

Backdoor Targeting Apache Servers Spreads To Nginx, Lighttpd

Posted by timothy
from the learning-to-attack-the-unpronounceable dept.
An anonymous reader writes "Last week's revelation of the existence of Linux/Cdorked.A, a highly advanced and stealthy Apache backdoor used to drive traffic from legitimate compromised sites to malicious websites carrying Blackhole exploit packs, was only the beginning — ESET's continuing investigation has now revealed that the backdoor also infects sites running the nginx and Lighttpd webservers. Researchers have, so far, detected more than 400 webservers infected with the backdoor, and 50 of them are among the world's most popular and visited websites." Here's the researchers' original report.
Data Storage

WD Explains Its Windows-Only Software-Based SSHD Tech

Posted by timothy
from the horse-before-the-cart dept.
crookedvulture writes "Seagate and Toshiba both offer hybrid hard drives that manage their built-in flash caches entirely in firmware. WD has taken a different approach with its Black SSHD, which instead uses driver software to govern its NAND cache. The driver works with the operating system to determine what to store in the flash. Unfortunately, it's Windows-only. You can choose between two drivers, though. WD has developed one of its own, and Intel will offer a separate driver attached to its upcoming Haswell platform. While WD remains tight-lipped on the speed of the Black's mechanical portion, it's confirmed that the flash is provided by a customized SanDisk iSSD embedded on the drive. The iSSD and mechanical drive connect to each other and to the host system through a Serial ATA bridge chip, making the SSHD look more like a highly integrated dual-drive solution than a single, standalone device. With Intel supporting this approach, the next generation of hybrid drives appears destined to be software-based."
Security

Resets All Passwords Following Security Breach

Posted by timothy
from the hope-the-email-went-to-the-right-place dept.
An anonymous reader writes "Internet registrar on Wednesday revealed it was hit by a security breach. The company sent an email to its customers informing them that their usernames, email addresses, passwords, and credit card account information "may have been accessed by unauthorized individuals.""

Ask Slashdot: What Would You Look For In a Prosthetic Hand?

Posted by Soulskill
from the swiss-army-fingers dept.
Arglebarf writes "A family member is recovering from a serious illness and, unfortunately, the medication that saved her life will probably cost her hands and feet. She is an artist by trade, so this is a pretty big deal. Replacement prostheses might restore a degree of independence, as well as enabling her to continue with her creative passions. Do any Slashdotters have experience with replacement hands? What features do you look for? Do any models allow you to tweak the software for fine tuning? Beyond the day-to-day uses, she will want something that can hold small objects precisely (e.g. a paintbrush)."
The Almighty Buck

Integer Overflow Bug Leads To Diablo III Gold Duping

Posted by Soulskill
from the many-foreheads-were-slapped dept.
Nerval's Lobster writes "Online economies come with their own issues. Case in point is the Auction House for Diablo III, a massively multiplayer game in which players can pay for items in either in-game gold or real-world dollars. Thanks to a bug in the game's latest patch, players could generate massive amounts of virtual gold with little effort, which threatened to throw the in-game economy seriously out of whack. Diablo series publisher Blizzard took corrective steps, but the bug has already attracted a fair share of buzz on gaming and tech-news forums. 'We're still in the process of auditing Auction House and gold trade transactions,' read Blizzard's note on the forums. 'We realize this is an inconvenience for many of our players, and we sincerely apologize for the interruption of the service. We hope to have everything back up as soon as possible.' Blizzard was unable to offer an ETA for when the Auction House would come back. 'We'll continue to provide updates in this thread as they become available.' Diablo's gold issue brings up (however tangentially) some broader issues with virtual currencies, namely the bugs and workarounds that can throw an entire micro-economy out of whack. But then again, 'real world' markets have their own software-related problems: witness Wall Street's periodic 'flash crashes' (caused, many believe, by the rise of ultra-high-speed computer trading)." It seems likely the gold duping was due to a simple integer overflow bug. A late change added to the patch allowed users to sell gold on the Real Money Auction House in stacks of 10 million rather than stacks of 1 million. On the RMAH, there exists both a cap ($250) and a floor ($0.25) for the value of auctions. With stacks of 1 million and a floor of $0.25, a seller could only enter 1 billion gold (1,000 stacks) while staying under the $250 cap. When the gold stack size increased, the value of gold dropped significantly. 
At $0.39 per 10 million, a user could enter values of up to 6.4 billion gold at a time. Unfortunately, the RMAH wasn't designed to handle gold numbers above 2^31, or 2,147,483,648 gold. Creating the auction wouldn't remove enough gold, but canceling it would return the full amount.
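The create/cancel asymmetry described above, as an added example that is not Blizzard's code: a toy model in which the escrow amount is squeezed into a signed 32-bit field while the refund path recomputes stacks times stack size in a wider type. The stack sizes, the 2^31 limit and the 640-stack figure come from the summary; the wallet, the balance check and the function names are assumptions made for the illustration.

```python
# Added example, not Blizzard's code: a toy model of the RMAH gold-escrow
# overflow.  Assumption: the escrow amount was held in a signed 32-bit field
# while the refund path computed stacks * stack_size in a wider type.

STACK_OLD = 1_000_000      # pre-patch stack size
STACK_NEW = 10_000_000     # post-patch stack size
INT32_MAX = 2**31 - 1


def to_int32(n: int) -> int:
    """Truncate n the way storing it in a C int32 would (two's-complement wrap)."""
    n &= 0xFFFFFFFF
    return n - 2**32 if n & 0x80000000 else n


class Wallet:
    def __init__(self, gold: int):
        self.gold = gold


def create_auction_vulnerable(wallet: Wallet, stacks: int, stack_size: int) -> dict:
    """Escrow the gold for a sell order, with the amount squeezed into int32."""
    escrowed = to_int32(stacks * stack_size)      # wraps once it passes 2^31 - 1
    if wallet.gold < escrowed:                     # a negative wrapped value passes trivially
        raise ValueError("insufficient gold")
    wallet.gold -= escrowed                        # too little (or negative) gold leaves the wallet
    return {"stacks": stacks, "stack_size": stack_size}


def create_auction_fixed(wallet: Wallet, stacks: int, stack_size: int) -> dict:
    """Same operation, but the amount is range-checked before it touches the 32-bit field."""
    amount = stacks * stack_size                   # Python ints do not wrap; in C compute this in int64
    if not 0 < amount <= INT32_MAX:
        raise ValueError("auction size exceeds the 32-bit gold field")
    if wallet.gold < amount:
        raise ValueError("insufficient gold")
    wallet.gold -= amount
    return {"stacks": stacks, "stack_size": stack_size}


def cancel_auction(wallet: Wallet, auction: dict) -> None:
    """The refund path recomputes the full amount, so it returns more than was escrowed."""
    wallet.gold += auction["stacks"] * auction["stack_size"]


def net_gain(start_gold: int, stacks: int, stack_size: int,
             create=create_auction_vulnerable) -> int:
    """Gold gained by one create/cancel cycle; 0 when nothing wraps."""
    w = Wallet(start_gold)
    cancel_auction(w, create(w, stacks, stack_size))
    return w.gold - start_gold


if __name__ == "__main__":
    # 1,000 stacks of 1M under the old rules: 10^9 < 2^31, no wrap, no gain.
    print(net_gain(3_000_000_000, 1000, STACK_OLD))
    # 640 stacks of 10M (about $250 at $0.39 each): 6.4e9 wraps, gain is exactly 2^32.
    print(net_gain(3_000_000_000, 640, STACK_NEW))
    # 300 stacks of 10M wraps negative, so the "deduction" adds gold before the refund.
    print(net_gain(1_000_000_000, 300, STACK_NEW))
```

Whatever the starting balance, a single cycle that wraps once nets exactly 2^32 gold, because the refund differs from the escrow by one modulus. The fixed variant rejects any order whose full-width amount does not fit the field instead of silently truncating it.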

Ubuntu Developing Its Own Package Format, Installer

Posted by Soulskill
from the anything-they-can-do-we-can-do-better dept.
An anonymous reader writes "While complementing Debian APT/DPKG, Canonical is now developing their own package format. The new package format has promised highlights of having no dependencies between applications, each package would install to its own directory, root support wouldn't always be required, and overall a more self-contained and easier approach for developers than it stands now for Debian/Ubuntu packages. The primary users of the new packaging system would be those distributing applications built on the Ubuntu Touch/Phone SDK. The initial proof-of-concept package management system is written in Python and uses JSON representation." This quote from the post by Canonical's Colin Watson bears repeating: "We'll continue to use dpkg and apt for building the Ubuntu operating system, syncing with Debian, and so on."

First Observations of Short-lived Pear-shaped Atomic Nuclei

Posted by Soulskill
from the sounds-delicious dept.
An anonymous reader sends this quote from a press release at CERN: "An international team at the ISOLDE radioactive-beam facility at CERN has shown that some atomic nuclei can assume asymmetric, 'pear' shapes (abstract). The observations contradict some existing nuclear theories and will require others to be amended. ... Most nuclei have the shape of a rugby ball. While state-of-the-art theories are able to predict this behaviour, the same theories have predicted that for some particular combinations of protons and neutrons, nuclei can also assume asymmetric shapes, like a pear. In this case there is more mass at one end of the nucleus than the other."

Sleep Deprivation Lowers School Achievement In Children

Posted by Soulskill
from the i-couldn't-agree-moZzzzzzzzzzzzzzzzzzz dept.
New submitter josedu writes: "Sleep deprivation is a great, hidden problem that afflicts a great percentage of children in affluent countries. About 73% of 9- and 10-year-old children in the U.S. are sleep deprived, as are 80% of 13- and 14-year-olds. The new study thinks this is linked to the increased access to devices such as mobile phones and laptops late at night. One of the researchers put it very simply: 'Our data show that across countries internationally, on average, children who have more sleep achieve higher in maths, science and reading.' This disruption is also causing schools to dumb-down their instruction to accommodate the reduced capacity of these kids. Thus, even the kids who are getting enough sleep will suffer. The long-term impact of sleep deprivation on nationwide education levels is enormous."

Honeywords: Honeypot Passwords

Posted by Soulskill
from the oh-bother dept.
CowboyRobot writes "Businesses should seed their password databases with fake passwords and then monitor all login attempts for use of those credentials to detect if hackers have stolen stored user information. That's the thinking behind the 'honeywords' concept first proposed this month in 'Honeywords: Making Password-Cracking Detectable (PDF),' a paper written by Ari Juels, chief scientist at security firm RSA, and MIT professor Ronald L. Rivest (the 'R' in 'RSA'). Honeywords aren't meant to serve as a replacement for good password security practices. But as numerous breaches continue to demonstrate, regardless of the security that businesses have put in place, they often fail to detect when users' passwords have been compromised."
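The mechanism described above, as an added example rather than code from the Juels-Rivest paper or from RSA: each user's password file entry holds several hashed "sweetwords" (the real password plus decoys), a separate honeychecker holds only the index of the real one, and a login that matches a decoy raises an alarm. The decoy generator (tweaking the last three characters), the PBKDF2 parameters, the class names and the constructed user/password are assumptions made for the illustration.

```python
# Added example, not code from the Juels-Rivest paper or from RSA: a minimal
# honeyword login check.  Assumptions: decoys are made by tweaking the last
# three characters of the real password, and the index of the real password
# lives on a separate HoneyChecker so a stolen password file alone does not
# reveal which entry is genuine.
import hashlib
import hmac
import os
import random
import string

PBKDF2_ITERATIONS = 50_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_decoy(password: str, rng: random.Random) -> str:
    """Swap each of the last three characters for another of the same class."""
    chars = list(password)
    for i in range(max(0, len(chars) - 3), len(chars)):
        c = chars[i]
        if c.isdigit():
            chars[i] = rng.choice(string.digits)
        elif c.isalpha():
            chars[i] = rng.choice(string.ascii_lowercase if c.islower() else string.ascii_uppercase)
        else:
            chars[i] = rng.choice("!@#$%^&*?")
    return "".join(chars)


def make_sweetwords(password: str, k: int, rng: random.Random) -> list:
    """k distinct candidates: the real password plus k-1 decoys, in random order."""
    words = {password}
    while len(words) < k:
        words.add(make_decoy(password, rng))
    words = sorted(words)          # set order is not reproducible; sort, then shuffle with rng
    rng.shuffle(words)
    return words


class HoneyChecker:
    """Separate, hardened service: stores only which index is the real password."""
    def __init__(self):
        self._real_index = {}

    def set_index(self, user: str, index: int) -> None:
        self._real_index[user] = index

    def is_real(self, user: str, index: int) -> bool:
        return self._real_index.get(user) == index


class AuthServer:
    """Holds the password file (salt + k hashes per user); never learns which one is real."""
    def __init__(self, checker: HoneyChecker, k: int = 5, rng: random.Random = None):
        self.checker = checker
        self.k = k
        self.rng = rng or random.SystemRandom()
        self.password_file = {}
        self.alerts = []

    def register(self, user: str, password: str) -> list:
        words = make_sweetwords(password, self.k, self.rng)
        salt = os.urandom(16)
        self.password_file[user] = (salt, [hash_password(w, salt) for w in words])
        self.checker.set_index(user, words.index(password))
        return words            # returned only so the demo can play the attacker

    def login(self, user: str, password: str) -> str:
        """'ok', 'fail', or 'honeyword' (a decoy was used: the password file is likely stolen)."""
        if user not in self.password_file:
            return "fail"
        salt, hashes = self.password_file[user]
        candidate = hash_password(password, salt)
        matches = [i for i, h in enumerate(hashes) if hmac.compare_digest(h, candidate)]
        if not matches:
            return "fail"
        if self.checker.is_real(user, matches[0]):
            return "ok"
        self.alerts.append(user)
        return "honeyword"


def simulate(seed: int = 7) -> dict:
    """Constructed scenario: the user logs in normally, then an attacker who cracked
    the stolen file tries one of the sweetwords that is not the real password."""
    rng = random.Random(seed)
    server = AuthServer(HoneyChecker(), k=5, rng=rng)
    words = server.register("alice", "hunter42")
    decoy = next(w for w in words if w != "hunter42")
    return {
        "sweetwords": len(words),
        "real": server.login("alice", "hunter42"),
        "wrong": server.login("alice", "not-even-close"),
        "decoy": server.login("alice", decoy),
        "unknown_user": server.login("bob", "hunter42"),
        "alerts": list(server.alerts),
    }


if __name__ == "__main__":
    print(simulate())
```

The point of the split is that an attacker who cracks every hash in the stolen file still faces a 1-in-k guess per account, and a wrong guess is the detection signal; the honeychecker therefore has to sit on a different host with a different trust boundary, and the "honeyword" outcome should page someone rather than just count as a failed login.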
The Military

USAF Strips 17 Officers of Nuclear Launch Authority

Posted by Soulskill
from the push-button-bad-guys-go-boom dept.
Freshly Exhumed writes "In an unprecedented action, a United States Air Force commander has stripped 17 of his officers of their authority to control and launch nuclear missiles. After a string of failings that the group's deputy commander said stemmed from 'rot' within the ranks, the suspensions followed a March inspection of the 91st Missile Wing at Minot Air Force Base, North Dakota, that resulted in a 'D' grade for the team tested on its mastery of the Minuteman III missile launch operations system. The 17 are being assigned to intensive retraining courses of 60 to 90 days, according to Lt. Col. John Dorrian, an Air Force spokesman."

US DOJ Say They Don't Need Warrants For E-Mail, Chats

Posted by Soulskill
from the you-can-trust-us dept.
gannebraemorr writes "The U.S. Department of Justice and the FBI believe they don't need a search warrant to review Americans' e-mails, Facebook chats, Twitter direct messages, and other private files, internal documents reveal. Government documents obtained by the American Civil Liberties Union and provided to CNET show a split over electronic privacy rights within the Obama administration, with Justice Department prosecutors and investigators privately insisting they're not legally required to obtain search warrants for e-mail."

Meet the Sehome Seamonsters FRC (First Robotics Competition) Team 2605 (Video)

Posted by Roblimo
from the slide-to-the-left-slide-to-the-right-forward-backwards-fight-robot-fight dept.
We've seen FIRST robotics competitions on Slashdot before. But Kraken-themed FIRST robots? And a good look at what goes into making a competitive robot? For that, Timothy went to Sehome High School in Bellingham, Washington, where members of their Seamonsters robotics team (AKA FIRST Robotics Competition team # 2605; it's a team number, not a date) gave him a good look at their robot's guts, along with showing him how it's controlled and how they organize the 25+ people who work to build and run their robot(s). If you're thinking about joining or starting a FIRST team, this video is essential viewing for you. It's also essential if you just like the idea of robots competing with each other at pyramid-climbing and Frisbee-style disc-throwing. Go, bots, go! Update: 05/08 22:16 GMT by T : Correction: I didn't go to the high school — much simpler, I met the robot creators (and their disk-chucking robot) at LinuxFest Northwest, where they had an impressive demo room set up.

China's Allwinner Outsold Intel, Qualcomm In Tablet Processors In 2012

Posted by Unknown Lamer
from the allwinner-takes-all dept.
An anonymous reader writes "ARM licensee Allwinner sold more application processors for tablet computers in 2012 than Intel and Qualcomm put together, according to this EE Times article that references market researcher Strategy Analytics. Overall one in five tablet processors was provided by a Chinese vendor in 2012, according to the article, partly because they sell chips at half the price of similarly specified chips from better known vendors."

Mars One Has 78,000 Applicants

Posted by Unknown Lamer
from the send-me-to-space dept.
An anonymous reader writes "Mars One reports that 78,000 people have volunteered for a one-way ticket to Mars. A quick calculation shows that this means people lined up coast-to-coast in a line with only 40cm per person! (As Robert Zubrin already predicted). If you want, you can still go and sign up (or sign up your worst enemy). Or you can just look at some videos of the would-be travelers."

Help the OED Find a Lost Book

Posted by Unknown Lamer
from the doesn't-everyone-have-that-book dept.
New submitter imlepid writes "The Oxford English Dictionary is currently undergoing a complete overhaul which includes a reexamination of the 300,000+ entries and citations for those entries. Understandably for a work which is over 150 years old, some of the sources have become hard to find. One such example is a book titled 'Meanderings of Memory' by Nightlark, which is cited 49 times in the OED, including for some rare words. The OED's editorial team has appealed to the public, 'Have you seen a copy of this book?'"

Former Demonoid Members Receive Email Claiming Resurrection, Get Malware Instead

Posted by Unknown Lamer
from the probably-riaa-conspiracy dept.
New submitter giveen1 writes "I received this email as a former user. I tried to go to the website and link is dead. ... 'Dear Demonoid Community Member, We have all read the same news stories: The Demonoid servers shut down and seized in the Ukraine. The Demonoid admin team detained in Mexico. The domain snatched and put up for sale. The Demonoid trackers back online in Hong Kong, but then disappearing. ... Now for some good news: The heart and soul of Demonoid lives on! Through an amazing sequence of unlikely events, the data on those Ukrainian servers has made its way into the safe hands of members of our community and has now been re-launched as'" But it turns out that the site was distributing malware, hosted on an American VPS, and quickly shut down after the provider discovered this. No word yet on how the Demonoid user database was acquired, but if you did make the mistake of trying to log in Torrent Freak warns: "New information just in suggests that if you logged into the fake Demonoid and used the same user/password combo on any other site (torrent, email, Steam, PayPal) you should change them immediately."

Coursera Partners With Chegg To Offer Gratis, DRMed Textbooks for Courses

Posted by Unknown Lamer
from the first-hit-free dept.
An anonymous reader writes with news on Coursera partnering with publishers to give students access to more textbooks. From the article: "Online learning startup Coursera on Wednesday announced a partnership with Chegg, a student hub for various educational tools and materials, as well as five publishers to offer students free textbooks during their courses. Professors teaching courses on Coursera have previously only been able to assign content freely available on the Web, but as of today they will also be able to provide an even wider variety of curated teaching and learning materials at no cost to the student." Zero cost, but not without cost: "Starting today, publishers Cengage Learning, Macmillan Higher Education, Oxford University Press, SAGE, and Wiley will experiment with offering versions of their e-textbooks, delivered via Chegg's DRM-protected e-Reader, to Coursera students. We are also actively discussing pilot agreements and related alliances with Springer and other publishers. ... The publisher content will be free and available for enrolled students for the duration of the class. If you wish to use the e-textbook before or after the course, they will be available for purchase."

Cylance Hacks Google Office Building Management System

Posted by Unknown Lamer
from the ghost-in-the-machine dept.
Gunkerty Jeb writes "Industrial control minded researchers from the security firm Cylance launched a custom exploit against a building management system deployed at Google's Sydney, Australia office, gaining access to a configuration file containing device administration passwords that could be used to gain complete control of the device in question. This vulnerability in Tridium's Niagara framework affects an unknown number of organizations aside from Google. In fact, Tridium claims on its website that 'there are over 245,000 instances of the Niagara Framework deployed worldwide.' Cylance said its scans revealed some 25,000 similarly vulnerable systems facing the Internet."

India Rolls Out Central Monitoring System To Snoop On All Communications

Posted by Unknown Lamer
from the electric-eye dept.
hypnosec tipped us to news that India is rolling out a new intrusive monitoring system, using the authority of a 2000 telecom law. Quoting The Times of India: "However, Pavan Duggal, a Supreme Court advocate specialising in cyberlaw, said the government has given itself unprecedented powers to monitor private Internet records of citizens. 'This system is capable of abuse,' he said. The Central Monitoring System, being set up by the Centre for Development of Telematics, plugs into telecom gear and gives central and state investigative agencies a single point of access to call records, text messages, and emails as well as the geographical location of individuals." Privacy advocates are worried about abuse, partially because India has no effective privacy legislation, and the "...Indian government under PM Manmohan Singh has taken an increasingly uncompromising stance when it comes to online freedoms, with the stated aim usually to preserve social order and national security or fight 'harmful' defamation."
Open Source

OpenStreetMap Launches a New Easy To Use HTML5 Editor

Posted by Unknown Lamer
from the map-freely-and-now-conveniently dept.
SWroclawski writes "On the heels of the news that OpenStreetMap is allowing anonymous contributions with its 'note system,' the project has launched a new in-browser editor called iD, which is not only easier to use, but written completely in JavaScript, using the D3 library for rendering. With all these improvements, OpenStreetMap is gaining popularity and has started a new donation campaign for additional hardware to support all the new contributors." This replaces a flash based editor (really great news!). The code is, naturally, available (under the WTFPL).
The Military

Are Some of North Korea's Long-Range Missiles Fakes?

Posted by Soulskill
from the it's-a-faaaaaake! dept.
gbrumfiel writes "North Korea has not been shy in announcing plans to destroy the United States, but questions remain over whether it has the nukes or the missiles to do so. Now NPR reports on open-source intelligence showing that one of the North's most 'advanced' weapons might actually be a decoy. Six KN-08 missiles were paraded last year, but each showed differences in the way they were assembled. Is it all a bluff? Or are the missiles part of a real program?"

Dissecting RSA's 'Watering Hole' Traffic Snippet

Posted by Soulskill
from the you-can-tell-by-the-bits dept.
rye writes "Even the tiniest snippets of network traffic reveal a lot — not just about viruses and botnets, but also about the malware research lab setup inside corporations like RSA. Watch as Sherri Davidoff of LMG Security tears apart a teeny tiny snippet of gh0st RAT traffic released by RSA during their investigation of the VOHO 'watering hole' attack. Quoting: 'From just a few bits and bytes, we've learned that RSA's investigator was probably using Windows XP on a VMWare guest, which was assigned the IP address The local router had a network card likely manufactured by 2Wire. We've also seen firsthand that the C2 channel traffic, which was masquerading as "HTTPS," was running over port 80, and confirmed the gh0st RAT's destination.'"
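The "HTTPS on port 80" observation above is the general lesson that neither the port nor an analyser's protocol label says what is actually in a flow. As an added example that is not LMG Security's or RSA's tooling, the block below classifies the first payload bytes of a flow by content (TLS record header, HTTP request line, or the gh0st RAT frame layout) and flags flows whose content does not match what the port suggests. The gh0st framing check uses the widely published signature for the classic gh0st protocol (5-byte "Gh0st" magic, two little-endian 32-bit lengths, zlib-compressed body), which the page itself does not describe; the sample flows are constructed for this example, not taken from the RSA capture.

```python
# Added example, not LMG Security's or RSA's tooling: classify the first bytes
# of a flow instead of trusting the port or an analyser's "HTTPS" label.  The
# gh0st framing check uses the widely published signature (5-byte "Gh0st" magic,
# two little-endian 32-bit lengths, zlib body); the sample payloads below are
# constructed for this example, not taken from the RSA capture.
import struct
import zlib


def is_tls_record(payload: bytes) -> bool:
    """Handshake record: content type 0x16, version 3.x, plausible record length."""
    if len(payload) < 5:
        return False
    ctype, major, minor = payload[0], payload[1], payload[2]
    length = int.from_bytes(payload[3:5], "big")
    return ctype == 0x16 and major == 3 and minor <= 4 and 0 < length <= 16384 + 2048


def is_gh0st_frame(payload: bytes) -> bool:
    """'Gh0st' + total frame length + uncompressed length, then a zlib stream."""
    if len(payload) < 13 or payload[:5] != b"Gh0st":
        return False
    total, raw_len = struct.unpack("<II", payload[5:13])
    if total != len(payload):
        return False
    try:
        return len(zlib.decompress(payload[13:])) == raw_len
    except zlib.error:
        return False


HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS")


def classify(payload: bytes) -> str:
    if is_gh0st_frame(payload):
        return "gh0st-c2"
    if is_tls_record(payload):
        return "tls"
    if payload.split(b" ", 1)[0] in HTTP_METHODS:
        return "http"
    return "unknown"


# What the port alone would lead you to expect (assumption for this example).
EXPECTED_ON_PORT = {80: "http", 443: "tls"}


def analyze(flows) -> list:
    """flows: iterable of (dst_port, first_payload_bytes).  Flags port/content mismatches."""
    out = []
    for port, payload in flows:
        label = classify(payload)
        expected = EXPECTED_ON_PORT.get(port)
        out.append({"port": port, "label": label,
                    "mismatch": expected is not None and label != expected})
    return out


def gh0st_frame(plaintext: bytes) -> bytes:
    """Build a frame in the documented layout (used only to construct a sample)."""
    body = zlib.compress(plaintext)
    return b"Gh0st" + struct.pack("<II", 13 + len(body), len(plaintext)) + body


# Constructed samples: a ClientHello-style record header on 443, an HTTP request
# on 80, a gh0st beacon on 80 (the mismatch the article describes), and junk on 443.
SAMPLE_FLOWS = [
    (443, b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"),
    (80, b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
    (80, gh0st_frame(b"\x65" + b"\x00" * 8)),
    (443, b"\xde\xad\xbe\xef\x00\x00"),
]

if __name__ == "__main__":
    for row in analyze(SAMPLE_FLOWS):
        print(row)
```

Run over a real capture, the same idea applies per flow to the first data segment after the TCP handshake; anything on 443 that does not begin with a TLS record, or anything on 80 that is not an HTTP request line, deserves a look regardless of what a protocol dissector guessed.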

German Court Rejects Apple's Privacy Policy

Posted by Soulskill
from the privacy-policies-need-more-than-one-button dept.
redletterdave writes "A German court rejected eight out of 15 provisions in Apple's general privacy policy and terms of data use on Tuesday, claiming that the practices of the Cupertino, Calif. company deviate too much from German laws (Google translation of German original). According to German law, recognized consumer groups can sue companies over illegal terms and conditions. Apple asks for 'global consent' to use customer data on its website, but German law insists that clients know specific details about what their data will be used for and why."
The Courts

Feds Drop CFAA Charges Against 'Hacker' Who Exploited Poker Machines

Posted by Soulskill
from the judge-who-know-what's-up dept.
FuzzNugget writes "According to Wired, the two CFAA charges that were laid against the man who exploited a software bug on a video poker machine have been officially dismissed. Says Wired: '[U.S. District Judge Miranda] Du had asked prosecutors to defend their use of the federal anti-hacking law by Wednesday, in light of a recent 9th Circuit ruling that reined in the scope of the CFAA. The dismissal leaves John Kane, 54, and Andre Nestor, 41, facing a single remaining charge of conspiracy to commit wire fraud.' Kane's lawyer agreed, stating, 'The case never should have been filed under the CFAA, it should have been just a straight wire fraud case. And I'm not sure it's even a wire fraud. I guess we'll find out when we go to trial.'"
