Slashdot Mirror

Zothecula writes "The decidedly low tech white cane is still one of the most commonly used tools to help the visually impaired get around without bumping into things. Now, through their project called NAVI (Navigation Aids for the Visually Impaired), students at Germany's Universität Konstanz have leveraged the 3D imaging capabilities of Microsoft's Kinect camera to detect objects that lie outside a cane's small radius and alert the wearer to the location of obstacles through audio and vibro-tactile feedback." In addition, Kinect is being used to "manipulate medical images during surgery without having to leave the operating room and scrub back in," and in more artistic ways as well.

blixtech writes "Virtually unchallenged in the portable media player market, Apple's iPod Touch is set to receive a pretty strong competitor at CES 2011. Samsung has just announced they will showcase an Android-powered PMP called the Galaxy Player, featuring almost the same hardware as the Galaxy S smartphone."

Daetrin writes "Last weekend Google received the next statue in the sweets-themed series that commemorates the major updates of the Android OS. In the past this has meant that the release of the next SDK was right around the corner. However this time there's some doubt as to what the version number will actually be. Many sites (including Slashdot) have assumed that 'Gingerbread' was synonymous with '3.0,' but now there's some evidence that everyone may have jumped the gun and the next version will actually be 2.3."

itwbennett writes "Peter Smith is blogging about an article in the San Jose Mercury News leaking news that Apple is 'almost ready to take the wraps off a new system to support subscriptions. The terms, if the leaks are accurate, sound less than ideal for publishers though. Apple will take 40% of advertising revenue, and 30% of subscription fees from participating publishers. In return, Apple will offer consumers the ability to opt-in to sharing their data with the publishers.' Apple isn't commenting on the speculation. 'In somewhat related news, Apple has released iOS 4.2 to developers. This is the version of iOS that will let iPads, iPhones and iPad Touches print to a WiFi-enabled or shared printer on a local network, via the new AirPrint service. It sounds like you'll be able to print articles from your digitally delivered newspaper before too long,' says Smith."

eldavojohn writes "On June 17th, the X.org team was notified by Invisible Things Lab of a critical security flaw (PDF) that affected both x86_32 and x86_64 platforms. The flaw deals with escalated privileges of a user process that has access to the X server. The founder of ITL said of the flaw, 'The attack allows a (unpriviliged) user process that has access to the X server (so, any GUI application) to unconditionally escalate to root (but again, it doesn't take advantage of any bug in the X server!). In other words: any GUI application (think e.g. sandboxed PDF viewer), if compromised (e.g. via malicious PDF document) can bypass all the Linux fancy security mechanisms, and escalate to root, and compromise the whole system.' This has apparently been a security flaw since kernel 2.6 was released. From the article, 'On 13 August, Linus Torvalds committed an initial fix, but several patches were added afterward for various reasons. The problem has been addressed in versions 2.6.27.52, 2.6.32.19, 2.6.34.4 and 2.6.35.2 of the kernel.'"

nk497 notes the news that a group of researchers calling themselves the Microsoft-Spurned Researcher Collective (the name is a play on Microsoft's Security Response Center) have come together to protest Microsoft's perceived heavy-handedness towards researchers who disclose security flaws. Pushed into action by the reception to the flaw disclosed by Tavis Ormandy, the group has released full details and exploit code for a previously unknown Windows local privilege escalation vulnerability. The advisory for the vulnerability, which affects Windows Vista and Windows Server 2008, contains the following manifesto: "Due to hostility toward security researchers, the most recent example being of Tavis Ormandy, a number of us from the industry (and some not from the industry) have come together to form MSRC: the Microsoft-Spurned Researcher Collective. MSRC will fully disclose vulnerability information discovered in our free time, free from retaliation against us or any inferred employer."

Kilrah_il writes "Wikipedia recently added an option to create a book from your chosen entries: 'That's it, the book creator has gone live in the English Wikipedia! A few hours ago, the book creator has been made available to all users of the English Wikipedia. This feature, which allows all readers to create books from Wikipedia articles, has been until now only available to logged-in users. It has been available in other Wikipedias for a longer time, it's now available on the English Wikipedia, for all, without restrictions.' You can either download the book in PDF format for free or have it printed and sent to you via PediaPress with 10% of the total going to the Wikimedia Foundation."

Frequent Slashdot contributor Bennett Haselton writes "An estimated 200,000 Hotmail users currently have their auto-reply set to a message spamming an advertisement for Chinese scam websites, which sell "discounted" electronics. Presumably the spammers compromised a large number of Hotmail accounts to pull this off, but wouldn't it be pretty easy for Hotmail to query for which users have that set as their auto-reply, and turn the auto-reply off for them?" Read below for Bennett's thoughts.

After a recent mailing that I sent out to a subset of my proxy mailing list, I got back 18 auto-replies from Hotmail users, all substantially similar to this:

Dear friend:
We are an electronic products wholesale .Our products are of high quality and low price. If you want to do business , we can offer you the most reasonable discount to make you get more profits. We are expecting for your business.

Please visit our website: www.wedosale.com

Email: wedosale@vip.188.com .
MSN: wedosale@hotmail.com .

Looking forward to your contact and long cooperation with us!

Our mainly products such the phones, PSP, display TV, notebook, video, computers, Mp4, GPS, xbox 360, digital cameras and so on.

Welcome to visit our website!

Some of the spam auto-replies advertised different websites, and the wording varied between the different auto-responses, but they were all similar advertisements for Chinese electronics "retailers." (And so, I assume, the websites are all fronts for the same company -- if multiple spammers had independently hacked Hotmail users' accounts to set their auto-replies, it would be vanishingly unlikely that those spammers would all happen to be electronics hawkers.) This was from a mailing that I sent to a set of subscribers that included about 26,000 users with "hotmail.com" e-mail addresses. If 18 out of 26,000 users in my sample have had their accounts hacked to send spam auto-replies, then this must be happening to a large number of Hotmail users -- not a large proportion (only one in 1,500, in my sample), but with about 300 million Hotmail users, that would still be a large absolute number.

The same spammers have apparently been spamming through Hotmail auto-replies for at least 11 months, according to this post in the Windows Live Help community forum from January 2009. At first, some pundits seemed to have assumed that spammers had created these accounts themselves and subscribed the accounts to people's lists, in order to spam the list owners (and, if it's a list that accepts subscriber posts, broadcast the spam to the other list readers). However, looking at the addresses in my proxy mailing list that were sending the spam auto-replies, I noticed that (1) our records show that the auto-reply-spamming subscribers joined the mailing list by various means, signing up through different Circumventor websites, not indicative of how a spammer would have joined the list by automated means, and (2) many of their email addresses are associated with legitimate-looking Myspace and Facebook accounts. Thus it looks as if these were real users who joined the list legitimately, and then got their accounts hacked by the spammers, who set those users' accounts to send the spam as an auto-response.

(If you happened to look at the spammers' www.wedosale.com website, at this point you might be thinking: I don't want to give money to spammers, but can I really get a Blackberry for only $295? Couldn't I just order from the website, and then if the goods don't show up or they're not as advertised, I can dispute the charge on my credit card? Well, I signed up for a dummy account on the www.wedosale.com page and got as far as the order page, and the only payment types that they accept are wire transfer, Western Union, and Moneygram -- precisely those types where you cannot get the money back or dispute fraudulent charges. If you've already gone and ordered a Blackberry, don't hold your breath.)

If my 26,000 users were a representative sample of the 300 million current Hotmail users, then with 1 out of 1,500 users in my sample being "infected," I could estimate that about 200,000 Hotmail users (1/1500 times 300 million) are currently set to send spam auto-replies. Hotmail claims to process 3 billion non-spam e-mails per day, for an average of about 10 non-spam e-mails per Hotmail user. That's the average for all users; what's the average for the infected users? Some factors would tend to lead to a lower average for infected users -- if they have lots of friends sending them mail, it's more likely that one of their friends would have told them about the auto-reply spam and told them to turn it off, so perhaps the users still sending the spams are the ones who don't receive a lot of messages from their friends. On the other hand, some of the infected accounts may be receiving more (non-spam) e-mail than average; one reason people sometimes abandon webmail accounts is that they're getting too much mail, even from newsletters like the Circumventor list that they had legitimately subscribed to. So, figuring that factors in both directions roughly cancel out, if each infected user is receiving the average number of 10 emails per day and sending 10 auto-reply spams in response, that's still a total of 2 million outgoing spams per day shilling for nonexistent Chinese iPhones.

These are just back-of-the-envelope calculations, but even I'm overestimating by a whole order of magnitude, that's still 0.2 million auto-reply spams per day, or about 70 million spams that will be sent by this one company through Hotmail's servers in the coming year, if Hotmail doesn't stop it. (And closer to a billion spams in the coming year if I'm not overestimating.)

And it's actually worse than that, because these spams are less likely than average to be filtered, since they're coming from Hotmail's servers. Normally you'd think that the content-based module of a spam filter would have no problem catching a message like the one at the top of this article, especially if millions of similar messages have been spewed out over the past year. However, messages from Hotmail's servers, regardless of content, are less likely to be blocked, since their network has a good reputation for sending little spam overall (due to measures such as requiring users to fill out a CAPTCHA when signing up, blocking each account from sending more than 500 messages per day, etc.). When I sent messages to the infected Hotmail users from my Gmail account, to see if the auto-responses would get through Gmail's spam filter, Gmail's blocked only half of the replies. When I mailed all the users again from my Hotmail account, the results were strange -- most of the users' accounts sent back no auto-reply at all, not even a reply that got routed to my junk folder. (Why would Hotmail accounts not send an auto-reply in response to a message from a Hotmail user? Please post if you have any idea what's going on there.) However, of the infected Hotmail accounts that did send a spam auto-reply, 100% of those auto-reply spams were delivered to my inbox. (Apparently, Hotmail's spam filter usually assumes that messages from other Hotmail users can't possibly be spam.) Only Yahoo Mail's spam filter, when I sent a test message to the infected users from my Yahoo Mail account, blocked all of the auto-replies as junk mail.

For the infected users on my mailing list, I sent them a link to a set of instructions I'd written about how to set and un-set their Hotmail auto-reply and how to change their Hotmail password, with the hopes that they'd eventually see the message and follow the steps. 18 users rescued, 200,000 to go.

So this is basically what's happening, but it still leaves some unanswered questions, such as: Why Hotmail accounts, but not Yahoo Mail, GMail, or AOL accounts? I've never noticed any auto-reply spam sent from any accounts at any of those other services. Whatever the spammers did to gain control of so many Hotmail accounts, if it was profitable for them, why didn't they do the same thing for Yahoo Mail? And, why did only one spammer do this? If they're sending between 1 and 10 million spams per day for free, they're probably making money at it. Whatever they did to hack those accounts, why wouldn't other spammers figure out the same method and copy them?

Presumably the Chinese spammers stole large numbers of passwords from Hotmail users either via a huge phishing attack, or through a security hole in Hotmail or some other part of the Windows Live service. If it was done via a security hole in Hotmail that the spammers discovered, then that would explain why the spammer's methods only worked for Hotmail accounts, and also why no other spammers have copied their techniques. (A phishing attack, on the other hand, would be easy to modify for other webmail services, and would also be easy for other spammers to emulate, so that's not consistent with the observed evidence so far.) I also found this post from blogger Stuart Shelton describing how his account was hacked by Chinese spammers -- and from the blog post, it's clear that he's very tech-savvy and would have been unlikely to fall for a run-of-the-mill password phish. If the attack happened even to people who know what they're doing, that seems to make the security hole explanation more likely.

Perhaps others can come up with some theories about what happened. It's easy to come up with guesses, but the hard part is to reconcile them with the fact that it has only affected Hotmail users so far, and no other spammer seems to have figured out how to copy the same technique yet.

But there's a much simpler question too: Why doesn't Microsoft just turn off the auto-replies for these users' accounts? They can query to see exactly which users have these messages in their auto-replies, and then un-set the auto-reply automatically. Yes, I know that even for a simple database operation like that, there's always more to it when you're managing hundreds of millions of accounts across multiple servers -- but if it will stop this one sender from sending between 50 million and 500 million spams (that in many cases will bypass people's spam filters) from Hotmail's servers in the coming year, isn't it probably worth it?

And even if it wasn't a phishing attack this time, sooner or later some other spammer will probably capture tens or hundreds of thousands of Hotmail accounts using a phish or some other method, and try spamming through auto-replies as well. So if Hotmail "fixes" this batch of auto-reply spam for practice, then the next time it happens, they'll know exactly what to do to take care of it.

I've written some columns where I strongly believed every word but expected a lot of opposition, some where I wasn't sure if I was right and just wanted to see what people thought, and . But I rarely argue something that I think is a no-brainer. Hotmail should un-set the auto-replies for those users whose accounts are spamming for nonexistent Chinese electronics knockoffs, before those accounts send another several hundred million spams in the coming year. Am I smoking crack?

Then again, maybe expectations for Hotmail shouldn't be set too high. I use SpeakEasy for my mail provider, and on about November 19th I found that all messages sent to hotmail.com addresses from SpeakEasy's servers were being bounced with an error message rejecting them for "spam-like characteristics."I called SpeakEasy and they confirmed that they knew Hotmail was blocking all mail from their users (although for "security reasons," SpeakEasy couldn't tell me what they were trying to do about it). The block wasn't lifted until about November 28th, when my messages started getting through again.

If SpeakEasy, which has been in business for 15 years, has annual revenues of $60 million, and was bought in 2007 by Best Buy, can't even get through to Microsoft in less than 10 days to tell them to stop blocking all mail from their servers, then Microsoft should first fix their postmaster trouble ticket system, so that people are not blocked from writing to their friends and family members at Hotmail for a week and a half. Then get to work on the spam auto-responders.

tsu doh nimh writes "Alan Ralsky, the 64-year-old dubbed the 'Godfather of Spam,' was sentenced to 51 months in prison on Monday, the Washington Post's Security Fix blog reports. According to anti-spam group Spamhaus.org, Ralsky has been spamming since at least 1997, using dozens of aliases and tens of thousands of 'zombies' or hacked PCs to relay junk e-mail. Also sentenced — to 40 months in jail — was Ralsky's 48-year-old son-in-law, Scott K. Bradley, and two other men named last year in a 41-count indictment for wire fraud, mail fraud, money laundering and violations of the CAN-SPAM Act." And eldavojohn writes "19-year-old Dmitriy Guzner, Anonymous member and Scientology DDoS attacker, received one year and one day in jail for his admitted crime. His sentence could have been a maximum ten years. According to the Church of Scientology, Anonymous has harassed and attacked them with '8,139 threatening phone calls, 3.6 million e-mails, 141 million hits on its website, ten acts of vandalism against its property, 22 bomb threats, and eight death threats against Church leaders.'"

An anonymous reader writes "A NASA probe found that cosmic ray intensities in 2009 had increased by almost 20 percent beyond anything seen in the past 50 years. Such cosmic rays arise from distant supernova explosions and consist mostly of protons and heavier subatomic particles — just one cosmic ray could disable unlucky satellites or even put a mission to Mars in jeopardy."

Flea of Pain writes "Fable III is finally in the works! 'Peter Molyneux revealed that his team is working on Fable III, which will arrive in late 2010, two years after the release of Fable II. The game will give you the primary task of becoming Albion's king and leading the people to happiness and the kingdom to glory. Fable III will be something bold and different, Molyneux promises, stating that story and drama will play a major part in it. New things will be done with the dog and the bread-crumb-trails mechanic, which were present in the second game, and you will be offered complete control of your actions and your people's actions, as you will be the king of Albion. ... [Y]ou will need to balance many things, including poverty and greed, tyranny and compassion or progress and tradition, all in order to keep your subjects happy. Furthermore, you will be able to set taxes and decide how you will rule your subjects. Your spouse, be it a king or a queen, will also point you into various directions over the course of the game. It seems that you will start as a son or daughter of the hero from Fable II and then progress until the halfway point of the game when you will be named king or queen of Albion. This means that you need to keep your save data from Fable II in order for a higher degree of customization.'"

Jack Spine writes "UK intelligence agency MI5 has admitted that its website security was breached by hacker group Team Elite. A member of the hacker forum posted details of the hack last week, which took advantage of a cross-site scripting vulnerability in the site's Google embedded search. MI5 admitted the breach on Wednesday, but said that the flaw had not been exploited maliciously."

bl8n8r writes "Apparently, Virtualbox 3.0 released today (2009-07-01) brings with it 'OpenGL 2.0 for Windows, Linux and Solaris guests; and experimental support for Direct3D 8/9 applications on Windows guests.' Maybe we can finally game in a VM?"

Hugh Pickens writes "Cosmologist Adrian Mellott has an article in Seed Magazine discussing his search for the mechanism behind the mass extinctions in earth's history that seem to occur with a period of about 62 million years. Scientists have identified nearly 20 mass extinctions throughout the fossil record, including the end-Permian event about 250 million years ago that killed off about 95 percent of life on Earth. Mellott notes that as our solar system orbits the Milky Way's center, it oscillates through the galactic plane with a period of around 65 million years. 'The space between galaxies is not empty. It's actually full of rarefied hot gas,' says Mellott. 'As our galaxy falls into the Local Supercluster, it should disturb this gas and create a shock wave, like the bow shock of a jet plane,' generating cascades of high-energy subatomic particles and radiation called 'cosmic rays.' These effects could cause enhanced cloud formation and depletion of the ozone layer, killing off many small organisms at the base of the food chain and potentially leading to a population crash. So where is the earth now in the 62-million year extinction cycle? '[W]e are on the downside of biodiversity, a few million years from hitting bottom,' writes Mellott."

Jeff Shantz writes "A 17-year-old Romanian girl is dead after being electrocuted while tweeting in the bath tub. Apparently, she plugged in her laptop after her battery started to die, and it is unclear as to whether or not she dropped the laptop in the water, or simply dripped enough water on the device to cause the shock. Needless to say, it is probably good advice not to tweet in the tub."

Byzantine writes "The Mississippi Legislature has passed MS House Bill 1461 which would amend the state's tax laws specifically to charge sales tax on 'electrically transferred digital products,' including products bought via mail-order. The bill is currently on the governor's desk awaiting signature." Softpedia claims that 20 states have enacted download taxes of one sort or another — most of them for iTunes music — and that New York is considering taxing downloads of all kinds.

Pizzutz writes "Softpedia reports that Ubuntu 9.04 Boots in 21.4 Seconds using the current daily build and the newly supported EXT4 file system. From the article: 'There are only two days left until the third Alpha version of the upcoming Ubuntu 9.04 (Jaunty Jackalope) will be available (for testing), and... we couldn't resist the temptation to take the current daily build for a test drive, before our usual screenshot tour, and taste the "sweetness" of that evolutionary EXT4 Linux filesystem. Announced on Christmas Eve, the EXT4 filesystem is now declared stable and it is distributed with version 2.6.28 of the Linux kernel and later. However, the good news is that the EXT4 filesystem was implemented in the upcoming Ubuntu 9.04 Alpha 3 a couple of days ago and it will be available in the Ubuntu Installer, if you choose manual partitioning.' I guess it's finally time to reformat my /home partition..."

99BottlesOfBeerInMyF writes "Yesterday Apple quietly slipped out an update to their Safari Web browser to version 3.2. The notable feature is that it finally adds anti-phishing technology, an area where Safari has lagged behind competitors. Aside from that, it provides some security fixes, improved JavaScript performance, and a slightly newer version of Webkit, pulling their Acid3 score up to 77." Apple forums across the Net are reporting frequent crashes in Safari 3.2, some possibly caused by 3rd-party add-ons, others perhaps related to the anti-phishing feature.

esocid writes "A team of European scientists has deliberately triggered electrical activity in thunderclouds for the first time by aiming high-power pulses of laser light into a thunderstorm. At the top of South Baldy Peak in New Mexico during two passing thunderstorms, the researchers used laser pulses to create plasma filaments that could conduct electricity. No air-to-ground lightning was triggered because the filaments were too short-lived, but the laser pulses generated discharges in the thunderclouds themselves up to several meters long. Triggering lightning strikes is an important tool for basic and applied research because it enables researchers to study the mechanisms underlying lightning strikes. Moreover, triggered lightning strikes will allow engineers to evaluate and test the lightning-sensitivity of airplanes and critical infrastructure such as power lines. Research into laser-triggered lightning has been going on for some years. Until now, no experiment was able to produce a long enough plasma channel to affect the electrical activity inside clouds."

00_NOP writes "According to a report on Softpedia, citing Net Applications, Linux usage on the desktop doubled in 2006 — 07: though from a miserable 0.37% to a still not brilliant 0.81%. Given that Linux is free, is based on peer reviewed source (and so inherently more secure in the longer term) and that hardware support is now pretty good, how long are we going to have to wait for the big breakthrough?" Of course the focus of the article is that Vista is kicking butt over Mac/Linux, which is not particularly surprising.

Late-Eight writes "Scientists at the Georgia Institute of Technology are working on a new type of nanogenerator that could draw necessary energy from flowing blood in the human body. The hope is to incorporate the new nanogenerator into biosensors, environmental monitoring devices and even personal electronics that will require no fuel source, internal or external. Once completed, this new cellular engine could find various applications, even beyond medicine."

greengrass writes "Are you using Windows Vista? Then you might as well know that the licensed operating system installed on your machine is harvesting a healthy volume of information for Microsoft. In this context, a program such as the Windows Genuine Advantage is the last of your concerns. In fact, in excess of 20 Windows Vista features and services are hard at work collecting and transmitting your personal data to the Redmond company."

hcmtnbiker writes with news of a logic flaw shared by IE 7 and Firefox 2.0. IE 5.01, IE 6, and Firefox 1.5.0.9 are also affected. The flaw was discovered by Michal Zalewski, and is easily demonstrated on IE7 and Firefox. The vulnerability is not platform-specific, but these demonstrations are — they work only on Windows systems. (Microsoft says that IE7 on Vista is not vulnerable.) From the vulnerability description: "In all modern browsers, form fields (used to upload user-specified files to a remote server) enjoy some added protection meant to prevent scripts from arbitrarily choosing local files to be sent, and automatically submitting the form without user knowledge. For example, '.value' parameter cannot be set or changed, and any changes to .type reset the contents of the field... [in this attack] the keyboard input in unrelated locations can be selectively geared toward input fields by the attacker."

s31523 writes "With over 1 billion cell phone users worldwide, and with so many business travelers, using the cell phone on the airplane has been a recent hot topic. Emirate airlines is announcing they will give the OK for cell phone use on their planes, making them the first airline to do so. The FCC and FAA still ban the use, but are working to determine safety implications, if any."

jefu writes "As you may know, the 2006 Tour de France finished yesterday with an American, Floyd Landis, the overall winner. This years Tour had a very nice live website, including frequent news postings and a flash interface that showed the gaps between the lead riders updated every couple of minutes. The site was taking up to 35,000 hits per minute. There is lots of technology involved in this race, including carbon fiber bikes, serious aerodynamic studies to improve the bikes, the helmets and even the riders. There are also bike transponders, GPS trackers , fancy radio systems to connect the riders to the team cars, online database access to race statistics, and probably lots more."

thebaboon writes "Bill Gates announced that the Xbox 360 will have an HD-DVD drive, just not for launch. From the article: "According to the statements made by Bill Gates in Japan, Xbox 360, the new gaming console, will include HD-DVD drives. Considering that such a decision would postpone the launching date, Microsoft will equip the initial models with classic DVD drives, and only after the new HD-DVD are ready, the Xbox will incorporate them."

An anonymous reader writes "Speaking to a packed auditorium at Stanford University in Palo Alto, Calif., on May 12, Ballmer trumpeted the ripe opportunities around Microsoft's sprawling business and questioned the ability of Google to maintain its edge. Clearly alluding to Microsoft's key Internet search rival, Ballmer said: 'The hottest company right now -- the one nobody thinks can do any wrong -- may just be a one-hit wonder.' According to concept developed by Ballmer, the online search engines represent the key points of the future technology, and the leader in this domain, none other than Google, is destined to perish in less than five years. These predictions belong exclusively to Microsoft's CEO who sounds a little like Bill Gates announcing iPod's death."

Michael S writes sent in a good story which sumarizes the current status of the battle between Blu-Ray & HD-DVD. There still isn't really a clear victor... or is there? I for one can't wait for this crap to get settled out so we can just enjoy having huge discs.

Michael S writes sent in a good story which sumarizes the current status of the battle between Blu-Ray & HD-DVD. There still isn't really a clear victor... or is there? I for one can't wait for this crap to get settled out so we can just enjoy having huge discs.

cripkd writes "Although two days passed already I am proud to announce that a Romanian team launched a sub-orbital unmanned flight. Demonstrator 2 is a prototype to the actual shuttle they will enter in the X-Prize competition, build with 30,000 USD, pocket money, as they say, compared to the other projects. The project's home site is here and an article about the launch can be found here. PS. And it's all ecological as they produce oxygen and water vapours :)"