
Submission + - MIT Thinks It Has Discovered the 'Perfect' Solar Cell (vice.com)

Daniel_Stuckey writes: A new MIT study offers a way out of one of solar power's most vexing problems: the matter of efficiency, and the bare fact that much of the available sunlight in solar power schemes is wasted. The researchers appear to have found the key to perfect solar energy conversion efficiency—or at least something approaching it. It's a new material that can accept light from a very large number of angles and can withstand the very high temperatures needed for a maximally efficient scheme.

Conventional solar cells, the silicon-based sheets used in most consumer-level applications, are far from perfect. Light from the sun arrives here on Earth's surface in a wide variety of forms. These forms—wavelengths, properly—include the visible light that makes up our everyday reality, but also significant chunks of invisible (to us) ultraviolet and infrared light. The current standard for solar cells targets mostly just a set range of visible light.

Comment Re:Maybe? (Score 1) 81

I mean, some open source projects don't actually have anyone doing live support and a patch happens when someone "gets around to it".

True but a delayed publication of the bug isn't really going to affect them.

And some exploits are out there whether you say anything or not. Slashdot users pretty regularly complain about this with bumper sticker wisdom about "security through obscurity".

I'm not sure that specific complaint is that common. Certainly if a project sits on a security bug for months, or even years, then the security through obscurity criticism is valid. But the vast majority seem to feel it's alright to wait a couple weeks to get a patch together and inform the major users; that seems to be the fastest way to protect the most people as quickly as possible.

And just because the deployments are all fixed, doesn't mean someone has used that. Heartbleed (cited in the summary) was fixable within a couple days on every major Linux distro with a simple update. That didn't mean no one got hacked.

All-in-all, sure it's a good policy, but not the magic perfect, oh-lets-all-be-like-xen thing the summary makes it out to be.

AFAIK Heartbleed was fixed before the disclosure, but the multiple discoveries caused OpenSSL to push up the disclosure timeline so not every distro had time to get a patch together.

On the contrary I think Shellshock was bungled a bit, I can't find a firm timeline of who discovered what when but the bug went public before there was even a working patch, much less one pushed out to the major distros. It was definitely the wrong way to do things.

Security

Building a Honeypot To Observe Shellshock Attacks In the Real World 41

Nerval's Lobster writes A look at some of the Shellshock-related reports from the past week makes it seem as if attackers are flooding networks with cyberattacks targeting the vulnerability in Bash that was disclosed last week. While the attackers haven't wholesale adopted the flaw, there have been quite a few attacks—but the reality is that attackers are treating the flaw as just one of many methods available in their tool kits. One way to get a front-row seat of what the attacks look like is to set up a honeypot. Luckily, threat intelligence firm ThreatStream released ShockPot, a version of its honeypot software with a specific flag, "is_shellshock," that captures attempts to trigger the Bash vulnerability. Setting up ShockPot on a Linux server from cloud host Linode.com is a snap. Since attackers are systematically scanning all available addresses in the IPv4 space, it's just a matter of time before someone finds a particular ShockPot machine. And that was definitely the case, as a honeypot set up by a Dice (yes, yes, we know) tech writer captured a total of seven Shellshock attack attempts out of 123 total attacks. On one hand, that's a lot for a machine no one knows anything about; on the other, it indicates that attackers haven't wholesale dumped other methods in favor of going after this particular bug. PHP was the most common attack method observed on this honeypot, with various attempts to trigger vulnerabilities in popular PHP applications and to execute malicious PHP scripts.


Submission + - Intel drops sponsorship of Gamasutra in response to feminist articles

An anonymous reader writes: Processor firm Intel has withdrawn its advertising from Gamasutra in response to the site's decision to carry feminist articles. The articles had drawn the ire of the self-described "Gater" movement, a grass-roots campaign to discredit prominent female games journalists. Intel was apparently so inundated with criticism for sponsoring the Gamasutra site that it had no choice but to withdraw support. An Intel spokesperson explained that "We take feedback from our customers very seriously especially as it relates to contextually relevant content and placements" and as such Gamasutra was no longer an appropriate venue for their products.

Submission + - Hacking USB firmware

An anonymous reader writes: Now the NSA isn't the only one who can hack your USB firmware:

In a talk at the Derbycon hacker conference in Louisville, Kentucky last week, researchers Adam Caudill and Brandon Wilson showed that they’ve reverse engineered the same USB firmware as Nohl’s SR Labs, reproducing some of Nohl’s BadUSB tricks. And unlike Nohl, the hacker pair has also published the code for those attacks on Github, raising the stakes for USB makers to either fix the problem or leave hundreds of millions of users vulnerable.

Personally, I always thought it was insane that USB drives don't come with physical write-protect switches to keep them from being infected by malware.

Comment Re:FP? (Score 1) 942

And your point?

Metric is only relevant for "meters", hence the name.

Neither time, nor weight nor power nor voltage nor amperes etc. are metric, they might be decimal or more precisely "base ten", but not metric. And: as we figured, time is not base ten and not metric either :D

Actually I read a SF novel, but forgot which one it was, where the author used kilo and mega seconds for longer time spans ... in the beginning I tried to convert that into something meaningful, but later I just kept on reading :D

Submission + - End of an era: After a 30 year run, IBM drops support for Lotus 1-2-3 (theregister.co.uk)

klubar writes: Although it has been fading for years, the final death knell came recently for the iconic Lotus 1-2-3. In many ways, Lotus 1-2-3 launched the PC era (and ensured the Apple II success), and once was a serious competitor for Excel (and prior to that Multiplan and VisiCalc). Although I doubt if anyone is creating new Lotus 1-2-3 spreadsheets, I'm sure there are spreadsheets still being used that trace their origin to Lotus 1-2-3, and even Office 2013 still has some functions and key compatibility with Lotus 1-2-3. Oh, how far the mighty have fallen.

Comment Re:FP? (Score 1) 942

There won't be a "metric" version of time. And you should call it decimal version and not metric.
It would complicate everything time and location related. There is a reason we have 24h ... and the reason has nothing to do with divide ability. That is an American myth :D How often do you actually have the need to "divide" times or durations?

You know: 24 / 12 is 2 ... it remains 2h regardless if you get it by dividing 24 by 12 or by simply counting 1, 2. A child in third class can divide 10 by 3, 4, 6 or 12. For that mankind invented rational numbers. Usually we say: "we meet in 1/4 hour" or "in 1 1/2h", it is rare that we say, "let's meet in 90 minutes", however a soccer game lasts "90 minutes" ;D

Comment Re:Wrong on two counts (Score 1) 174

"many eyes make all bugs shallow" is logically correct.

No it is not. Bugs are usually found after they manifest themselves. Then the bug is searched for. Before that, it happens extremely rarely that a bug gets found in the source code.

It is a statistically higher probability that a bug *has the potential* to be identified quicker and/or fixed quicker with FOSS than with closed source.

If that would be the case, we would hear regularly about such bug fixes :D

Btw, "professionals"? Are you serious? You seriously think that FOSS developers are inferior in their competency compared to a developer who works at a company?

I mentioned "hobbyists", did I not? Of course there are plenty of professional developers in the FOSS area. But there are also plenty of very bad developers.

E.g. look at the source code of lucene: http://lucene.apache.org/ half of it is completely unmaintainable.

Before opening your mouth so wide you should perhaps stop simply "using" FOSS but look into the source code or debug it.

I saw plenty of "bad code" from professionals ... however I saw no real prime example of good code in FOSS.

The reason why many OSS is _good_ and has relatively low bugs is because a small core team of _professionals_ is crafting it. Not because it is FOSS or because many eyes are looking on it.

Comment Re:People who who work with kids also use fake nam (Score 1) 280

Teachers and counsellors often don't want the kids they work with to be able to easily find them on Facebook, so they use fake names. I have many friends who do this. So far they haven't been affected by any rule enforcement.

Well, that's one solution. Another is for them to use their real name on Facebook and a fake name in class... some hilarious options come to mind.
