Forgot your password?

+ - Researcher Finds Tor Exit Node Adding Malware to Downloads

Submitted by Trailrunner7
Trailrunner7 (1100399) writes "A security researcher has identified a Tor exit node that was actively patching binaries users download, adding malware to the files dynamically. The discovery, experts say, highlights the danger of trusting files downloaded from unknown sources and the potential for attackers to abuse the trust users have in Tor and similar services.

Josh Pitts of Leviathan Security Group ran across the misbehaving Tor exit node while performing some research on download servers that might be patching binaries during download through a man-in-the middle attack. Downloading any kind of file from the Internet is a dodgy proposition these days, and many users know that if they’re downloading files from some random torrent site in Syria or The Marshall Islands, they are rolling the dice. Malware runs rampant on these kinds of sites.

But the scenario that worries security experts much more involves an attacker being able to control the download mechanism for security updates, say for Windows or OS X. If an attacker can insert malware into this channel, he could cause serious damage to a broad population of users, as those update channels are trusted implicitly by the users’ and their machines. Legitimate software vendors typically will sign their binaries and modified ones will cause verification errors. What Pitts found during his research is that an attacker with a MITM position can actively patch binaries–if not security updates–with his own code.

In terms of defending against the sort of attack, Pitts suggested that encrypted download channels are the best option, both for users and site operators.

“SSL/TLSis the only way to prevent this from happening. End-users may want to consider installing HTTPS Everywhere or similar plugins for their browser to help ensure their traffic is always encrypted,” he said via email."

+ - Employers Worried About Critical Thinking Skills->

Submitted by Nerval's Lobster
Nerval's Lobster (2598977) writes "Every company needs employees who can analyze information effectively, discarding what's unnecessary and digging down into what's actually useful. But employers are getting a little bit worried that U.S. schools aren't teaching students the necessary critical-thinking skills to actually succeed once they hit the open marketplace. The Wall Street Journal talked with several companies about how they judge critical-thinking skills, a few of which ask candidates to submit to written tests to judge their problem-solving abilities. But that sidesteps the larger question: do schools need to shift their focus onto different teaching methods (i.e., downplaying the need for students to memorize lots of information), or is our educational pipeline just fine, thank you very much?"
Link to Original Source

+ - Close Approach of Asteroid 2014 SC324->

Submitted by Anonymous Coward
An anonymous reader writes "Asteroid 2014 SC324 has an estimated size of 40 m — 90 m (based on the object's absolute magnitude H=24.1) and it will have a close approach with Earth at about 1.5 LD (Lunar Distances = ~384,000 kilometers) or 0.0038 AU (1 AU = ~150 million kilometers) at 1921 UT on 2014, October 24. This asteroid will reach the peak magnitude about +13.6 at close approach."
Link to Original Source

+ - Fiber-to-the-Home Creates New Digital Divide

Submitted by dkatana
dkatana (2761029) writes "Having some type of fiber or high-speed cable connectivity is normal for many of us, but in most developing countries of the world and many areas of Europe, the US, and other developed countries, access to "super-fast" broadband networks is still a dream.

Alternatives to fiber, such as cable (DOCSYS 3.0), are not enough, and they could be more expensive in the long run. The maximum speed a DOCSYS modem can achieve is 171/122 Mbit/s (using four channels), just a fraction the 273 Gbit/s (per channel) already reached on fiber."

Comment: Re:On the other hand... (Score 1) 687

by RavenLrD20k (#48206375) Attached to: FTDI Reportedly Bricking Devices Using Competitors' Chips.
Because of reasons that could lead to a very bad PR nightmare for FTDI if they attack unwitting consumers vs. taking counterfeiters more head on. You know, maybe instead of immediately bricking the entire system, how about being nice to their cash-flow by popping up an alert for the user to contact the manufacturer of their motherboard about a counterfeit part and letting them know that full functionality is not supported by FTDI as opposed to outright destroying the device?

Comment: Re:The good news (Score 2, Insightful) 687

by RavenLrD20k (#48206305) Attached to: FTDI Reportedly Bricking Devices Using Competitors' Chips.

Except there's a difference between this and your example. When you update your BIOS there are ways to verify that the BIOS you have is compatible with the update you are going to use. With this FTDI crap, if you physically examine the chip, it has all the markings of a legit FTDI chip, down to the model stamp. When you look at the chip driver in Windows before the update, it reports back chip information for a chip that's legitimate. Upon verifying these things, you go ahead and run Windows Update with the new FTDI driver... OOPS! Your chip was misrepresenting itself to you and now you have bricked hardware. If you're lucky, your hardware vendor will supply you with a new board under warranty, and hopefully they've verified that the chip is truly legit. If're screwed and FTDI just broke an otherwise perfectly working system that was paid for legally in good faith (that last bit is the important part when contemplating a lawsuit and who to go after; hint: same considerations for a BIOS update that goes awry because it misrepresented itself to the user/system prior to flashing).

The fact that this is an automatic Windows Update that can potentially brick a system without warning (thinking of the non-tech-savvy here), this can make for a very bad nightmare on FTDI's end. I wouldn't be surprised to hear something coming out of the FTC about this before long.

+ - Microsoft,, Oracle Latest To Be Sued Over No-Poach Deal->

Submitted by itwbennett
itwbennett (1594911) writes "Oracle, Microsoft and are facing suits alleging that they conspired to restrict hiring of staff. The suits appear to refer to a memo that names a large number of companies that allegedly had special arrangements with Google to prevent poaching of staff and was filed as an exhibit on May 17, 2013 in another class action suit over hiring practices. The former employees filing lawsuits against Microsoft, and Oracle have asked that the cases be assigned to Judge Koh as there were similarities with the case against Google, Apple and others — and it maybe doesn't hurt that Judge Koh thought the $324.5 million settlement in that case was too low."
Link to Original Source

+ - FTDI is intentionally bricking devices using competitors' chips. ->

Submitted by janoc
janoc (699997) writes "It seems that FTDI has started an outright war on cloners of their popular USB bridge chips. At first the clones stopped working with the official drivers and now they are being intentionally bricked, rendering the device useless. The problem? These chips are incredibly popular and used in many consumer products. Are you sure yours doesn't contain a counterfeit one before you plug it in? What are you going to do if your device gets trashed?

The article is on Hackaday:"

Link to Original Source

Comment: Re:Easy to solve - calibrate them to overestimate (Score 1) 397

by RavenLrD20k (#48199841) Attached to: Speed Cameras In Chicago Earn $50M Less Than Expected
Don't get me wrong, it's not always reliable as it depends on the municipality or county to draw the lines and how long to make them, and better funded means better adherence to the guideline, but generally that is what can be found in Georgia, especially on more well traveled thoroughfares; and yes, their primary purpose is to discourage lane changes in the junction. The lines however are visibly longer the higher the speed limits of the roadway, and in most intersections applying the brakes just outside the bounds of the solid line will allow the vehicle to come to a nice easy stop at the stop line without much of any inertial throwback.

Comment: Re:Easy to solve - calibrate them to overestimate (Score 1) 397

by RavenLrD20k (#48198247) Attached to: Speed Cameras In Chicago Earn $50M Less Than Expected

Travel on a US Highway in Georgia out between the towns (generally 30 - 60 miles between each). It's not uncommon where you have two major US or State Highways cross (not interstates) with a traffic light where the speed limits are 55 - 65 mph. As I stated somewhere above, the white lines that divide the lanes will go from dashed to solid at a point where if you're within the solid white lines while traveling within 5 mph of the speed limit, and the light turns yellow, the light should be timed properly that your vehicle can make it all the way through the intersection before the light turns red. Understand that this is for your average passenger vehicle. Busses, RV's and Semi's need to take special care and gauge their own safe stopping distance. These guidelines were written into State Law, and I've yet to see any small town communities violate this, since the State Department of Public Safety (DPS) is known to perform spot checks and actually fine the municipalities in violation.

Speed traps are a whole different story. Yes there are requirements in State Law dictating officer visibility, the use of speed detection equipment including the old two posts and a stopwatch method, minimum speed violation before a municipality can write a ticket (no less than 10 mph above the limit, and since equipment is rated to an accuracy of +/-1, reasonable doubt gives a total 11 mph buffer [State Patrol has no such limit, only County, Municipal, and Private officers]) as well as minimum notice between speed limit changes. However a lot of smaller communities can operate outside of these laws without being detected for quite a while, but woe to them if they're ever caught by DPS through court challenge of a ticket (often requiring appeal to the State system after losing in the local court, which would prompt investigation) or by State Patrol/Department of Drivers Services witnessing a violation. Communities can be fined by the State, lose their license to operate speed detection altogether, or, in some extreme cases of municpal corruption, have lost their ability to operate their own police departments for several years, having policing measures being taken over directly by the State Patrol (A division of DPS) in the interim.

Comment: Re:Easy to solve - calibrate them to overestimate (Score 1) 397

by RavenLrD20k (#48197649) Attached to: Speed Cameras In Chicago Earn $50M Less Than Expected

I can't speak for everywhere, but many of the towns in Georgia the solid white lines that divide lanes before a stop light (as opposed to the normal white dashed lane dividing lines) are generally painted to a length where if you're outside of this region when the light turns yellow and you're travelling the speed limit you will need to stop. If you're inside the region of the solid line at the start of the yellow, you should have enough time to get through the intersection safely before the light changes (note I did not say get past the stop line, but through the entire intersection. It is illegal to be under the light when it turns red in Georgia, unless road conditions required it, which is difficult to prove.) Obviously if your speed is above or below the speed limit the safe distance is proportionately longer or shorter, respectively.

Comment: Re:And this is why Linux will never win the deskto (Score 1) 549

by RavenLrD20k (#48196241) Attached to: Debian's Systemd Adoption Inspires Threat of Fork

They don't care about specs really, they don't care about merit. They care about branding and imagine (sic).

WRONG. They care about *tasks* and *activities*.


Notice that there's no mention of "Process random data at 50 gigaflops of megabuttz over a DDR3 EEPROM Ivy Bridge SSD, with WiMax Bluetooth EDR 4.0?"

Specs don't matter to the average computer user... apparently missed the context of the parent completely. You even quoted the parent, called him wrong, then made the focus of your statement a point that agreed specifically with the part of the parent that you quoted; and all through that you completely did not show how the statement you quoted was in any way wrong.

The main focus of the parent that he showed examples of is on the sentence "They care about branding and image." Your rebuttal included the list of things that people use a computer to accomplish:

- Edit that spreadsheet from work;
- Send an email to their kid in college 500 miles away;
- Listen to some music or watch a movie (or both);
- Edit some photos then upload them to Facebook;
- Browse the web;
- Write a paper;

All of those things can be done on Windows, Linux, or Mac OS X. Which one a person uses is based completely on branding or image. The parent went into what most users would use based on their perceptions of specific brands. Most users would use MS Windows because that is "Normal" and "Conforms" to what they believe they should be using based on the requirements on the side of the box of the software they want to use for whatever they want to do. The ones who would use Mac OS tend to be the "hipster" type that want to appear different and call themselves superior to those who use Windows, even though they need to do all about the same things as their Windows brethren. The Linux/BSD crowd tend to be more independent thinkers than the above two, though they very well fall into conforming with themselves (for example, those who say "I use Debian. Yes it's Linux, but you'd never catch me dead using Gentoo." and vice versa.) These too will also get the tools to do all of the above functions from their package manager of choice, and have the heart and fearlessness to perhaps tinker with software under the hood

Your post did not make any claim that refutes any of these points that the parent made and I have outlined... therefore you did not prove how you thought he was wrong in his statement that you quoted.

+ - The One App You Need on Your Resume if You Want a Job at Google

Submitted by (3830033) writes "Jim Edwards writes at Business Insider that Google is so large and has such a massive need for talent that if you have the right skills, Google is really enthusiastic to hear from you — especially if you know how to use MatLab, a fourth-generation programming language that allows matrix manipulations, plotting of functions and data, implementation of algorithms, creation of user interfaces, and interfacing with programs written in other languages, including C, C++, Java, Fortran and Python. The key is that data is produced visually or graphically, rather than in a spreadsheet. According to Jonathan Rosenberg , Google's former senior vice president for product management, being a master of statistics is probably your best way into Google right now and if you want to work at Google, make sure you can use MatLab. Big data — how to create it, manipulate it, and put it to good use — is one of those areas in which Google is really enthusiastic about. The sexy job in the next ten years will be statisticians. When every business has free and ubiquitous data, the ability to understand it and extract value from it becomes the complimentary scarce factor. It leads to intelligence, and the intelligent business is the successful business, regardless of its size. Rosenberg says that "my quote about statistics that I didn't use but often do is, 'Data is the sword of the 21st century, those who wield it the samurai.'""

Comment: Re:Remove It (Score 2) 519

by RavenLrD20k (#48170883) Attached to: Debian Talks About Systemd Once Again

On my servers, the current business week is in plain text and not compressed and archived until 11pm Sunday night for the next week. I keep a month's worth of archived logs. Now here's why: If a system goes down for some reason, the only logs that are going to have anything immediately useful are going to be the uncompressed ones that can easily be cat dumped or vi'd for initial troubleshooting. You're most likely going to need only the last few lines of the log just to find out what went wrong. If troubleshooting is greater than that and you find a longer history of problems that culminated in the panic, any liveCD distro will have the tools necessary to crack open your archives.

Binary log systems are a Disaster Recovery nightmare. The only reason you have a log system is that something went wrong and you need to do some form of troubleshooting/recovery. If your core system is still working fine and the native systemd is able to read the binary, great. What happens when a system partition crashes and won't boot back up? Please enlighten me on how a binary log file can be read on a system that won't boot itself? Can any liveCD using a systemd based distro read the binary file and translate it to a human readable format? Also, it's been said that using a config file, the journal system of systemd can write to a plaintext file. Please explain how that works? Using the config file, does the journal system completely turn off and each component individually writes to syslog, generating their own log file or adding to one of the already created pertinent log files, as it does with System V? Or, does each program send it's message to the journal system and it's this system that sends a message to syslog to write? If it's this latter case, what happens if during a system panic the journal system corrupts the data being written? What if the journal system itself craps out in a failure?

These are all questions that I legitimately do not have an answer to yet, and I haven't had time to research into it. Before I consider updating my systems to a systemd based distribution these questions MUST be answered satisfactorily, and it will be as I draw closer to that point that I will be making time to research it. I don't have time for FUD, fanboyisms, or anything else as such from either side. I have specific requirements that must be completely answered. If the answers are not forthcoming, I, and many many many sysadmins like me, will be keeping System V init systems on my servers by whatever means necessary.

+ - Debian talks about systemd begins once again->

Submitted by Anonymous Coward
An anonymous reader writes "A couple of months ago the TC of Debian decided for systemd. This is now subject for discussion once again and Ian Jackson has stated that he wants a general resolution, so every developer within the Debian project can decide. After a short time the required amount of supportes has been reached and the discussion can start once again."
Link to Original Source

In any formula, constants (especially those obtained from handbooks) are to be treated as variables.