Security

Account Registrations Enable 'Password Reset Man In The Middle' Attacks (helpnetsecurity.com) 35

"Attackers that have set up a malicious site can use users' account registration process to successfully perform a password reset process on a number of popular websites and messaging mobile applications, researchers have demonstrated." Orome1 quotes Help Net Security: The Password Reset Man in the Middle attack exploits the similarity of the registration and password reset processes. To launch such an attack, the attacker only needs to control a website. To entice victims to make an account on the malicious website, the attacker can offer free access to a wanted resource. Once the user initiates the account registration process by entering their email address, the attacker can use that information to initiate a password reset process on another website that uses that piece of information as the username (e.g. Google, YouTube, Amazon, Twitter, LinkedIn, PayPal, and so on). Every request for input from that site is forwarded to the potential victim, and then his or her answers forwarded back to that particular site.
Interestingly, it can also beat two-factor authentication -- since the targeted user will still input the phone code into the man-in-the-middle site.
EU

Germany Cracks Down On Illegal Speech On Social Media. (smh.com.au) 197

ArmoredDragon writes: German police have raided 36 homes of people accused of using illegal speech on Facebook and Twitter. Much of it was aimed at political speech. According to the article, "Most of the raids concerned politically motivated right-wing incitement, according to the Federal Criminal Police Office, whose officers conducted home searches and interrogations. But the raids also targeted two people accused of left-wing extremist content, as well as one person accused of making threats or harassment based on someone's sexual orientation."

This comes just as a new law is being debated that can fine social media platforms $53 million for not removing 70% of illegal speech (including political, defamatory, and hateful speech) within 24 hours of it being posted, which Facebook argues will make it obligatory for them to delete posts and ban users for speech that isn't clearly illegal.

Open Source

Linus Explains What Surprises Him After 25 Years Of Linux (linux.com) 87

Linus Torvalds appeared in a new "fireside chat" with VMware Head of Open Source Dirk Hohndel. An anonymous reader writes: Linus explained what still surprises him about Linux development. "Code that I thought was stable continually gets improved. There are things we haven't touched for many years, then someone comes along and improves them or makes bug reports in something I thought no one used. We have new hardware, new features that are developed, but after 25 years, we still have old, very basic things that people care about and still improve... Our processes have not only worked for 25 years, we still have a very strong maintainer group... And as these maintainers get older and fatter, we have new people coming in."

Linus also says he's surprised by the widespread popularity of Git. "I expected it to be limited mostly to the kernel -- as it's tailored to what we do... In certain circles, Git is more well known than Linux." And he also shares advice if you want to get started as an open source developer. "I'm not sure my example is the right thing for people to follow. There are a ton of open source projects and, if you are a beginning programmer, find something you're interested in that you can follow for more than just a few weeks... If you can be part of a community and set up patches, it's not just about the coding, but about the social aspect of open source. You make connections and improve yourself as a programmer."

Linus also says that "I really like what I'm doing. I like waking up and having a job that is technically interesting and challenging without being too stressful so I can do it for long stretches; something where I feel I am making a real difference and doing something meaningful not just for me."
Privacy

State Legislators Want Surveillance Cameras To Catch Uninsured Drivers (arstechnica.com) 173

An anonymous reader quotes Ars Technica: A Rhode Island legislative committee has approved a bill that would greatly expand the surveillance state through the deployment of license plate readers. For the first time in the US, these devices would be attached along Rhode Island highways and roads for the stated purpose of catching uninsured motorists from any state... The legislation spells out that the contractor for the project would get 50 percent of the fines paid by uninsured motorists ensnared under the program. The state and the contractor would each earn an estimated $15 million annually. Fines are as high as $120.

Many police departments nationwide are using surveillance cameras tacked onto traffic poles and police vehicles to catch traffic violators and criminal suspects. The proceeds from traffic fines usually are divvied up with contractors. But according to the Rhode Island lawmaker sponsoring this legislation, it's time to put surveillance cameras to a new purpose -- fining uninsured motorists.

Hardware

Survey Says: Raspberry Pi Still Rules, But X86 SBCs Have Made Gains (linuxgizmos.com) 53

DeviceGuru writes: Results from LinuxGizmos.com's annual hacker-friendly single board computer survey are in, and not surprisingly, the Raspberry Pi 3 is the most desired maker SBC by a 4-to-1 margin. In other trends: x86 SBCs and Linux/Arduino hybrids have trended upwards. The site's popular hacker SBC survey polled 1,705 survey respondents and asked for their first, second, and third favorite SBCs from a curated list of 98 community oriented, Linux- and Android-capable boards. Spreadsheets comparing all 98 SBCs' specs and listing their survey vote tallies are available in freely downloadable Google Docs.
Other interesting findings:
  • "A Raspberry Pi SBC has won in all four of our annual surveys, but never by such a high margin."
  • The second-highest ranked board -- behind the Raspberry Pi 3 -- was the Raspberry Pi Zero W.
  • "The Raspberry Pi's success came despite the fact that it offers some of the weakest open source hardware support in terms of open specifications. This, however, matches up with our survey responses about buying criteria, which ranks open source software support and community over open hardware support."
  • "Despite the accelerating Raspberry Pi juggernaut, there's still plenty of experimentation going on with new board models, and to a lesser extent, new board projects."

Cloud

Should Your Company Switch To Microservices? (cio.com) 76

Walmart Canada claims that it was microservices that allowed them to replace hardware with virtual servers, reducing costs by somewhere between 20 and 50 percent. Now Slashdot reader snydeq shares an article by a senior systems automation engineer arguing that a microservices approach "offers increased modularity, making applications easier to develop, test, deploy, and, more importantly, change and maintain."

The article touts things like cost savings and flexibility for multiple device types, suggesting microservices offer increased resilience and improved scalabiity (not to mention easier debugging and a faster time to market with an incremental development model). But it also warns that organizations need the resources to deploy the new microservices quicky (and the necessary server) -- along with the ability to test and monitor them for database errors, network latency, caching issues and ongoing availability. "You must embrace devops culture," argues the article, adding that "designing for failure is essential... In a traditional setting, developers are focused on features and functionalities, and the operations team is on the hook for production challenges. In devops, everyone is responsible for service provisioning -- and failure."

The original submission ends with a question for Slashdot reader. "What cautions do you have to offer for folks considering tapping microservices for their next application?"
Bug

Researcher Finds Critical OpenVPN Bug Using Fuzzing (zdnet.com) 44

"Guido Vranken recently published 4 security vulnerabilities in OpenVPN on his personal blog," writes long-time Slashdot reader randomErr -- one of which was a critical remote execution bug. Though patches have been now released, there's a lesson to be learned about the importance of fuzzing -- bug testing with large amounts of random data -- Guido Vranken writes: Most of these issues were found through fuzzing. I hate admitting it, but...the arcane art of reviewing code manually, acquired through grueling practice, are dwarfed by the fuzzer in one fell swoop; the mortal's mind can only retain and comprehend so much information at a time, and for programs that perform long cycles of complex, deeply nested operations it is simply not feasible to expect a human to perform an encompassing and reliable verification.
ZDNet adds that "OpenVPN's audits, carried out over the past two years, missed these major flaws. While a handful of other bugs are found, perhaps OpenVPN should consider adding fuzzing to their internal security analysis in the future."

Guido adds on his blog, "This was a labor of love. Nobody paid me to do this. If you appreciate this effort, please donate BTC..."
United Kingdom

UK Parliament Emails Closed After 'Sustained And Determined' Cyber-Attack (theguardian.com) 40

An anonymous reader quotes the Guardian: Parliament has been hit by a "sustained and determined" cyber-attack by hackers attempting to gain access to MPs' and their staffers' email accounts. Both houses of parliament were targeted on Friday in an attack that sought to gain access to accounts protected by weak passwords... The estate's digital services team said they had made changes to accounts to block out the hackers, and that the changes could mean staff were unable to access their emails...

The international trade secretary, Liam Fox, told ITV News the attack was a "warning to everyone we need more security and better passwords. You wouldn't leave your door open at night." In an interview with the BBC, he added: "We know that there are regular attacks by hackers attempting to get passwords. We have seen reports in the last few days of even Cabinet ministers' passwords being for sale online. We know that our public services are attacked, so it is not at all surprising that there should be an attempt to hack into parliamentary emails."

One member of Parliament posted on Twitter "Sorry, no parliamentary email access today â" we're under cyber-attack from Kim Jong-un, Putin or a kid in his mom's basement or something." He added later, "I'm off to the pub."
Open Source

'Stack Clash' Linux Flaw Enables Root Access. Patch Now (threatpost.com) 108

msm1267 writes: Linux, BSD, Solaris and other open source systems are vulnerable to a local privilege escalation vulnerability known as Stack Clash that allows an attacker to execute code at root. Major Linux and open source distributors made patches available Monday, and systems running Linux, OpenBSD, NetBSD, FreeBSD or Solaris on i386 or amd64 hardware should be updated soon.

The risk presented by this flaw, CVE-2017-1000364, becomes elevated especially if attackers are already present on a vulnerable system. They would now be able to chain this vulnerability with other critical issues, including the recently addressed Sudo vulnerability, and then run arbitrary code with the highest privileges, said researchers at Qualys who discovered the vulnerability.

Books

Former Slashdot Contributor Jon Katz Believes He Can Talk To Animals (amazon.com) 158

Long-time Slashdot reader destinyland got a surprise when he visited his local bookstore: Jon Katz turns 70 this August, and he's published a new book called Talking to Animals: How You Can Understand Animals and They Can Understand You. Katz was a former newspaper reporter (and a contributing editor to Rolling Stone) who wrote for HotWired, the first online presence for Wired magazine in the mid-1990s, before becoming a controversial contributor to Slashdot during the site's early days. Katz left Manhattan in the 1990s to live on a farm "surrounded by dogs, cats, sheep, horses, cows, goats, and chickens," according to the book's description, an experience he writes about on his blog. His new book promises that Katz now "marshals his experience to offer us a deeper insight into animals and the tools needed for effectively communicating with them."
Stats

Phoronix Announces '2017 Linux Laptop Survey' (google.com) 56

Phoronix is hosting a 2017 Linux Laptop Survey. From their site: While Linux laptop compatibility is much better than where it was years ago, it's still not too uncommon to run into display/hybrid issues, shorter battery life under Linux than Windows or macOS, touchpad problems, and other occasional compatibility/performance shortcomings. So we've established this Linux Laptop Survey in conjunction with Linux stakeholders to hopefully gather more feedback that will be useful to many different parties...
The survey will be online until July 6th, after which the results will be publicly available, and will determine the most popular brands, distros, screen sizes, and GPUs, as well as common pain points and popular price points. And one particularly interestng question asks respondents what they'd like to see in a "dream Linux laptop."
The Almighty Buck

The People GoFundMe Leaves Behind (theoutline.com) 211

citadrianne shares a report from The Outline: President Donald Trump's proposed budget seeks to slash $54 billion from social services including programs like Medicaid and Meals on Wheels. As these resources dry up, crowdfunding websites will further entrench themselves as extra-governmental welfare providers in order to fill the gap. For a lucky few, these sites are a lifeline. For most people, they are worthless. Crowdfunding's fatal flaw is that not every campaign ends up getting the money it needs. A recent study published in the journal Social Science & Medicine found that more than 90 percent of GoFundMe campaigns never meet their goal. For every crowdfunding success story, there are hundreds of failures. "As many happy stories as there are in charitable crowdfunding, there are a lot of really worthy causes when you browse these platforms that nobody has given a cent to," Rob Gleasure, professor at the business school of the National University of Ireland, Cork told The Outline. "People haven't come across them." Feller and Gleasure's report highlighted how fickle crowdfunding can be. Of all the Razoo campaigns started in 2013, they found, more than a third didn't receive any funding at all. According to their report, donors are more likely to give to campaigns that feature lots of pictures and accompanying text.
Piracy

Sci-Hub Ordered To Pay $15 Million In Piracy Damages (torrentfreak.com) 150

An anonymous reader quotes a report from TorrentFreak: Two years ago, academic publisher Elsevier filed a complaint (PDF) against Sci-Hub and several related "pirate" sites. It accused the websites of making academic papers widely available to the public, without permission. While Sci-Hub is nothing like the average pirate site, it is just as illegal according to Elsevier's legal team, who obtained a preliminary injunction from a New York District Court last fall. The injunction ordered Sci-Hub's founder Alexandra Elbakyan to quit offering access to any Elsevier content. However, this didn't happen. Instead of taking Sci-Hub down, the lawsuit achieved the opposite. Sci-Hub grew bigger and bigger up to a point where its users were downloading hundreds of thousands of papers per day. Although Elbakyan sent a letter to the court earlier, she opted not engage in the U.S. lawsuit any further. The same is true for her fellow defendants, associated with Libgen. As a result, Elsevier asked the court for a default judgment and a permanent injunction which were issued this week. Following a hearing on Wednesday, the Court awarded Elsevier $15,000,000 in damages, the maximum statutory amount for the 100 copyrighted works that were listed in the complaint. In addition, the injunction, through which Sci-Hub and LibGen lost several domain names, was made permanent.
Space

FCC Grants OneWeb Approval To Launch Over 700 Satellites For 'Space Internet' (theverge.com) 85

OneWeb has been granted approval from the FCC to launch a network of internet-beaming satellites into orbit. FCC chairman Ajit Pai said in a statement: "Humans have long sought inspiration from the stars, from the ancient Egyptians orienting the pyramids toward certain stars to the Greeks using constellations to write their mythology. In modern times, we've done the same, with over 1,000 active satellites currently in orbit. Today, the FCC harnesses that inspiration as we seek to make the promise of high-speed internet access a reality for more Americans, partly through the skies..." The Verge reports: OneWeb plans to launch a constellation of 720 low-Earth orbit satellites using non-geostationary satellite orbit (NGSO) technology in order to provide global, high-speed broadband. The company's goal has far-reaching implications, and would provide internet to rural and hard-to-reach areas that currently have little access to internet connectivity. Additionally, OneWeb has a targets of "connecting every unconnected school" by 2022, and "bridging the digital divide" by 2027. According to OneWeb, the company plans to launch an initial 10 production satellites in early 2018, which, pending tests, will then be followed by a full launch as early as 2019.
Government

Obama Authorized a Secret Cyber Operation Against Russia, Says Report (engadget.com) 206

Jessica Conditt reports via Engadget: President Barack Obama learned of Russia's attempts to hack U.S. election systems in early August 2016, and as intelligence mounted over the following months, the White House deployed secrecy protocols it hadn't used since the 2011 raid on Osama bin Laden's compound, according to a report by The Washington Post. Apparently, one of the covert programs Obama, the CIA, NSA and other intelligence groups eventually put together was a new kind of cyber operation that places remotely triggered "implants" in critical Russian networks, ready for the U.S. to deploy in the event of a pre-emptive attack. The downed Russian networks "would cause them pain and discomfort," a former U.S. official told The Post. The report says CIA director John Brennan, Obama and other officials had at least four "blunt" conversations with Russian officials about its cyber intrusions beginning August 4th. Obama confronted Vladimir Putin in person during a meeting of world leaders in China this past September, the report says, and his administration even sent Russia a warning through a secure channel originally designed to help the two countries avoid a nuclear strike. Moscow apparently responded one week later -- after the U.S. election -- denying the accusation.

Slashdot Top Deals