GPU would still be scheduled as one single entity (or maybe a couple of entities depending on how the GPU is partitioned). The fact that that single entity works by doing a lot of things in massive parallelism is kind of immaterial for the kernel that doesn't end up seeing that parallelism as separate threads.
alleged danger of Artificial Intelligence
by peter303
Some computer experts like Marvin Minsky, Larry Page, Ray Kurzweil think A.I. will be a great gift to Mankind. Others like Bill Joy and Elon Musk are fearful of potential danger. Where do you stand, Linus?
Linus: I just don't see the thing to be fearful of.
We'll get AI, and it will almost certainly be through something very much like recurrent neural networks. And the thing is, since that kind of AI will need training, it won't be "reliable" in the traditional computer sense. It's not the old rule-based prolog days, when people thought they'd *understand* what the actual decisions were in an AI.
And that all makes it very interesting, of course, but it also makes it hard to productize. Which will very much limit where you'll actually find those neural networks, and what kinds of network sizes and inputs and outputs they'll have.
So I'd expect just more of (and much fancier) rather targeted AI, rather than anything human-like at all. Language recognition, pattern recognition, things like that. I just don't see the situation where you suddenly have some existential crisis because your dishwasher is starting to discuss Sartre with you.
The whole "Singularity" kind of event? Yeah, it's science fiction, and not very good SciFi at that, in my opinion. Unending exponential growth? What drugs are those people on? I mean, really..
It's like Moore's law - yeah, it's very impressive when something can (almost) be plotted on an exponential curve for a long time. Very impressive indeed when it's over many decades. But it's _still_ just the beginning of the "S curve". Anybody who thinks any different is just deluding themselves. There are no unending exponentials.
Is the kernel basically a finished project?
by NaCh0
Aside from adding drivers and refactoring algorithms when performance limits are discovered, is there anything left for the kernel? Maybe it's a failure of tech journalism but we never hear about the next big thing in kernel land anymore.
Linus: I don't think there's much of a "next big thing" in the kernel.
I wouldn't say that there is nothing but drivers (and architectures are kind of "CPU drivers") and improving scalability left, because I'm constantly amazed by how many new things people figure out are still good ideas. But they tend to still be pretty incremental improvements. An OS kernel doesn't look *that* radically different from what it was 40 years ago, and that's fine. I think radical new ideas are often overrated, and the thing that really matters in the end is that plodding detail work. That's how technology evolves.
And judging by how our kernel releases are going, there's no end in sight for that "plodding detail work". And it's still as interesting as it ever was.
Surveillance Court: NSA Can Resume Bulk Surveillance
An anonymous reader writes: We all celebrated back in May when a federal court ruled the NSA's phone surveillance illegal, and again at the beginning of June, when the Patriot Act expired, ending authorization for that surveillance. Unfortunately, the NY Times now reports on a ruling from the Foreign Intelligence Surveillance Court, which concluded that the NSA may temporarily resume bulk collection of metadata about U.S. citizens' phone calls. From the article: "In a 26-page opinion (PDF) made public on Tuesday, Judge Michael W. Mosman of the surveillance court rejected the challenge by FreedomWorks, which was represented by a former Virginia attorney general, Ken Cuccinelli, a Republican. And Judge Mosman said that the Second Circuit was wrong, too. 'Second Circuit rulings are not binding' on the surveillance court, he wrote, 'and this court respectfully disagrees with that court's analysis, especially in view of the intervening enactment of the U.S.A. Freedom Act.' When the Second Circuit issued its ruling that the program was illegal, it did not issue any injunction ordering the program halted, saying that it would be prudent to see what Congress did as Section 215 neared its June 1 expiration."
What If You Could See Asteroids In the Night Sky?
An anonymous reader writes: As part of Asteroid Day a 360-degree video rendering the night sky with the population of near-earth asteroids included has been created by 'Astronogamer' Scott Manley. The video shows how the Earth flies through a cloud of asteroids on its journey around the sun, and yet we've only discovered about 1% of the near earth asteroid population.
Interviews: Brian Krebs Answers Your Questions
A few weeks ago you had a chance to ask Brian Krebs about security, cybercrime and what it's like to be the victim of Swatting. Below you will find his answers to your questions.
Cowards as affiliates
by japa
You appear dedicated to continuing reporting on cybercrime, even though it may result in harm to you (swatting etc). How often have you come into a situation where someone you work with states they don't want to work with you any longer, as association with you may result in them being targeted by criminals or some such?
Krebs: I don't think I've had anyone unfriend me or stop talking to me because of what you describe, but it happens fairly often that I hear from strangers who have some information to impart but who are nervous about anyone finding out it was them who shared it.
Mostly, this comes from researchers who say they want to share some findings about something -- a specific cybercrime actor, site or service -- but in no way do they wish to be named, cited, credited or in any way referenced. It's impossible to know how many people decide it's not worth reaching out because of such concerns, but I hope it's not many.
Long term solutions?
by mlts
Right now, security is a purely defensive battle, at best we have the enemy at a stalemate, where their attacks are foiled. There is no way to "win", since the attacker usually is located in a country with little to no cyber-crime laws, or even in a hostile country that rewards it. At best, we tread water.
Would a long term solution be creating private networks like SIPRNet or NIPRNet, so that the barrier for entry is raised, so an attacker has to get onto that private network, and this might be something where physical access is needed. Not 100% secure, but it raises the bar so that attackers have to have "boots on the ground".
If not, what would be workable, other than just air-gapping as much as possible? Would it be wise for each nation to mimic China and have their own Great Firewall, so attacks have the ability to be stopped well away from their intended targets?
Krebs: I think I understand the premise of your question, and the desire to wall everything off and/or start over. And do I detect what may be a passing reference to the money quote from Joshua in the excellent 1983 film War Games: "Strange game. The only winning move is not to play."
But, I'd have to respectfully agree with several of the commenters here in saying that I think creating a whole bunch more secret or separate networks is very much not the answer here. As someone already stated, this is actually the reality that we have today with corporate intranets, which everyone seems to have and these don't seem to do much to stop the data (s)pillage or malicious hackers getting in and having their way with the target and all of its information.
What would be wise is if the United States made it a national goal to become the world leader in developing software that is far more secure and robust than anywhere else. Unfortunately, this will probably never happen unless the market demands it, and the market generally responds to what consumers want, which is usually convenience (ease-of-use) over security.
Anyways...how about a nice game of chess?
Public Disclosure
by Anonymous Coward
Brian, Are you generally in the Responsible Disclosure camp or the Full Disclosure camp? And why? (I recognize that you may handle this on a case by case basis. In that event, what determines your approach?)
Krebs: Yeah, this definitely depends. I find it endlessly fascinating and frustrating at the same time to watch how differently organizations respond to reports about security vulnerabilities in their products, services and their own infrastructure. How they respond speaks volumes about their security maturity. Companies and organizations that lack a mature process for handling and responding to threats and vulnerabilities tend to react negatively -- lashing out at the individual reporting the weakness, ignoring the reporter, or even taking legal steps against the researcher.
Companies that have a mature process for handling this kind of thing can comparatively be a joy to work with, and are quite often grateful for anyone who privately reports their findings. The best manifestation of this is the bug bounty program, versions of which many companies are now beginning to embrace to varying degrees.
It seems like the phrases "responsible disclosure" and "full disclosure" are sort of loaded terms at this point in the debate. It's the journalistic equivalent of framing the abortion debate in camps of "anti-abortion" and "pro-rights". Disclosure is a two-way street, and it starts with organizations taking responsibility for security holes in software and hardware that they create, sell and/or give away. When companies fail to do this in a timely manner, I think it's perfectly reasonable for researchers to disclose what they've found -- hopefully exercising a modicum of restraint in the process. The disclosure debate usually kicks into high gear when a company responsible for a serious bug in widely-used software behaves like a child when presented with research into a vulnerability in its products.
I've been fortunate enough to be a fly on the wall, if you will, in several of these vulnerability reports, watching in disbelief as the vendor hems and haws and generally stalls for time, protesting that the bug is not remotely exploitable or isn't that big of a deal for such-and-such reasons, etc. That's frustrating and again speaks to the maturity level of the organization. In my experience, most security researchers are quite content to be agreeable on disclosure timelines if they feel like the vendor is taking seriously the time and effort the researcher has spent on his findings.
Granted, there's a great deal of room for debate over what constitutes a "reasonable" amount of time to wait for the vendor to respond before going public, but I do think it's important to give the vendor at least a few weeks to respond. However, in cases where the vulnerability is actively being exploited, disclosing immediately, publicly and completely is always in the public interest.
Should We Trust Kaspersky?
by Kagato
As we seem to be heading back down into the familiar territory of the cold war I often wonder if nationalism is something we should consider when thinking about security. For instance I believe that Kaspersky is a very talented company but I can't help but to feel that they would be quite willing to turn a blind eye to malware from their own government. I hear commercials for Kaspersky threat detection software all the time but I would be hard pressed to actually use any of it. It certainly seems China, Russia and parts of Europe are taking country of origin into account when evaluating American security products. Am I wearing a tin-foil hat in feeling we should think twice about trusting Kaspersky?
Krebs: I don't think you necessarily have a tin-foil hat on. I should preface my remarks by saying that I'm sure every security firm has all kinds of dirty laundry they would prefer never saw the light of day. And I personally know many of the security researchers at Kaspersky and find them to be some of the best at what they do, and very good people as well. If it means anything, I have, for many years, used Kaspersky's software to protect my own networks. It's about the best at what it does.
That said, allow me to share an observation that really struck me on my visit to Moscow in 2011. I was a guest of Kaspersky Lab and they were very gracious and hospitable. However, I went there in large part in the hopes of rounding out some information I'd compiled about several big time cybercriminals that I was tracking at the time -- probably a dozen or so guys that I knew were definitely in Moscow and would almost certainly be known to anyone even moderately interested in cybercrime (on either side). I sat down with probably 8 or 9 different researchers at Kaspersky and in my interviews with them asked each about various individuals who were quite well known in the hacker scene in Russia but also abroad. To my surprise, nobody there would talk to me about these individuals. I have no idea if this was because of a corporate policy about it or what, but I found it singularly amazing that these experts would have so little interest in the actors who were so clearly operating under their noses.
Internet of Things
by Dr J. keeps the nerd
Hi Brian, Thanks for joining us. What are the worst mistakes we are already making on connected devices, and what should we be doing to make them less desirable as targets?
Krebs: You mean, besides connecting them in the first place? Seriously, the main reason I keep a software firewall installed on one of my machines is to learn which programs or gadgets on my home network are phoning home or who-knows-where. For the most part, we've shown ourselves to be incapable of designing or at least releasing software for mass commercial use that is not Swiss Cheese from a security perspective. So why should we expect things to be any different when we talk about network-aware devices and embedded appliances? All we've done in that case is take the buggy software and stuffed it into something that is even more difficult (if not impossible) to update.
What should we be doing to make all these devices less desirable as targets? Quit connecting them to the internet! Seriously. It would be nice if more companies that shipped devices made them disconnected from the Internet by default, or at least minimally so. But in most cases the opposite is true; the thing tries to get an IP address and you have to remember to disable a raft of features in said thing.
A lot of security is determined by the default settings, because the vast majority of users/customers never alter the defaults. With stuff that falls under the "internet of things" category, we'd all be much better off if they were more like "things with internet optional."
White vs Grey Hat
by Midnight_Falcon
Hey Brian, I'm wondering what side of the fence you think you are on. Your readership and affiliations seem to be the mainstream "white-hat" security community; but many of your tactics can be described as grey-hat at best -- e.g. doxxing hackers/malware authors/spammers, using social engineering to obtain information, etc. It seems as though this is justified because it is used against targets you perceive as being immoral, unethical, and/or worthy of such intrusion. My question is: do you feel you are a white-hat hacker, or do you think your use of black-hat tactics against black hats makes you something different?
Krebs: Not sure specifically what "grey hat" and "black hat" techniques you're referring to in particular. Also, I take issue with your assertion that I somehow practice social engineering to gain information. I'll admit to once or twice using Spooftel to get someone who is dodging my calls to answer the phone, but I've never misrepresented myself or what I'm doing. In all of my reporting and investigation -- even with black hats -- I am up front about who I am and what I'm after.
Now, it is true that some of my reporting has been based on hacked cybercrime forums and hacked cybercriminals, but I can't recall an instance wherein I was the one responsible for the hacking. My first book, "Spam Nation," would not have been possible if two of the biggest cybercrime kingpins had not employed their top spammers and cybercrooks to break into each other’s networks and steal several years’ worth of banking and customer data, and then leak that data to Yours Truly and to the authorities. In my experience, the only thing cybercrooks like better than breaking into databases and stealing/selling data for financial gain is hacking each other for profit/amusement/insert reason here.
If I approach people on cybercrime forums, it is always just to learn more about the services and products they have to offer and are quite willing to talk about. Will I register on cybercrime forums under my own name? Of course not! Then again, nobody on those forums does that!
Actually, I *did* try to do that several years back, in two different cases. In one instance, when I told the admin in charge that I wanted the nickname "briankrebs," he laughed and said basically, "good one!" The other time I tried to claim that nickname, it was already taken.
I'll confess, though, that I've been guilty of a certain schadenfreude when it comes to writing about the arrest, conviction and/or other demise of people who have -- apparently apropos of nothing -- targeted me and/or my family publicly and at the same time hidden behind an assumed veil of anonymity. These kinds of cowards consistently ruin the Internet for everyone, and I won't apologize for calling them out.
On a more philosophical note, I find it fascinating that so many involved in black hat activities online are so horrible at operational security. That probably has more to do with the general lack of consequences for most actors involved in this type of activity -- particularly those in certain Eastern European countries.
defining "computer security" for your clients
by globaljustin
Mr. Krebs, thank you for the time. My question is about defining "computer security" in relation to public perceptions vs technical facts. It was reported in 2006 that the NSA was keeping massive databases of Americans' phone calls and metadata. Obviously, Snowden's revelations were much more heavily reported, and contained more info, but the public was shocked at information that was already public. When it comes to cyber security customers, how do you explain and contextualize what service you are providing given the vast differences in perception of "security"?
Krebs: I try, as much as I am able, to focus on reporting stories that you won't find anywhere else. As an independent reporter, I have the luxury of not spending a great deal of time chasing other reporters' stories. Also, I try not to practice "churnalism," which is just regurgitating stories that other reporters have written. As for a "service" I might be offering, all I can say is that my goal is to communicate, in as simple and straightforward a way as I can, news that is not getting enough attention or is not being well served by other outlets.
To your question about the differences in perception about security, I couldn't agree more. But to paraphrase Tip O'Neil, all security is local: Security as a news subject means little unless you can communicate the complex stuff in a way that mere mortals can comprehend, appreciate and do something about. If I am able to do that well and consistently, I hope that's a service of a kind. -
Uber France Leaders Arrested For Running Illegal Taxi Company
An anonymous reader writes: Two Uber executives were arrested by French authorities for running an illegal taxi company and concealing illegal documents. This is not the first time Uber has run into trouble in France. Recently, taxi drivers started a nation-wide protest, blocking access to Roissy airport and the nation's interior minister issued a ban on UberPop. A statement from an Uber spokesperson to TechCrunch reads: "Our CEO for France and General Manager for Western Europe were invited to a police hearing this afternoon; following this interview, they were taken into custody. We are always available to answer all the questions on our service, and available to the authorities to solve any problem that could come up. Talks are in progress. In the meantime, we keep working in order to make sure that both our customers and drivers are safe following last week’s turmoils." -
Interviews: Ask Steve Jackson About Designing Games
Since starting his own company in 1980, Steve Jackson, founder and editor-in-chief of Steve Jackson Games, has created a number of hits, starting with Car Wars . . . followed shortly by Illuminati, and later by GURPS, the "Generic Universal Roleplaying System." In 1983, he was elected to the Adventure Gaming Hall of Fame - the youngest person ever so honored. He has personally won 11 Origins Awards. In the early 90's, Steve got international press due to the Secret Service's invasion of his office. The EFF helped make it possible for SJ Games to bring suit against the Secret Service and the U.S. government and win more than $50,000 in damages. His Ogre kickstarter a couple of years ago brought in close to a million dollars. His current hits are Munchkin, a very silly card game about killing monsters and taking their stuff, and Zombie Dice, in which you eat brains and try not to get shotgunned. His current projects include a variety of Munchkin follow-ups, and the continuing quest to get his games translated into digital form. Steve has agreed to put down the dice and answer any questions you may have. As usual, ask as many as you'd like, but please, one per post. -
When a Company Gets Sold, Your Data May Be Sold, Too
An anonymous reader writes: A new report points out that many of the top internet sites have language in their privacy policies saying that your private data might be transferred in the event of an acquisition, bankruptcy sale, or other transaction. They effectively say, "We won't ever sell your information, unless things go bad for us." 85 of the top 100 websites in the U.S. (ranked by Alexa), had this sort of language, including Amazon, Apple, Facebook, Google, Hulu, and LinkedIn. (RadioShack did this recently.) "The potential ramifications of the fire sale provisions became clear two years ago when True.com, a dating site based in Plano, Tex., that was going through a bankruptcy proceeding, tried to sell its customer database on 43 million members to a dating site based in Canada. The profiles included consumers' names, birth dates, sexual orientation, race, religion, criminal convictions, photos, videos, contact information and more. Because the site's privacy policy had promised never to sell or share members' personal details without their permission, Texas was able to intervene to stop the sale of customer data, including intimate details on about two million Texans." But with this new language, users no longer enjoy that sort of protection. Only 17 of the top 100 sites even say they will notify customers of the data transfer. Only a handful allow users to opt out. -
Solar Impulse, Continuing World-Spanning Trip, Attempts To Cross The Pacific
The BBC reports that Solar Impulse has resumed its 'round-the-world attempt, having taken off today from Nagoya, Japan for what is intended to be a 120-hour voyage to Hawaii. "[If pilot Andre Borschberg] succeeds, it will be the longest-duration solo flight in aviation history, as well as the furthest distance flown by a craft that is powered only by the Sun. The Pacific crossing is the eighth leg of Solar Impulse's journey around the world. But this stage has proven to be the most difficult, and has been hit by weeks of delays." The circumnavigation attempt began earlier this year. -
FB Reveals Woeful Diversity Numbers
theodp writes: "There's more work to do," said Facebook's Global Director of Diversity Maxine Williams, who issued a straight-out-of-How-to-Lie-With-Statistics diversity update on Thursday that essentially consisted of a handful of bar charts labeled with only percentages for select measures of the social networking giant's current demographics. In search of real numbers, the Guardian turned to Facebook's most recent Equal Employment Opportunity report filing, which showed that the ranks of black employees swelled by a grand total of seven (7) (1 woman) in the year covered by the filing, during which time Facebook saw an overall headcount increase of 1,231. Comparing Facebook's new bar charts of US tech employees to those issued last year shows the proportion of Hispanic and Black employees remained flat at 3% and 1% respectively, while a decline in the proportion of white employees from 53% to 51% was offset by an increase in the proportion of Asian employees from 41% to 43%. -
Samsung To Stop Blocking Automatic Windows Updates
A few days ago, we mentioned that a piece of (nominally) utility software from Samsung was blocking critical security updates. Understandably, this isn't what users typically want. The Register reports that Samsung has now back-pedaled, though, and will be issuing a patch in the next few days to fix the glitch. (Users were able to manually install the updates anyhow, but the expected, automatic updates were blocked.) However, as the Register notes: The thought of a computer manufacturer disabling Windows Update will have had the Microsoft security team on edge. But there's also Windows 10 to consider. When the new operating system comes out, Windows Update will feed in fixes continuously, and if you're not a business customer those updates are going to be coming over the wires constantly. Enterprise users get Windows Update for Business, which allows them to choose when to patch, presumably after the plebs have beta-tested them. -
Drone Diverts Firefighting Planes, Incurring $10,000 Cost
An anonymous reader writes: Fire is raging through thousands of acres of forest in California. A few days ago we discussed how a man's personal drone was shooed away from a fire site. Now, the drone situation has gotten worse. The U.S. Forest Service is helping to fight the fire by sending planes full of fire retardant to drop on the surrounding area. Unfortunately, one of the missions had to be diverted because a private drone had encroached upon the planes' airspace. The mission involved three planes, all loaded with retardant. One was large enough to find another target on which to drop its payload, but the other two simply had to jettison and return to base. Officials say the failed mission wasted at least $10,000. They're now having to spend extra time keeping an eye out for these drones and trying to educate operators on the temporary restrictions in place around forest fires. -
NIST Updates Random Number Generation Guidelines
An anonymous reader writes: Encryption weighs heavily on the public consciousness these days, as we've learned that government agencies are keeping an eye on us and a lot of our security tools aren't as foolproof as we've thought. In response to this, the National Institute of Standards and Technology has issued a formal update to its document on how to properly generate a random number — crucial in many types of encryption. The update (as expected) removes a recommendation for the Dual_EC_DRBG algorithm. It also adds extra options for CTR_DRBG and points out examples for implementing SP 800-90A generators. The full document (PDF) is available online. -
After Protest, France Cracks Down On Uber
An anonymous reader writes: Just a day after taxi drivers began a high-profile protest of Uber in France, the nation's interior minister has issued a ban on the car-sharing service UberPop. The minister stated that the service was illegal, and ordered police to begin seizing vehicles defying the order. French president Francois Hollande agrees that UberPOP "should be dismantled," but says the state isn't legally permitted to seize cars itself without court authorization. "UberPOP is a car-sharing service offered by Uber, which brings together customers and private drivers at prices lower than those charged by both traditional taxi firms and even other Uber services. UberPOP differs because it allows non-professional drivers to register their car and transport other passengers. It has been illegal in France since January, but the law has proved difficult to enforce and the service continues to operate, AFP news agency reports." -
My United Airlines Website Hack Gets Snubbed
Bennett Haselton writes: United Airlines announced that they will offer up to 1 million air miles to users who can find security holes in their website. I demonstrated a way to brute-force a user's 4-digit PIN number and submitted it to them for review, emailing their Bugs Bounty contact address on three occasions, but I never heard back from them. Read on for the rest. If you've had a different experience with the program, please chime in below. United Airlines announced the program in May (also specifying rules which specifically prohibited hacking in-flight systems, but which included "[t]he ability to brute-force reservations, MileagePlus numbers, PINs or passwords".) I poked around on their website and discovered that on their "Forgot your MileagePlus number?" page, you can request a reset of your password by submitting your first and last name, AND any ONE of the following:
- your e-mail address
- your street address
- your phone number
- your PIN
- your password
- your "old MileagePlus number"
And after submitting your information, the page will tell you whether your information matched an existing MileagePlus customer record.
This means that if you know a user's first and last name, you can guess their PIN, and the MileagePlus site will tell you whether you got it right or not. If the site doesn't limit your number of guesses, you can write a script that iterates through all 10,000 possibilities for the PIN until it finds the right one.
I wrote a script that did exactly that, and brute-forced my own account's PIN in a few hours (submitting one guess at a time, and running at 2 a.m. so as not to impact any other users). This means that United's website is not limiting the number of guesses per IP address, or showing a CAPTCHA after some number of failed attempts, or limiting the number of guesses per hour on a particular account, or any other countermeasures that you might expect. (The Bugs Bounty Program rules state, "[W]e do not allow execution of brute-force attacks on other users," which I interpreted to mean that brute-forcing your own account ought to be fine.)
So, United, if you're reading this, the immediate fix should be to disable the "PIN" option on the "Forgot your MileagePlus Number?" page. Keep the option to retrieve your account number by submitting your password, since even weak passwords are far harder to guess than 4-digit PIN numbers. But get rid of the PIN option.
I mentioned other possible countermeasures, including limiting requests per IP address and showing a CAPTCHA, but I actually don't think either of these would be effective. If you limit requests per IP address, any serious adversary will have a botnet of machines that they can use to submit requests from different addresses. If you make the user type in a CAPTCHA to submit a request, an attacker can hire workers online to read and type in the CAPTCHAs for a penny apiece. If you limit the number of reset attempts per hour on a particular account, that will slow down the attacker's attempts to brute-force the PIN for a particular account. However, if the attacker has a database of 1000 customer names and wants to find PINs for all of them, on Day 1 they could try 10 PINs for customer 1, then 10 PINs for customer 2, and so on up to customer 1000, and then on Day 2 they could try the next set of 10 PINs on customer 1, customer 2, etc. The attacker can't find any particular customer's PIN quickly, but they will be able to recover all of the customers' PINs slowly -- even though they never did more than 10 PIN authentication attempts on any particular account in the same day. Without a safe countermeasure, then, simply getting rid of PIN authentication would be the best fix.
It's because of attacks like this that I would argue that 4-digit PINs should never be used by themselves for authentication, if there's any possibility of a brute-force attack. They should only ever be used (a) for authentication in conjunction with something else, like a password (for example, if you're already logged in to a financial services account, you could require an additional 4-digit PIN to transfer money to another user); or (b) in a scenario where a brute-force attack is infeasible (for example, if you call tech support and a live human operator asks you to authenticate yourself with a 4-digit PIN).
The same attack is probably possible on the MileagePlus login page, since you can log in using your 4-digit PIN as an alternative to your password. However, this is less of a glaring security hole, because to brute-force someone's PIN number on that page, you would have to at least know their MileagePlus number. The "Forgot Your MileagePlus Number?" page, on the other hand, allows you to brute-force someone's PIN number when all you know is their name.
As is often the case with stolen PINs and passwords, the most harmful effect here would probably not be the compromising of the user's MileagePlus account. The biggest problem is that most users use the same PINs and passwords for multiple accounts, and the attacker now has the 4-digit PIN that the user probably uses for their voicemail password, their ATM card, their burglar alarm, and who knows what else.
I first sent two emails about this to United's bug bounty email address reporting the issue on May 23, a few hours apart, and then followed up on June 1 asking if anyone had seen the first messages. I still have not received a response.
So why didn't United reply? Have they just been receiving too many submissions by email? About 18 months ago I wrote about a researcher who emailed a security hole to Google and never heard back from them, even after they fixed the issue (although Google apologized and paid him his reward after the article ran). I suggested that if email submissions sometimes get back-logged, it would be a more effective approach to have email submissions reviewed by a lower-paid, less-experienced team of interns than by senior security researchers. The principle is that while it takes experience to find and fix security holes, it only takes some simple logical reasoning skills to evaluate whether a particular discovery constitutes a security hole, so the work can be farmed out to interns who want to gain work experience. By having each submission reviewed by, say, 3 randomly chosen interns from your pool of evaluators, you can churn through the submissions faster and reduce the chances of a legitimate bug falling through the cracks.
I'm sure some of the submissions are crap, and it's not United's fault if they initially got behind because they got more mails than they expected. But as soon as they realized they were getting swamped, they should have put more people on it -- even if those extra people were IT interns with just enough computer experience to read a bug description and tell if it was legit.
And one of the interns could also proofread the submission guidelines. Currently, under "things we will pay 250,000 miles for", the program page lists: "Brute-force attacks." Under "things that will result in criminal prosecution," the same page lists: "Brute-force attacks." If United keeps both promises, I hope my air miles don't expire before I get out of jail.
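The detection side of the low-and-slow scenario described in the post, as an added illustration that is neither Haselton's script nor United's code: a small log analysis over constructed lookup records from a hypothetical account-recovery endpoint, showing why a per-account daily cap alone never fires while a cross-account view does. The log format, account ids, IP ranges and thresholds are all assumptions made for this example.

```python
"""Spotting distributed, low-and-slow PIN guessing against a recovery endpoint.

Assumed (hypothetical) log format, one lookup per line:
    <ISO timestamp> <src_ip> account=<id> selector=<field> result=<match|nomatch>
"""
from collections import defaultdict

PIN_SPACE = 10_000             # 4-digit PIN
PER_ACCOUNT_DAILY_LIMIT = 10   # the per-account cap the post argues is insufficient alone
MAX_PROBED_ACCOUNTS = 3        # assumed baseline: distinct accounts with failed PIN lookups per day
MAX_FAIL_RATIO = 0.5           # assumed baseline: share of all lookups that are failed PIN lookups


def make_sample_log():
    """Constructed sample: two days, six accounts, ten wrong PIN guesses each per day.
    No account ever exceeds PER_ACCOUNT_DAILY_LIMIT, mirroring the post's scenario."""
    lines = []
    for day in ("2015-05-23", "2015-05-24"):
        for acct in range(1, 7):
            for guess in range(10):
                lines.append(f"{day}T02:{guess:02d}:00 203.0.113.{acct} "
                             f"account=cust{acct} selector=pin result=nomatch")
    # Legitimate recoveries by e-mail and by password, one per day (constructed).
    lines.append("2015-05-23T09:15:00 198.51.100.7 account=cust1 selector=email result=match")
    lines.append("2015-05-24T10:05:00 198.51.100.8 account=cust3 selector=password result=match")
    return lines


def parse_line(line):
    """Split one log line into a dict with day, ip, account, selector and result."""
    ts, ip, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return {"day": ts[:10], "ip": ip, **fields}


def days_to_enumerate(per_account_limit, pin_space=PIN_SPACE):
    """Days an attacker needs to cover the whole PIN space while staying under the
    per-account daily cap (the post's 10 guesses/day -> 1000 days)."""
    return -(-pin_space // per_account_limit)


def analyze(lines):
    """Return per-account cap violations (none, in the sample) alongside the
    cross-account campaign signal that does fire."""
    failed_per_account = defaultdict(int)   # (day, account) -> failed PIN lookups
    failed_per_day = defaultdict(int)
    total_per_day = defaultdict(int)
    for rec in map(parse_line, lines):
        total_per_day[rec["day"]] += 1
        if rec["selector"] == "pin" and rec["result"] == "nomatch":
            failed_per_account[(rec["day"], rec["account"])] += 1
            failed_per_day[rec["day"]] += 1

    over_limit = sorted(k for k, n in failed_per_account.items()
                        if n > PER_ACCOUNT_DAILY_LIMIT)

    probed_accounts = defaultdict(set)
    for (day, acct) in failed_per_account:
        probed_accounts[day].add(acct)

    campaign_days = []
    for day, total in total_per_day.items():
        many_accounts = len(probed_accounts[day]) > MAX_PROBED_ACCOUNTS
        mostly_failures = failed_per_day[day] / total > MAX_FAIL_RATIO
        if many_accounts or mostly_failures:
            campaign_days.append(day)

    return {"per_account_over_limit": over_limit,
            "campaign_days": sorted(campaign_days)}


if __name__ == "__main__":
    report = analyze(make_sample_log())
    print("accounts over daily cap:", report["per_account_over_limit"])   # []
    print("days flagged by cross-account view:", report["campaign_days"])
    print("days to enumerate one PIN space under the cap:",
          days_to_enumerate(PER_ACCOUNT_DAILY_LIMIT))                      # 1000
```

The per-account counter stays silent on every day, while the count of distinct accounts receiving failed PIN lookups and the failure ratio both flag the campaign; this is the monitoring a site would want even after disabling the PIN selector, since the same pattern applies to any guessable secret.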
-
Foxconn CEO Backpedals On Planned Robot Takeover
itwbennett writes: For years now, Foxconn has been talking up plans to replace pesky humans with robot workers in its factories. Back in February, CEO Terry Gou said he expected the automation to account for 70 percent of his company's assembly line work in three years. But in the company's shareholder meeting Thursday, Gou said he had been misquoted and that "it should be that in five years, the robots will take over 30 percent of the manpower." -
OneWeb Secures "Largest Ever" Rocket Acquisition For Satellite Internet Launch
Mickeycaskill writes: Virgin, Airbus and Qualcomm-backed satellite Internet venture OneWeb has acquired 65 rockets and $500 million in funding to launch its satellites by 2019. OneWeb has partnered with Airbus to produce 900 microsatellites which will provide "affordable", fast, low-latency Internet to remote parts of the world and to ships, planes and oil rigs. It has also been suggested the network will be a cheaper way for mobile operators to expand coverage in rural areas. Other partners include Bharti Enterprises, Hughes Network Systems, Intelsat, Coca-Cola and Totalplay, all of whom have committed financial, technical or manufacturing support to the project. -
Average Duration of Hiring Process For Software Engineers: 35 Days
itwbennett writes: Despite the high demand for tech workers of pretty much all stripes, the hiring process is still rather drawn out, with the average time-to-hire for Software Engineers taking 35 days. That's one of the findings of a new study from career site Glassdoor. The study, led by Glassdoor's Chief Economist Dr. Andrew Chamberlain, analyzed over 340,000 interview reviews, covering 74,000 unique job titles, submitted to the site from February 2009 through February 2015. Glassdoor found that the average time-to-hire for all jobs has increased 80% (from 12.6 days to 22.9 days) since 2010. The biggest reason for this jump: The increased reliance on screening tests of various sorts, from background checks and skills tests to drug tests and personality tests, among others. -
Interview: Ask Linus Torvalds a Question
samzenpus writes: Linus Torvalds, the man behind the development of the Linux kernel, needs no introduction to Slashdot readers. Recently, we talked about his opinion on C++, and he talked about the future of Linux when he's gone. It's been a while since we sat down with Linus to ask him questions, so he's agreed to do it again and answer any you may have. Ask as many questions as you'd like, but please keep them to one per post. -
New Google and CMU Moonshot: the 'Teacherless Classroom'
theodp writes: At the behest of Google, Carnegie Mellon University will largely replace formal lectures in a popular introductory Data Structures and Algorithms course this fall with videos and a social networking tool to accommodate more students. The idea behind the multi-year research project sponsored by Google — CMU will receive $200,000 in the project's first year — is to find a way to leverage existing faculty to meet a growing demand for computer science courses, while also expanding the opportunities for underrepresented minorities, high school students and community college students, explained Jacobo Carrasquel, associate teaching professor of CS. "As we teach a wider diversity of students, with different backgrounds, we can no longer teach to 'the middle,'" Carrasquel said. "When you do that, you're not aiming at the 20 percent of the top students or the 20 percent at the bottom." The move to a "teacherless classroom" for CS students at CMU [tuition $48K] comes on the heels of another Google CS Capacity Award-inspired move at Stanford [tuition $45K], where Pair Programming was adopted in a popular introductory CS class to "reduce the increasingly demanding workload for section leaders due to high enrollment and also help students to develop important collaboration skills." -
The Open Container Project and What It Means
An anonymous reader writes: Monday saw the announcement of the Open Container Project in San Francisco. It is a Linux Foundation project that will hold the specification and basic run-time software for using software containers. The list of folks signing up to support the effort contains the usual suspects, and this too is a good thing: Amazon Web Services, Apcera, Cisco, CoreOS, Docker, EMC, Fujitsu Limited, Goldman Sachs, Google, HP, Huawei, IBM, Intel, Joyent, the Linux Foundation, Mesosphere, Microsoft, Pivotal, Rancher Labs, Red Hat, and VMware. In this article Stephen R. Walli takes a look at what the project means for open source. -
Learn-to-Code Program For 10,000 Low-Income Girls
theodp writes: In a press release Tuesday, the National Center for Women & Information Technology (NCWIT) announced it was teaming with Lifetime Partner Apple and the U.S. Department of Housing and Urban Development (HUD) on its Clinton Global Initiative (CGI) Commitment to engage 10,000 girls in learning computing concepts. "Currently, just 25 states and the District of Columbia allow computer science to count as a math or science graduation requirement," explained the press release. "Because boys get more informal opportunities for computing experience outside of school, this lack of formal computing education especially affects girls and many youth of color." HUD, the press release added, has joined the Commitment to Action to help extend the program's reach in partnership with public housing authorities nationwide and provide computing access to the 485,000 girls residing in public housing. "In this Information Age, opportunity is just a click on a keyboard away. HUD is proud to partner with NCWIT to provide talented girls with the skills and experiences they need to reach new heights and to achieve their dreams in the 21st century global economy," said HUD Secretary Julian Castro, who coincidentally is eyed as a potential running mate for Hillary Clinton, whose daughter Chelsea is the Clinton Foundation's point-person on computer science. Last year, Chelsea Clinton gave a keynote speech at the NCWIT Summit and appeared with now-U.S. CTO Megan Smith to help launch Google's $50 million girls-only Made With Code initiative. -
Samsung Cripples Windows Update To Prevent Incompatible Drivers
jones_supa writes: A file called Disable_Windowsupdate.exe — probably malware, right? It's actually a "helper" utility from Samsung, for which their reasoning is: "When you enable Windows updates, it will install the Default Drivers for all the hardware no laptop which may or may not work. For example if there is USB 3.0 on laptop, the ports may not work with the installation of updates. So to prevent this, SW Update tool will prevent the Windows updates." Too bad that the solution means disabling all critical security updates as well. This isn't the first time an OEM has compromised the security of its users. From earlier this year, we remember the Superfish adware from Lenovo, and system security being compromised by the LG split screen software. -
Your Next Allstate Inspector Might Be a Drone
New submitter cameronag writes: Following on the heels of EasyJet's plan to inspect planes with drones, insurance giant Allstate has received FAA clearance to test drones for insurance inspections. The company plans to use drones to inspect roofing, weather damage, and collapsed structures, among other things, and says the technology will ultimately speed up claims processing.
US Securities and Exchange Commission Hunting Insider Trading Hackers
An anonymous reader writes: The U.S. Securities and Exchange Commission is actively investigating the FIN4 financial hacking group identified by FireEye last December, according to a Reuters report. In an unprecedented extension of its usual practice, the SEC is soliciting information about security breaches from private companies, who are not obliged to reveal them unless the breach enters into categories covered by federal law. Former SEC Head of Internet Enforcement John Reed Stark describes the proactive stance of the organization as an "absolute first."
Hackers Exploit MacKeeper Flaw To Spread OS X Malware
An anonymous reader writes: Controversial OS X 'clean-up utility' MacKeeper is being exploited by cybercriminals to diffuse Mac malware OSX/Agent-ANTU, according to the BAE cyber security unit. A single line of JavaScript on a malicious web-page is enough to hand over control of the user's system via MacKeeper. Lead security researcher Sergei Shevchenko said 'attackers might simply be 'spraying' their targets with the phishing emails hoping that some of them will have MacKeeper installed, thus allowing the malware to be delivered to their computers and executed.' The malware enables remote control over commands, uploads and downloads, and the setting of execution permissions, as well as granting access to details of VPN connections, user names, and lists of processes and statuses.
New Snowden Leaks Show NSA Attacked Anti-Virus Software
New submitter Patricbranson writes: The NSA, along with its British counterpart Government Communications Headquarters (GCHQ), spent years reverse-engineering popular computer security software in order to spy on email and other electronic communications, according to the classified documents published by the online news site The Intercept. With various countries' spy agencies trying to make sure computers aren't secure (from their own intrusions, at least), it's no wonder that Kaspersky doesn't want to talk about who hacked them.
Microsoft Attempts To Clarify the Windows 10 For Everyone Rumor
Ammalgam writes: Over the weekend, Microsoft caused a web explosion by seeming to imply that they were going to relax their licensing rules and offer Windows 10 for free to everyone. This caused an uproar of controversy online that Microsoft had to address. The company issued a statement in an attempt to clarify the Windows 10 licensing situation. The language is still a little confusing so on Windows10update.com, Onuora Amobi tries to simplify the language and sort out the distinction between users on the Windows Insider Program and non-Windows Insiders.
New Freescale I.MX7 Processor Line Takes Aim At IoT
DeviceGuru writes: Freescale has unveiled a new i.MX7 embedded processor family. The family launches with two parts having one or two Cortex-A7 cores, along with Cortex-M4 microcontroller cores, and boasts much lower power consumption than the company's popular i.MX6 embedded processors, making it ideal for power constrained Internet of Things applications. The i.MX7 is Freescale's second i.MX family to use Cortex-A7 cores, and its first to move backward in performance, although significantly upward in power efficiency — a testament to how IoT is impacting the semiconductor business. Like the recently introduced i.MX6 UltraLite, the initial i.MX7 parts are limited to 2D image processing in hardware. An ARMv8 Cortex-A53 based i.MX8 line is also under development, and is expected to be announced next year with 2016 or 2017 availability.
Swedish Investigators Attempt Assange Interview; Wikileaks Makes Major Release
cold fjord writes: It seems Julian Assange rates his own section (The Assange Matter) on a Swedish government website related to the investigation. It contains some FAQs on points that seem to keep coming up in Slashdot discussions. The website isn't completely up to date at the moment since it doesn't discuss the recent attempt by Swedish investigators to interview Assange in the Ecuadorian embassy in London. Unfortunately that attempt failed since the government of Ecuador didn't give permission to the Swedish delegation to enter their embassy. That is quite odd given the years of demands for this. Concurrent with this, Wikileaks has started releasing what is reported to be more than 500,000 leaked Saudi Arabian diplomatic documents that are sure to stir up some controversies. Most are in Arabic so it may take some time for their contents to filter out.
Mayday PAC's Benjamin Singer Explains How You can Help Reform American Politics (Video)
Larry Lessig's Mayday PAC is a SuperPac that is working to eliminate the inherent corruption of having a government run almost entirely by people who manage to raise -- or have their "non-connected" SuperPACs raise -- most of the money they need to run their campaigns. The Mayday PAC isn't about right or left wing or partisan politics at all. It's about finding and supporting candidates who are in favor of something like last year's Government by the People Act. As we noted in our Mayday Pac interview with Larry Lessig last June, a whole panoply of tech luminaries, up to and including Steve Wozniak, are in favor of Mayday PAC.
This interview is being posted, appropriately, just before the 4th of July, but it's also just one day before the Mayday PAC Day of Action to Reform Congress. They're big on calling members of Congress rather than emailing, because our representatives get email by the (digital) bushel, while they get comparatively few issue-oriented phone calls from citizens. So Mayday PAC makes it easy for you to call your Congressional representatives and even, if you're too shy to talk to a legislative aide in person, to record a message Mayday PAC will leave for them after hours.
The five specific pieces of legislation Mayday PAC currently supports are listed at the RepsWith.US/reforms page. Two are sponsored by Republicans, two by Democrats, and one by an Independent. That's about as non-partisan as you can get, so no matter what kind of political beliefs you hold, you can support Mayday PAC with a clear conscience. (Note: the transcript has more information than the video, which is less than six minutes long.)
Cyberattack Grounds Planes In Poland
itwbennett writes: While the alleged hacking of in-flight systems has been much discussed recently, "there are many more areas of vulnerability to address in the aviation industry," says Tim Erlin of security firm Tripwire. "Like most industries today, aviation relies on a wide variety of interconnected systems, from air traffic control to reservations systems." Case in point: LOT Polish Airlines was forced to cancel 10 flights scheduled to depart from Warsaw's Chopin airport on Sunday after hackers attacked its ground computer systems.
Apple To Pay Musicians For Free Streams, After All
vivaoporto writes: As reported on Re/code, Apple media boss Eddy Cue appears to have capitulated and Apple Music will be paying music owners for streaming even during customers' free trial period. He says Taylor Swift's letter, coupled with complaints from indie labels and artists, did indeed prompt the change.
Cue says Apple will pay rights holders for the entire three months of the trial period. He explains that it can't be at the same rate that Apple is paying them after free users become subscribers, since Apple is paying out a percentage of revenues once subscribers start paying. Instead, he says, Apple will pay rights holders on a per-stream basis.
No word from Swift or her camp about whether Apple's move is enough to get her to put "1989," her newest album, on Apple Music. On Twitter, she says, "I am elated and relieved. Thank you for your words of support today. They listened to us."
Are Girl-Focused Engineering Toys Reinforcing Gender Stereotypes?
theodp writes: VentureBeat's Ruth Read casts a skeptical eye at the current rage of toy segregation meant to inspire tomorrow's leaders in STEM: "Toys geared at girls serve to get them interested in coding and building when they're young, hopefully inspiring their educational interests down the road. But these gendered toys may be hurting women by perpetuating a divide between men and women." Read concludes, "Ultimately, girls (who will become women) are going to have to learn and work in a world where genders are not segregated; as will men. That means they need to learn how to interact with one another as much as they need to be introduced to the same educational opportunities. If STEM education is as much for girls as it is for boys, perhaps we should be equally concerned with getting boys and girls to play together with the same toys and tools, as we are with creating learning opportunities for girls."
Dallas Police Falsely Credit TrapWire System For Arrests
In April, the Texas Department of Public Safety told a reporter for the Dallas Morning News, inspired by information leaked by Wikileaks to ask about ways that the agency might be compromising citizens' privacy and other rights, that the TrapWire behavioral analysis system employed in combination with surveillance equipment posted at various high-profile locations around the state had resulted in 44 arrests. However, after numerous public records requests for more information about those claimed arrests, the agency admitted that the true figure is somewhat lower: namely, zero. The story naturally involves "millions" of dollars (though an exact figure for the zero-arrest system isn't named), and Austin-based Stratfor, a company that's been named a few times here on Slashdot.
Mauna Kea Telescope Construction Slated To Resume
After an earlier halt to the work of constructing the "world's most advanced and powerful telescope" (and subsequent loss of support from an organization acting on behalf of native Hawaiians), the Thirty Meter Telescope is again in "on again" mode. From the Associated Press article as carried by U.S. News & World Report: The Mauna Kea site provides a clear view of the sky for 300 days a year, with little air and light pollution. The telescope project was developed as a collaboration between U.S. and Canada universities and the national institutes of Japan, China and India. Gov. David Ige in April said the Thirty Meter Telescope board is legally entitled to "use its discretion to proceed with construction." He said he respected the rights of protesters to appeal in court.
Two Years After Snowden Leaks, Encryption Tools Are Gaining Users
Patrick O'Neill writes: It's not just DuckDuckGo — since the first Snowden articles were published in June 2013, the global public has increasingly adopted privacy tools that use technology like strong encryption to protect themselves from eavesdroppers as they surf the Web and use their phones. The Tor network has doubled in size, Tails has tripled in users, PGP has double the daily adoption rate, Off The Record messaging is more popular than ever before, and SecureDrop is used in some of the world's top newsrooms.
Samsung Fixes Cellphone Keyboard Vulnerability
An anonymous reader writes: Several days ago, news broke that Samsung's keyboard software on their Galaxy series of cell phones had a glaring security issue that left 600 million devices vulnerable to attackers. The company has now fixed the flaw internally, and is making plans to roll out security updates to affected devices. They say the likelihood of an actual attack is low, because a particular set of conditions need to be met before any damage could be done.
Windows 10 Will Be Free To Users Who Test It
An anonymous reader writes: Microsoft has been making a big push to change its business model for Windows — likely due to the low/no cost updates you can get for competing operating systems. The company surprised everyone when it said legit copies of Windows 7 and 8 would be supplied with free upgrades, but now they're extending that even further: anyone who tests the Windows 10 Technical Preview will get a free upgrade to the full version of Windows 10 when it comes out. In a blog post, Microsoft's Gabe Aul said, "As long as you are running an Insider Preview build and connected with the [Microsoft account] you used to register, you will receive the Windows 10 final release build and remain activated. Once you have successfully installed this build and activated, you will also be able to clean install on that PC from final media if you want to start over fresh."
Open Source Hardware Pioneer Ladyada Interviews the New MakerBot CEO
ptorrone writes: Open source hardware pioneer and founder of Adafruit Limor "Ladyada" Fried sat down and interviewed the new CEO of MakerBot, Jonathan Jaglom. She asked some really tough questions and had some suggestions for them, too, if they're going to turn things around. Discussed: Is there a desire for MakerBot to patch things up with the open source community? Jaglom wants to assure the 3D-printing community there are not any plans for filament DRM, and it was nice to hear him say "patents are not the way to win." Lastly, Fried suggested the open-sourcing of some specific elements of the MakerBot to get back to its open-source hardware roots.