Stories · 3,462
-
Open Data Needs Open Source Tools
macslocum writes "Nat Torkington begins sketching out an open data process that borrows liberally from open source tools: 'Open source discourages laziness (because everyone can see the corners you've cut), it can get bugs fixed or at least identified much faster (many eyes), it promotes collaboration, and it's a great training ground for skills development. I see no reason why open data shouldn't bring the same opportunities to data projects. And a lot of data projects need these things. From talking to government folks and scientists, it's become obvious that serious problems exist in some datasets. Sometimes corners were cut in gathering the data, or there's a poor chain of provenance for the data so it's impossible to figure out what's trustworthy and what's not. Sometimes the dataset is delivered as a tarball, then immediately forks as all the users add their new records to their own copy and don't share the additions. Sometimes the dataset is delivered as a tarball but nobody has provided a way for users to collaborate even if they want to. So lately I've been asking myself: What if we applied the best thinking and practices from open source to open data? What if we ran an open data project like an open source project? What would this look like?'"
-
New Crossover Release With Improved Compatibility
solanum writes "On March 2nd Crossover 9.0 was released. CrossOver 9 features a new user interface that focuses on making installation of Windows software quicker and easier than previous versions. Another new feature is CrossOver's ability to download installation 'recipes' directly from CodeWeavers online Compatibility Database. 'If another CrossOver user has figured out how to use CrossOver to install a Windows application, they can upload that installation recipe to our database,' said Jeremy White, CodeWeavers chief executive officer. 'As we go forward, and build this online storehouse, CrossOver will begin to automatically install that same application for other users. This enables us to move closer to a world where CrossOver will begin to run the majority of Windows apps, and not just an officially supported subset. In other words, our diabolical plot for world domination is going exactly as planned,' he added. Early reviews and comments are positive, and my own experience is that many more Windows applications work in this new version than previously."
-
Researchers Find Way To Zap RSA Algorithm
alphadogg writes "Three University of Michigan computer scientists say they have found a way to exploit a weakness in RSA security technology used to protect everything from media players to smartphones and e-commerce servers. RSA authentication is susceptible, they say, to changes in the voltage supply to a private key holder. While guessing the 1,000-plus digits of binary code in a private key would take unfathomable hours, the researchers say that by varying electric current to a secured computer using an inexpensive purpose-built device they were able to stress out the computer and figure out the 1,024-bit private key in about 100 hours – all without leaving a trace. The researchers in their paper outline how they made the attack (PDF) on a SPARC system running Linux."
-
Window Pain
Frequent Slashdot contributor Bennett Haselton contributes the following piece on trying to get some measure of satisfaction in the struggle against pop-up ads, writing "The most annoying thing about some pop-up ads, is that you have no way of knowing which ad-serving network served them or who the responsible parties are. Could we reduce the incidence of illegal or deceptive pop-up ads, by giving users an easier way to trace their origin and figure out where to send complaints? Here's one way to do it with a simple right-click." Read on for the rest.
Occasionally while I'm surfing the web and a pop-up ad opens, my Norton Anti-Virus will alert me that it blocked an "attack" on my computer, and then in Norton's logs of recently blocked attacks, it gives the URL of the content inside the pop-up ad that was blocked. Sometimes it indicates whether the "threat" was blocked under the category "scareware" (an ad that mimics a program scanning your PC for viruses and then claiming to find "infections," which you have to remove by purchasing the advertiser's software) or "malware" (an advertiser's page that tries to infect your computer directly by using JavaScript tricks to get around the browser's security features). I'm glad that Norton blocks the malware attacks, since even though I always have all the latest security patches installed for Internet Explorer, it's always possible that an attacker could be using an exploit that hasn't been patched yet. I don't really care about blocking the "scareware" ads, because I'm not going to fall for an ad that claims to be scanning my PC for viruses, but most Norton customers probably appreciate blocking those ads as well.
The problem in both cases is that it's hard even for an experienced user, and almost impossible for a novice user, to know where to send a complaint about the content in a pop-up window. You can usually figure out the URL of the content in the pop-up window (just right-click the window content and pick "Properties" in Internet Explorer or "View Page Info" in Firefox), but often the content itself is being served from an IP address in a jurisdiction like China or Cyprus where malicious operators are hard to shut down. What you really want is for them to stop serving their dangerous ads on reputable websites through the ad network. You could complain to the owner of the website that you're browsing, and say that a pop-up ad window from their site got blocked by Norton as a "virus," but if their site rotates ads from different providers, the site owner would have no way of knowing which advertising network served the ad. Even if you know the URL of the malicious content that was in the pop-up window, that's not enough to tell which advertising network it was served from (because ad networks typically don't serve the ads from their own domain; they just serve a redirect, which causes the browser to load the pop-up ad's contents from the advertiser's domain).
And even if you know which advertiser network served the ad, and the URL that the malicious pop-up content was served from (say, http://www.evilsite.cn/popup.html), so you can take your complaint directly to the advertising network, that may still not be enough information for them to figure out which of their advertisers served the malicious content and needs to be booted out of the network. Because all the advertiser network has is a list of ad pages for their different advertisers (http://www.advertiser-1.com/ad.html, http://www.advertiser-2.com/ad.html, etc.) — the advertiser buys the right to show ads, and the ad network displays ads that load content from those ad content pages. If one of those pages — say, http://www.advertiser-2.com/ad.html — redirects the user's browser to http://www.evilsite.cn/popup.html, the advertiser network has no way of knowing which advertiser is doing that. They would have to go through and check the ad-serving pages (http://www.advertiser-1.com/ad.html, http://www.advertiser-2.com/ad.html, and so on, one at a time) for each of their advertisers, to see which of those pages redirect to http://www.evilsite.cn/popup.html — and by the time they do that, the advertiser might have altered the page so that it no longer redirects to the malicious content. While it's pretty straightforward to figure out what URL the malicious content is being loaded from, it's very difficult to figure out the chain of events that redirected you there, and who the responsible parties are.
So here's an idea for a simple browser feature that would make it a lot easier to hold malicious advertisers accountable, and get them kicked out of honest ad-serving networks. Simply give the user a way to right-click on the top of a browser window, and pick "View window origin" or something similar. This would display the sequence of redirects that opened the window, something like this:
Browser was visiting http://www.cnn.com/
http://www.cnn.com/ loaded JavaScript from http://www.advertiser-network.com/ads.js
http://www.advertiser-network.com/ads.js redirected browser to http://www.advertiser-2.com/ad.html
http://www.advertiser-2.com/ad.html redirected browser to http://www.evilsite.cn/popup.html
Then, if the user views an ad that is obviously scareware (or if Norton blocks the contents from loading and gives that as a reason), then the user can just right-click on the window and see the list of redirects. The user could then e-mail that to the website owner with a suggestion to do something about it ("The ad network on your page, has been infiltrated by an advertiser who is using the ad network to serve malicious content"), or the user could take the complaint to the advertiser network. The advertiser network would be able to see from the log, exactly which of their advertisers' ad.html pages served the malicious content.
(Yes, this comes on the heels of my article arguing that we should allow more intrusive ads as a way to help pay for services that can't finance themselves with normal pop-up ads. This may strike some people as "ironic" who haven't thought about it very carefully. Getting users to give larger amounts of their attention in exchange for premium service, is an honest and mutually beneficial transaction; scaring users with deceptive ads, or using ad space to try to infect their computer, is not. I think that Starbucks has the right to charge whatever they want for coffee; that doesn't mean they have the right to pee in your coffee.)
In order for this window-history-tracing feature to make a difference, at least the following two conditions also have to be true:
- The advertiser network has to be honest (honest enough to kick out advertisers who they know are serving malicious content), or at least, be located in a jurisdiction where they have to worry about being sued or prosecuted if they don't kick bad apples out of their network.
- When the malicious ads are served, enough users have to complain about them that the advertiser network takes notice. You wouldn't want the advertiser network to take action just based on a single complaint, since then anyone with a grudge could file a phony complaint against an advertiser in order to get them shut down, but if complaints start coming in from several sources, then they should investigate.
Fortunately, these would be likely to be true in many if not most cases where malicious pop-up windows are being served. With regard to the first condition, I've dealt with several advertising networks to find ads to serve on the proxy sites that I run, and they were all based out of law-and-order countries (the U.S., Canada, Israel, i.e. not China or Kazakhstan). As for the second condition, the advertiser would probably have to serve the ad to many different users in order to achieve their goal -- whether their goal is to infect users' machines, or to get them to buy the advertiser's fake anti-virus software, or whatever -- and as long as a fixed percentage of users viewing the malicious ads are inclined to file complaints about them, then the more the ads are served, the more complaints will come in until the ads are taken out of rotation.
Of course, if the URL that's actually serving the malicious content, is located in a law-and-order country, you could always just complain to the admins of the network where the content is being hosted. But that's likely to be less effective, since (a) the actual URLs that I've seen serving the malicious content, usually are located in cybercrime-infested nations like China, and (b) even if you get one of those sites shut down, the advertiser can instantly rotate in other sites with the same content, and make that the new URL that users are redirected to.
It is also of course true that some pop-up ads are spawned not by websites, but by malicious programs that actually infect your machine and force your browser to display pop-up windows. If some browser maker adopted the feature I'm suggesting, and stored a user-viewable "history" associated with each pop-up window, then a malicious program running on your machine might even be able to spoof the history associated with a pop-up window, so that the user would right-click on it and think it came from http://www.cnn.com/ instead of being spawned by malware. Once the user has their machine infected by a rogue program, nothing that any other application tells them can really be trusted after that point. So an advertiser network would have to be careful not to take action against an innocent third party, just based on a flood of complaints that were sent in by people whose machines were infected by malware that spoofs the origin of the pop-up windows. Fortunately, if the allegedly malicious ad is still in rotation, it would be easy for the advertiser network to check the validity of the complaint, by simply going to the advertiser's ad-content page, and seeing if it redirects to the malicious content. If it does, then you have grounds to boot the advertiser out of the network.
(You'd want to check the page's content from some anonymous IP address not affiliated with the advertiser network though. Otherwise, the advertiser might try to fool the ad network people, by showing "innocent" content when the page is loaded from the IP addresses associated with the ad network's office, and serving the scareware content to everybody else. Just trying to think of everything here.)
I'm sure there are other counter-strategies and counter-counter-strategies that would have to be taken into account, and kinks to be worked out, but probably not fatal to the whole idea. If a pop-up window opens on the user's computer that is possibly illegal, it is probably a good thing to give the user the tools to figure out where the ad came from, and which advertiser network to complain to. Right now, the ad window just floats there, and it's maddening not to have any way of knowing which ad-serving network put it there, or even if you can identify the ad-serving network, which of their advertisers created the content.
The main obstacle standing in the way of a major browser maker implementing this, may be that it doesn't bring any particular benefit to the users of that browser. When Microsoft adds SmartScreen to Internet Explorer, they can now claim that IE users are better-protected than users of other browsers. On the other hand, if the Mozilla Foundation adds the pop-up window right-click-history feature to their browser, they can't legitimately claim that Firefox users are better protected, since this feature wouldn't actually block anything. Firefox users would simply be better equipped to complain about malicious pop-up windows, and increase the chances of those rogue advertisements being taken down, or at least kicked out of ad networks where they would do the most damage. However, the benefits of that increased policing, would accrue to all Internet users, not just Firefox users.
Still, abuse desks get so many complaints about spam and spammers, that there are apparently plenty of people out there who get enough satisfaction from complaining about net abuse, that they would make use of the pop-up window-tracing feature if they had it. I know that when I see a stupid ad pretending to "scan" my computer for viruses, I get unreasonably disgusted, not from seeing the ad itself (which I can easily ignore), but from knowing that the advertiser has probably fleeced people of thousands of dollars with that ad. It would be nice to be able to help stop them before they cheat the next person.
-
Infinity Ward Lead Developers Axed Unexpectedly
RogueyWon writes "Kotaku is reporting that Infinity Ward, the development studio behind Modern Warfare 2, has been at the center of strange events recently. Jason West and Vince Zampella, two lead developers, have been fired by parent company Activision for 'breaches of contract and insubordination.' Speculation is rife as to the reasons behind this; following Modern Warfare 2's spectacular sales figures, it seems unlikely that the studio's performance could be to blame."
-
Caltech Makes Flexible, 86% Efficient Solar Arrays
strredwolf writes "Caltech has released a flexible solar array that converts 95% of single-wavelength incandescent light and 86% of all sunlight into electricity. Instead of being flat-panel, they stand thin silicon wires in a plastic substrate that scatters the light onto them. The total composition is 98% plastic, 2% wire — the amount of silicon used is 1/50th that of ordinary panels. So as soon as they can get these to market, solar could be very viable and cheap to produce." Update: 03/01 21:02 GMT by KD : Reader axelrosen points out evidence that the 80%+ efficiency figure is wrong. MIT's Tech Review, in covering the Caltech announcement, says that the new panel's efficiency is in the 15%-20% range — which is competitive with the current state of the art. And the Caltech panel should be far cheaper to manufacture.
-
A New Wi-Fi Exploit, Limited But Clever
eggboard writes "Martin Beck, who in 2008 co-wrote a paper describing a way to inject packets into a secured Wi-Fi system, is back with a more extensive exploit. His 'Enhanced TKIP Michael Attacks' still don't allow extraction of a key, and are limited to TKIP (not AES-CCMP) WPA-protected networks. Still, he's figured out how to put in large payloads, and to extract data sent from an access point to a client — all without cracking the network key. The attack requires proximity to sniff and inject data, but it's another crack in the older key standard (TKIP) that no one with serious security interests should still be using." Here is Beck's paper (PDF) describing the new attacks.
-
UN To Create Independent Panel To Review IPCC
Hugh Pickens writes "The NY Times reports that an independent board of scientists will be appointed to review the workings of the world's top climate science panel, which has faced recriminations over inaccuracies in a 2007 report that included a prediction that Himalayan glaciers would vanish by 2035, although there is no scientific consensus to that effect. That brief citation — drawn from a magazine interview with a glaciologist who says he was misquoted — and sporadic criticism of the panel's leader have fueled skepticism in some quarters about the science underlying climate change. Nick Nuttall, a spokesman for the United Nations Environment Program, said the review body would be made up of 'senior scientific figures' who could perhaps produce a report by late summer for consideration at a meeting of the climate panel in October in South Korea. 'I think we are bringing some level of closure to this issue,' says Nuttall. One area to be examined is whether the panel should incorporate so-called gray literature, a term to describe nonpeer-reviewed science, in its reports. Many scientists say that such material, ranging from reports by government agencies to respected research not published in scientific journals, is crucial to seeking a complete picture of the state of climate science."
-
After Learning Java Syntax, What Next?
Niris writes "I'm currently taking a course called Advanced Java Programming, which is using the text book Absolute Java, 4th edition, by Walter Savitch. As I work at night as a security guard in the middle of nowhere, I've had enough time to read through the entire course part of the book, finish all eleven chapter quizzes, and do all of the assignments within a month, so all that's left is a group assignment that won't be ready until late April. I'm trying to figure out what else to read that's Java related aside from the usual 'This is how to create a tree. This is recursion. This is how to implement an interface and make an anonymous object,' and wanted to see what Slashdotters have to suggest. So far I'm looking at reading Beginning Algorithms, by Simon Harris and James Ross."
-
Rogue PDFs Behind 80% of Exploits In Q4 '09
CWmike writes "Just hours before Adobe is slated to deliver the latest patches for its popular PDF viewer, ScanSafe announced that by its counting, malicious Adobe Reader documents made up 80% of all exploits at the end of 2009. In the first quarter of 2009, malicious PDF files made up 56% of all exploits tracked by ScanSafe. That figure climbed above 60% in the second quarter, over 70% in the third and finished at 80% in the fourth quarter. Mary Landesman, a ScanSafe senior security researcher, said, 'Attackers are choosing PDFs for a reason. It's not random. They're establishing a preference for Reader exploits.' Exactly why hackers choose Adobe as their prime target is tougher to divine, however. 'Perhaps they are more successful,' she said. 'Or maybe it's because criminal attackers are human, too. We respond when we see a lot of people going after a particular product... We all want to go after that product, too. In the attacker arena, they might be thinking, 'Gee, all these reports of Adobe Reader zero-days, maybe I should get in on them too.'"
-
BioShock 2 Released
BioShock 2 launched today for the PS3, Xbox 360 and Windows, ending the wait for a sequel to the original 2007 blockbuster. The events in BioShock 2 take place 10 years after the story from the original game. This time around, players control a prototype Big Daddy in an attempt to overthrow the new leader of Rapture. Early reviews for the game are quite strong, though the developers were prepared for fan backlash over some of the changes they made. The Guardian's Nicky Woolf praises the new storyline, and adds that "there is a fundamentally excellent shooter here too, with some of the best combat dynamics in the business." Rock, Paper, Shotgun's Alec Meer also had good things to say about the combat: "I can't stress this enough – as a game about shooting people, it's very responsive and very rewarding." However, Meer expressed disappointment that some of the impressive new concept art didn't get used and that the story and environment couldn't match the novelty of the original game. "Part of Rapture's great wonder was that it was just believable enough, if you squinted your brain a bit (or a lot), but this lathers on so much wild sci-fi that it's much harder to connect to it. The Sisters are elevated from horrifying genetic/psychological experiment into all-powerful messiah figures capable of pulling any old deus ex machina out of the hat. Making them into so much reduces the power and the sadness of what they are. As a result, the concept feels too exhausted to ever be used again."
-
Call For Scientific Research Code To Be Released
Pentagram writes "Professor Ince, writing in the Guardian, has issued a call for scientists to make the code they use in the course of their research publicly available. He focuses specifically on the topical controversies in climate science, and concludes with the view that researchers who are able but unwilling to release programs they use should not be regarded as scientists. Quoting: 'There is enough evidence for us to regard a lot of scientific software with worry. For example Professor Les Hatton, an international expert in software testing resident in the Universities of Kent and Kingston, carried out an extensive analysis of several million lines of scientific code. He showed that the software had an unacceptably high level of detectable inconsistencies. For example, interface inconsistencies between software modules which pass data from one part of a program to another occurred at the rate of one in every seven interfaces on average in the programming language Fortran, and one in every 37 interfaces in the language C. This is hugely worrying when you realise that just one error — just one — will usually invalidate a computer program. What he also discovered, even more worryingly, is that the accuracy of results declined from six significant figures to one significant figure during the running of programs.'"
-
Improving Education Through Social Gaming
A piece up at Mashable explores how some schools and universities are finding success at integrating social gaming into their education curriculum. Various game-related programs are getting assistance these days from sources like the government and the Bill & Melinda Gates Foundation. "For the less well-to-do educator, the Federation of American Scientists has developed a first-person shooter-inspired cellular biology curriculum. Gamers explore the fully-interactive 3D world of an ill patient and assist the immune system in fighting back a bacterial infection. Dr. Melanie Ann Stegman has been evaluating the educational impacts of the game and is optimistic about her preliminary findings. 'The amount of detail about proteins, chemical signals and gene regulation that these 15-year-olds were devouring was amazing. Their questions were insightful. I felt like I was having a discussion with scientist colleagues,' said Stegman. Perhaps more importantly, the video game excites students about science. Motivating more youngsters to adopt a science-related career track has become a major education initiative of the Obama administration. So desperate to find a solution that motivates students to become scientists, the government has even enlisted Darpa, the Department of Defense’s 'mad scientist' research organization, to figure out a solution."
-
Game Devs Migrating Toward iPhone, Away From Wii
A new report by Game Developer Research reveals that the number of developers working on games for the iPhone continues to rise, roughly doubling in number from last year. At the same time, the amount of work done on games for Nintendo's Wii dropped significantly: "Just over 70 percent of developers said they were developing at least one game for PC or Mac (including browser and social games), rising slightly from last year; 41 percent reported working on console games. Within that latter group, Xbox 360 was the most popular system with 69 percent of console developers targeting it, followed by 61 percent for PlayStation 3. While those console figures stayed within a few percent of last year's results, the change in Wii adoption was much more significant: reported developer support for the system dropped from 42 percent to 30 percent of console developers, supporting numerous publishers' claims of a recent softening of the Wii market."
-
Israeli Scientists Freeze Water By Warming It
ccktech writes "As reported by NPR and Chemistry World, the journal Science has a paper by David Ehre, Etay Lavert, Meir Lahav, and Igor Lubomirsky [note: abstract online; payment required to read the full paper] of Israel's Weizmann Institute, who have figured out a way to freeze pure water by warming it up. The trick is that pure water has different freezing points depending on the electrical charge of the surface it resides on. They found out that a negatively charged surface causes water to freeze at a lower temperature than a positively charged surface. By putting water on the pyroelectric material Lithium Tantalate, which has a negative charge when cooler but a positive charge when warmer; water would remain a liquid down to -17 degrees C., and then freeze when the substrate and water were warmed up and the charge changed to positive, where water freezes at -7 degrees C."
-
Physicists Discover How To Teleport Energy
MikeChino writes "A physicist at Tohoku University in Japan has figured out how to teleport energy from one point in the universe to another. The technique is based upon prior research that shows it's possible to teleport information from one location to another, and involves making a measurement on each [of] an entangled pair of particles. The measurement on the first particle injects quantum energy into the system, and then by carefully choosing the measurement to do so on the second particle, it is possible to extract the original energy. Heady stuff, but essentially it means that you can inject energy at one point in the universe and extract it from somewhere else without changing the energy of the system as a whole."
-
PlayStation 3 Hack Released Online
itwbennett writes "On Friday, George Hotz, best known for cracking Apple's iPhone, said he had managed to hack the PlayStation 3 after five weeks of work with 'very simple hardware cleverly applied, and some not so simple software.' Days later, he has now released the exploit, saying in a blog post that he wanted to see what others could do with it. 'Hopefully, this will ignite the PS3 scene, and you will organize and figure out how to use this to do practical things, like the iPhone when jailbreaks were first released,' he wrote. 'I have a life to get back to and can't keep working on this all day and night.'" Reader MBCook points out an article written by Nate Lawson "explaining how the hack bypasses the hypervisor to gain unrestricted access to memory. It seems the trick is to use a pulse to glitch the hypervisor while it's unmapping memory, leaving a favorable page table entry."
-
Is Programming a Lucrative Profession?
itwbennett writes "A pamphlet distributed by blogger Cameron Laird's local high school proclaimed that 'Computer Science BS graduates can expect an annual salary from $54,000-$74,000. Starting salaries for MS and PhD graduates can be up to $100,000' and 'employment of computer scientists is expected to grow by 24 percent from 2010 to 2018.' The pamphlet lists The US Federal Bureau of Labor Statistics as a reference, so how wrong can it be? 'This is so wrong, I don't know where to start,' says Laird. 'There are a lot of ways to look at the figures, but only the most skewed ones come up with starting salaries approaching $60,000 annually, and I see plenty of programmers in the US working for less,' says Laird. At issue, though, isn't so much inaccurate salary information as what is happening to programming as a career: 'Professionalization of programmers nowadays strikes chords more like those familiar to auto mechanics or nurses than the knowledge workers we once thought we were,' writes Laird, 'we're expected to pay for our own tools, we're increasingly bound by legal entanglements, H1B accumulates degrading tales, and hyperspecialization dominates hiring decisions.'"
-
Supreme Court Rolls Back Corporate Campaign Spending Limits
lorenlal writes "The Supreme Court of the United States must have figured that restrictions on corporate support of candidates were a violation of free speech, or something like that." From the AP story linked above: "By a 5-4 vote, the court on Thursday overturned a 20-year-old ruling that said corporations can be prohibited from using money from their general treasuries to pay for campaign ads. The decision, which almost certainly will also allow labor unions to participate more freely in campaigns, threatens similar limits imposed by 24 states."
-
Why Firefox's Future Lies In Google's Hands
Barence writes "Firefox has just turned five, and it now accounts for 25% of the global market, according to figures from Net Applications. Its success has forced rivals to raise their game, and the past two years have seen Microsoft, Apple, and Opera close the features gap significantly. Google is the default homepage when Firefox first opens, and the default search engine when users type something into the 'awesome bar.' The deal, which runs until 2011, was worth $66 million to Mozilla in 2007, accounting for 88% of the foundation's revenues that year (the last year for which it had published accounts). But now that Google is a competitor as well as a partner, is it really wise for Mozilla to be so dependent on Google?"