Domain: uni-stuttgart.de
Stories and comments across the archive that link to uni-stuttgart.de.
Stories · 11
-
iOS WebView Bug Can Force iPhones To Make Calls While UI Freezes (bleepingcomputer.com)
An anonymous reader writes: "A bug in the iOS WebView component allows an attacker to force someone's iPhone to dial any number, while also locking the user's interface for a few moments, preventing him to cancel the outgoing call," reports BleepingComputer. "The bug was at the heart of the recent accidental DDoS of 911 call centers across the U.S." At the heart of the issue is a Safari bug reported in 2008, which was fixed in iOS 3.0. The same bug also exists in the WebView component used by app makers to show web pages inside other apps. The researcher that found the bug writes in a blog post: "If you think automatically dialing a phone number after clicking a link in an app is not a big issue think again. DoSing 911 is pretty terrible but there are other examples such as expensive 900 numbers where the attacker can actually make money. A stalker can make his victim dial his phone number so he gets his victim's number. Altogether things you don't want to happen. [...] Apple should change the default behavior of WebViews to exclude execution of TEL URIs and make it an explicit feature to avoid this kind of issues in the future." -
New Interactive Black Hole Simulation Published
quaith writes "The New Scientist reports on a simulation just published in the American Journal of Physics that shows how the sky would appear in the vicinity of a black hole — if an observer could actually get near one. Using real positions of around 118,000 stars, the simulation shows how the bending of light, the frequency shift, and the magnification caused by gravitational lensing and aberration in the vicinity of the black hole affect the sky's appearance. The simulation is interactive and allows the user to explore the stellar sky around the black hole. The simulation offers a couple of modes: 'quasi static' or 'freely falling' and the sample videos are quite spectacular. The New Scientist has a writeup, with an embedded video. The original article citation is here (abstract only). The simulation, which runs on Linux or Windows, as well as sample videos, can be downloaded from the University of Stuttgart website." -
Debian Project Servers Compromised
Sean was one of many to pass along the bad news from the debian-announce mailing list: "Some Debian Project machines have been compromised. This is a very unfortunate incident to report about. Some Debian servers were found to have been compromised in the last 24 hours. The archive is not affected by this compromise! In particular the following machines have been affected: 'master' (Bug Tracking System), 'murphy' (mailing lists), 'gluck' (web, cvs), 'klecker' (security, non-us, web search, www-master). Some of these services are currently not available as the machines undergo close inspection. Some services have been moved to other machines (www.debian.org for example). The security archive will be verified from trusted sources before it will become available again." They were going to announce 3.0r2 this morning; they've checked it and it's unaffected but obviously they're still postponing that release. -
Online Scientific Information Portals?
Knacklappen asks: "On August 5th, vascoda, Germany's new central access point for comprehensive scientific information, goes online. It will incorporate 23 virtual libraries and 4 scientific information networks, and offer these information for free. For the paying customer, there will also be access to electronic journals. What freely accessible scientific information portals do you use? I usually turn to the following when searching for articles: arxiv.org, AVEL, CiteSeer, dissonline.de, DOE Information Bridge, DSpace, ETD, NDLTD, OAIster, OPUS, TheO. Are there any others that you can recommend?" -
F-22 Avionics Require Inflight Reboot
An anonymous reader writes "The Atlanta Journal & Constitution is fronting a lengthy piece on the USAF's new F-22 and its upcoming shootout with the existing fleet of F-15's & 16's. One line in the article really jumped out at me: 'When avionics problems crop up now, pilots must restart the entire system as if rebooting a personal computer.' I did some googling, and this is about as much as I could find: The hardware backbone for the system is the Hughes Common Integrated Processor, which, in turn, appears to be built around the Intel i960 CPU. I couldn't find a name for the operating system, but it appears to be written in about one and a half million lines of Ada code; more on the Ada hardware integration and Ada i960 compilers is here. Any Slashdotters working on this project? If so, why do you need the inflight reboot? PS: Gamers will be interested to learn that nVidia's Quadro2 Go GPU and Wind River's VxWorks Operating System are melded in the F-22's Multi-Function Display." -
Apache Vulnerability Announced
Aaron writes "Versions of the Apache HTTP Server up to and including 1.3.24 and 2.0 up to and including 2.0.36 contain a bug in the routines which deal with invalid requests which are encoded using chunked encoding. In some cases it may be possible to cause a child process to terminate and restart, which consumes a non-trivial amount of resources. See the official announcement and stay tuned here for updated versions." This is in response to the rather uninformed and questionable security notice by ISS X-Force, about a bug that has already been mentioned on the public mailing lists for Apache and is fixed in CVS for Apache 2.0. I am also told that their patch doesn't fully solve the problem. I am sure though that by awaking us to the problem they will get a lot of great press just like any of the other companies currently using useless bug announcements as press releases. -
A New Challenge from Honeynet
cjpez writes: "The people at the Honeynet have issued another challenge on the Bugtraq mailing list. Instead of hacking into a box, though, this time your goal is to submit the best analysis of a binary file they'll post on Monday, May 6th. Think you're good at reverse engineering? Then try it out! They're even offering actual prizes, so you can get something besides the feeling of personal fulfillment for your trouble. The post hasn't quite made it to SecurityFocus' Bugtraq Archive yet, but I did find it at another Bugtraq archive in Germany (slashdottings abound!). The URL included in the email, http://project.honeynet.org/reverse/, doesn't seem to be active yet, so presumably we can assume it'll go up on Monday. The post fails to address other concerns, though: will the winner be in violation of the DMCA? :P The challenge was also issued, obviously enough, on SecurityFocus' Honeypot mailing list." In a later note, he points out that the announcement has finally made it to the Bugtraq archive page. (And that URL is active now.) -
IRCnet Servers Strike To Protest DDoS Attacks
Many of the IRC servers on IRCnet are going to lock out all of their users from 12:00 on Friday the 7th of April to 20:00 on Saturday the 8th of April 2000 (time given in UTC+0200) to protest denial of service attacks. It's a tactic that's been employed before, but hopefully people will learn. Considering the attacks on so many services on the Web, I bet we'll see this more. Course that might just encourage the script kiddies. -
The Mini-Quickies That Fell To Earth
johnathan spectre wrote in to tell us about these really cool plasma shoelaces. plasticPaddy wrote in to tell us about SkyBird, a nifty remote-control ornithopter. Fire up the flux capacitor, because feebeling wrote in about this WWW guide, circa 1993. seizer told us about some crazy guy TCP/IP tunneling through E-mail: now that's dedication. Speaking of crazy people, Green Monkey scared me with his submission, a Web site devoted to Pokémon butts. From the self-referential bucket, the Webby Awards have nominated Slashdot in the 'Community' and 'Print and Zines' categories. Go Vote and we get some trophy or something. _damnit_ wrote in with a nice little piece on the Ides of March. In case you're in the greater Boston area, Rob 'CmdrTaco' Malda will be speaking at the Geek Pride Festival at the end of the month. -
Students Develop Open Crypto Chip
kris writes "German Computer Magazine c't just pointed to an article about German Students developing a crypto chip. The device will do 168 MBit/sec DES, 50 key exchanges in 768 bit RSA and the VHDL will be published as Open Source. Alcatel will build the beast." The original article is in German, but kris also sent us a rough translation which I've attached below.
Stuttgart students develop crypto chip
The eight head team "pg99" at the computer science dept of Stuttgart university under guidance from Dipl-Ing Gundolf Kiefer has developed a complete crypto chip, which can do RSA (768 bit) and DES. With DES, which is intended for large data volumes, the chip can do 168 MBit/sec. The higher level RSA is being used mainly for DES key exchange, for authentication and for digital signatures. The chip will do ~50 keys/sec in RSA. Communication with the environment can be done via a parallel interface (8, 16 or 32 bit) or via two-wire I2C bus, which can be found on many current motherboards (Intel calls this SMB).
The 100,000 gate chip will be produced by Alcatel in 0.35 µm technology (compare this to the 134,000 gates in an 80286). Officially the chip will be unveiled on the 8th of July at the computer science faculty, where the VHDL source of the design will be made available as Open Source.