Submission + - How Does One Verify Hard Drive Firmware?

An anonymous reader writes: In light of recent revelations from Kaspersky Labs about the Equation Group and persistent hard drive malware, I was curious about how easy it might be to verify my own system's drives to see if they were infected. I have no real reason to think they would be, but I was dismayed by the total lack of tools to independently verify such a thing. For instance, Seagate's firmware download pages provide files with no external hash, something Linux distributions do for all of their packages. Neither do they seem to provide a utility to read off the current firmware from a drive and verify its integrity.

Are there any utilities to do such a thing? Why don't these companies provide such a thing to users? Has anyone compiled and posted a public list of known-good firmware hashes for the major hard drive vendors and models? This seems to be a critical hole in PC security.

I did contact Seagate support asking for hashes of their latest firmware; I got a response stating that "...If you download the firmware directly from our website there is no risk on the file be tampered with." [their phrasing, not mine] Methinks somebody hasn't been keeping up with world events lately.
Security

Blu-Ray Players Hackable Via Malicious Discs

An anonymous reader writes: Some Blu-Ray disc interactive features use a Java variant for UIs and applications. Stephen Tomkinson just posted a blog discussing how specially created Blu-Ray discs can be used to hack various players using exploits related to their Java usage. He hacked one Linux-based, network-connected player to get root access through vulnerabilities introduced by the vendor. He did the same thing against Windows Blu-Ray player software. Tomkinson was then able to combine both, along with detection techniques, into a single disc.
Privacy

NSA Spying Wins Another Rubber Stamp

schwit1 sends this report from the National Journal: A federal court has again renewed an order allowing the National Security Agency to continue its bulk collection of Americans' phone records, a decision that comes more than a year after President Obama pledged to end the controversial program. The Foreign Intelligence Surveillance Court approved this week a government request to keep the NSA's mass surveillance of U.S. phone metadata operating until June 1, coinciding with when the legal authority for the program is set to expire in Congress. The extension is the fifth of its kind since Obama said he would effectively end the Snowden-exposed program as it currently exists during a major policy speech in January 2014. Obama and senior administration officials have repeatedly insisted that they will not act alone to end the program without Congress.

Submission + - A step closer to explaining high-temperature superconductivity? (sciencemag.org)

sciencehabit writes: For years some physicists have been hoping to crack the mystery of high-temperature superconductivity—the ability of some complex materials to carry electricity without resistance at temperatures high above absolute zero—by simulating crystals with patterns of laser light and individual atoms. Now, a team has taken—almost—the next-to-last step in such "optical lattice" simulation by reproducing the pattern of magnetism seen in high-temperature superconductors from which the resistance-free flow of electricity emerges.
Science

Is That Dress White and Gold Or Blue and Black?

HughPickens.com writes: Color scientists already have a word for it: Dressgate. Now the Washington Post reports that a puzzling thing happened on Thursday night consuming millions — perhaps tens of millions — across the planet and trending on Twitter ahead of even Jihadi John's identification. The problem was this: Roughly three-fourths of people swore that this dress was white and gold, according to BuzzFeed polling, but everyone else said the dress was blue. Others said the dress could actually change colors. So what's going on? According to the NYT our eyes are able to assign fixed colors to objects under widely different lighting conditions. This ability is called color constancy. But the photograph doesn't give many clues about the ambient light in the room. Is the background bright and the dress in shadow? Or is the whole room bright and all the colors are washed out? If you think the dress is in shadow, your brain may remove the blue cast and perceive the dress as being white and gold. If you think the dress is being washed out by bright light, your brain may perceive the dress as a darker blue and black.

According to Beau Lotto, the brain is doing something remarkable and that's why people are so fascinated by this dress. "It's entertaining two realities that are mutually exclusive. It's seeing one reality, but knowing there's another reality. So you're becoming an observer of yourself. You're having tremendous insight into what it is to be human. And that's the basis of imagination." As usual xkcd has the final word.
It would make the comments more informatively scannable if you include your perceived color pair in the title of any comments below.
Education

Microsoft, Amazon, Google, Facebook Press WA For $40M For New UW CS Building

theodp (442580) writes "Nice computer industry you got there. Hate to see something bad happen to it." That's the gist of a letter sent by Microsoft, Amazon, Facebook, Google, Code.org, and other tech giants earlier this week asking the WA State Legislature to approve $40M in capital spending to help fund a new $110M University of Washington computer science building ($70M will be raised privately). "As representatives of companies and businesses that rely on a ready supply of high quality computer science graduates," wrote the letter's 23 signatories, "we believe it is critical for the State to invest in this sector in a way that ensures its vibrancy and growth. Our vision is for Washington to continue to lead the way in technology and computer science, but we must keep pace with the vast demand." The UW Dept. of Computer Science & Engineering profusely thanked tech leaders for pressing for a new building, which UW explained "will accommodate a doubling of our enrollment." Coincidentally, the corporate full-press came not long after the ACM Education Council Diversity Taskforce laid out plans "to get companies to press universities to use more resources to create more seats in CS classes" to address what it called "the desperate gap between the rising demand for CS education and the too-few seats available."

Submission + - Google Taking Over New TLDs (sealedabstract.com)

bobo the hobo writes: In the corner of the internet where people care about DNS, there is a bit of an uproar at Google's application for over a hundred new top-level domains, including .dev, .lol, .app, .blog, .cloud and .search. Their application includes statements such as:
        By contrast, our application for the .blog TLD describes a new way of automatically linking new second level domains to blogs on our Blogger platform – this approach eliminates the need for any technical configuration on the part of the user and thus makes the domain name more user friendly.

And also limiting usage of .dev to Google only:
        Second-level domain names within the proposed gTLD are intended for registration and use by Google only, and domain names under the new gTLD will not be available to the general public for purchase, sale, or registration. As such, Charleston Road Registry intends to apply for an exemption to the ICANN Registry Operator Code of Conduct as Google is intended to be the sole registrar and registrant.

Communications

Vandalism In Arizona Shuts Down Internet and Phone Service

schwit1 sends news that vandalism on the outskirts of Phoenix, Arizona knocked out internet and telephone service for hours across much of the state's northern region. ATMs, credit card functionality, and emergency services were all affected. Officers are trying to determine who cut through a pipe containing a fiber-optic cable on the outskirts of the city, leading to the outage on Wednesday, which hit northern Phoenix and large parts of the north of Arizona. ... The four-inch-thick pipe, which carries a CenturyLink cable, was found sliced through in an area where it is exposed to the elements as it crosses a desert wash about a quarter of a mile from a residential area, Holmes said. Police said the investigation is in its early stages, but that the pipe may have been vandalized by thieves looking to steal metal.
Portables

Lenovo Saying Goodbye To Bloatware

An anonymous reader writes: "Lenovo today announced that it has had enough of bloatware. The world's largest PC vendor says that by the time Windows 10 comes out, it will get rid of bloatware from its computer lineups. The announcement comes a week after the company was caught shipping Superfish adware with its computers. The Chinese PC manufacturer has since released a public apology, a Superfish removal tool, and instructions to help out users. At the sidelines, the company also announced that it is giving away a 6-month free subscription to McAfee LiveSafe for all Superfish-affected users."

Submission + - Pharming Attack Targets Home Router DNS Settings (threatpost.com)

msm1267 writes: Pharming attacks are generally network-based intrusions where the ultimate goal is to redirect a victim’s web traffic to a hacker-controlled webserver, generally through a malicious modification of DNS settings. Some of these attacks, however, are starting to move to the web and have their beginnings with a spam or phishing email.

Proofpoint yesterday reported on the latest iteration of this attack, also based in Brazil. The campaign was carried out during a five-week period starting in December when Proofpoint spotted phishing messages, fewer than 100, sent to customers of one of the country’s largest telecommunications companies.

Submission + - EFF Unearths Evidence of Possible Superfish-style Attacks in the Wild (arstechnica.com)

An anonymous reader writes: It's starting to look like Superfish and other software containing the same HTTPS-breaking code library may have posed more than a merely theoretical danger to Internet users. For the first time, researchers have uncovered evidence suggesting the critical weakness may have been exploited against real people visiting real sites, including Gmail, Amazon, eBay, Twitter, and Gpg4Win.org, to name just a few.

In a blog post published Wednesday, researchers Joseph Bonneau and Jeremy Gillula wrote:

        We searched the Decentralized SSL Observatory for examples of certificates that Komodia should have rejected, but which it ended up causing browsers to accept, and found over 1600 entries. Affected domains included sensitive websites like Google (including mail.google.com, accounts.google.com, and checkout.google.com), Yahoo (including login.yahoo.com), Bing, Windows Live Mail, Amazon, eBay (including checkout.payments.ebay.com), Twitter, Netflix, Mozilla’s Add-Ons website, www.gpg4win.org, several banking websites (including mint.com and domains from HSBC and Wells Fargo), several insurance websites, the Decentralized SSL Observatory itself, and even superfish.com.

        While it’s likely that some of these domains had legitimately invalid certificates (due to configuration errors or other routine issues), it seems unlikely that all of them did. Thus it’s possible that Komodia’s software enabled real MitM attacks which gave attackers access to people’s email, search histories, social media accounts, e-commerce accounts, bank accounts, and even the ability to install malicious software that could permanently compromise a user’s browser or read their encryption keys.

Submission + - How Google avoids downtime

Brandon Butler writes: Google has an innovative way of attempting to keep its services — like its cloud platform and apps — up and running as much as possible. The man in charge of it is Ben Treynor, who runs Google's Site Reliability Engineer (SRE) team.

Each Google product has a service level agreement (SLA) that dictates how much downtime the product can have in a given month or year. Take 99.9% uptime, for example: That allows for 43 minutes of downtime per month, or about 8 hours and 40 minutes per year. That 8 hours and 40 minutes is what is referred to at Google as an “error budget.”

Google product managers don’t have to be perfect — they just have to be better than their SLA guarantee. So each product team at Google has a “budget” of errors it can make.
If the product adheres to the SLA’s uptime promise, then the product team is allowed to launch new features. If the product is outside of its SLA, then no new features are allowed to be rolled out until the reliability improves.

In a traditional site reliability model there is a fundamental disconnect between site reliability engineers (SREs) and the product managers. Product managers want to keep adding services to their offerings, but the SREs don’t like changes because that opens the door to more potential problems.

This “error budget” model addresses that issue by uniting the priorities of the SREs and product teams. The product developers want to add more features, so they architect reliable systems. It seems to work; according to tracking company CloudHarmony, Google had one of the most reliable IaaS clouds among the major vendors in 2014.

Patents

Patent Trolls On the Run But Not Vanquished Yet

snydeq writes: Strong legislation that will weaken the ability of the trolls to shake down innovators is likely to pass Congress, but more should be done, writes InfoWorld's Bill Snyder. "The Innovation Act isn't an ideal fix for the program patent system. But provisions in the proposed law, like one that will make trolls pay legal costs if their claims are rejected, will remove a good deal of the risk that smaller companies face when they decide to resist a spurious lawsuit," Snyder writes. That said, "You'd have to be wildly optimistic to think that software patents will be abolished. Although the EFF's proposals call for the idea to be studied, [EFF attorney Daniel] Nazer doesn't expect it to happen; he instead advocates several reforms not contained in the Innovation Act."

Submission + - How I Got My Photos From The Department of Homeland Security

gallifreyan99 writes: Like every foreigner who flies into the US (and an increasing number of Americans, too) Tor Project contributor Runa Sandvik is tracked by Homeland Security with a series of photos taken at the border. When she filed an FOIA request to get hold of those images, what emerged was a weird, Big Brotherish take on time lapse photography.
Facebook

Facebook's Colonies

sarahnaomi writes: Facebook this week released a major report on global internet access, as part of the company's Internet.org campaign, which aims to bring cheap internet to new markets in partnership with seven mobile companies. Facebook says 1.39 billion people used its product in December 2014, and it's natural for the company to try to corral the other four-fifths of the planet. But aside from ideals and growth markets, the report highlights a tension inherent to the question of access: When Facebook sets sail to disconnected markets, what version of the internet will it bring? In its report, Facebook advocates for closing the digital divide as quickly as we can, which is a good thing. But when Facebook argues that, "as use of the internet continues to expand, it will exert a powerful effect on the global economy, particularly in the developing world," it's arguing that any increase in access is inherently good, which isn't necessarily the case.
