
Comment Re:Exaggerated again ... (Score 1) 40

If Data and Lore had been configured with different host keys, a whole lot of anguish could have been avoided.

When a signal transmission is detected from Data's quarters, Wesley Crusher arrives to investigate. He finds Lore, now impersonating Data, who explains that he had to incapacitate his brother after being attacked. Wesley is doubtful, but since Lore and Data were misconfigured with identical host keys, he has little option but to pretend to accept the explanation.

Understanding Secure Shell Host Keys
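The point of the joke is that an SSH client identifies a server by its host key, so two machines presenting the same key are indistinguishable to it. Below is an added example (mine, not the commenter's and not OpenSSH code) that reads an OpenSSH known_hosts file, computes the same SHA256 fingerprints that ssh-keygen -l prints, and reports any key recorded for more than one entry; the host names, the sample known_hosts text and the 32-byte key values are constructed for the example.

```python
"""Find entries in an OpenSSH known_hosts file that share a host key.

Added example, not from the Slashdot comment or from OpenSSH. A cloned VM
image (or an impersonator) that reuses another host's key passes the client's
host check, because known_hosts binds a key to a name and the keys compare
equal. Listing keys used by more than one entry surfaces that situation.
"""
import base64
import hashlib
import struct
from collections import defaultdict


def ssh_string(data: bytes) -> bytes:
    """Encode bytes in SSH wire format: uint32 big-endian length, then bytes."""
    return struct.pack(">I", len(data)) + data


def ed25519_blob(raw_key: bytes) -> bytes:
    """Build the OpenSSH public key blob for an Ed25519 key (RFC 8709 layout)."""
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_key)


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in the format printed by `ssh-keygen -l`:
    'SHA256:' plus unpadded base64 of the digest over the key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str):
    """Yield (hostnames, key_type, blob) per entry, skipping blanks/comments.

    A leading @cert-authority / @revoked marker is dropped. Hashed hostnames
    (|1|...) are kept verbatim; the key comparison does not depend on them.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):
            fields = fields[1:]
        if len(fields) < 3:
            continue
        hosts, key_type, b64 = fields[0], fields[1], fields[2]
        yield hosts.split(","), key_type, base64.b64decode(b64)


def shared_keys(text: str) -> dict:
    """Map each fingerprint that appears on more than one known_hosts line to
    the list of hostname groups (one group per line) that present it.

    One line listing 'host,10.0.0.4' is a single host with an alias and is
    not reported; two separate lines with the same key are.
    """
    by_fp = defaultdict(list)
    for hosts, _key_type, blob in parse_known_hosts(text):
        by_fp[fingerprint(blob)].append(hosts)
    return {fp: groups for fp, groups in by_fp.items() if len(groups) > 1}


# Constructed sample: the same Ed25519 key installed on two hosts (data and
# lore) and a distinct key on a third. Key bytes are made-up values.
SHARED_BLOB = ed25519_blob(bytes(range(32)))
UNIQUE_BLOB = ed25519_blob(bytes(range(32, 64)))
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts for the example",
    "data.example,10.0.0.4 ssh-ed25519 " + base64.b64encode(SHARED_BLOB).decode(),
    "lore.example ssh-ed25519 " + base64.b64encode(SHARED_BLOB).decode(),
    "picard.example ssh-ed25519 " + base64.b64encode(UNIQUE_BLOB).decode(),
])

if __name__ == "__main__":
    for fp, groups in shared_keys(SAMPLE_KNOWN_HOSTS).items():
        print(fp, "is presented by", [",".join(g) for g in groups])
```

Run it against your own ~/.ssh/known_hosts (unhashed entries, or hashed ones; the comparison is on the key blob) and compare a reported fingerprint with `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` on the suspect hosts. Hosts that share a key are typically clones of one image that kept /etc/ssh/ssh_host_* keys; regenerating those keys on each clone restores per-host identity.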

Comment Re:Holy crap ... (Score 1) 66

The security difference between chip-and-signature and chip-and-PIN matters in only one case, and that is if your physical card is stolen from your wallet. Skimmers, data breaches, shoulder-surfing, all the hacking attacks won't yield the secret key inside the chip, preventing it from being counterfeited. If you don't like the security of your chip-and-signature card because you're afraid your card might be stolen, ask your bank to issue you a chip-and-PIN card instead. If your bank won't, there are plenty of other banks who will, and who will be grateful for your business.

Visa and the retailers originally figured U.S. customers would prefer chip-and-signature because it makes selling things "easy". But that's a pretty stupid attitude, because lots of people (including you and me) are wary about identity theft. Customers need to complain to their banks so that they learn we'd rather have PINs than signatures.

Overall credit card security will still remain terrible for a long time to come because static mag stripes still exist, and online card-not-present transactions still use static authentication data like CVV2 codes. What really needs to happen to actually improve security is that mag stripes and static numbers like CVV2 need to be flat-out outlawed. The recent "liability shift" is the opening salvo in the conversion, but we're probably still a decade away from actual security.

Comment Re:Works for me (Score 1) 136

Manufacturers have long made custom versions of products for specific store chains, and not just TV sets. Pots and pans, clothing, furniture, most products are available to any store that's willing to pay for them. Some stores (like Walmart) have a specific price point, so the manufacturers produce a model without the chrome-plated knobs, the low contrast screens, and use only the cheapest cloned capacitors and dubious quality power supplies.

There's a lot of marketing power in it, too. Not only do they get to offer big TVs for ridiculously low prices, it's also safe to tout benefits like a "150% price match guarantee", when they have the exclusive contract to sell that exact model.

Comment Re:What's Unusual? (Score 1) 91

This new piece of malware shows sophistication of design, but that's not unheard of. Older malware was often customized by compile time switches and definitions; this just abstracts some of that away.

Many people (i.e. journalists and managers) think of malware authors as pimple-faced script kiddies hacking in their mothers' basements. They think that large, well-designed projects require teams of skilled developers who would only do so for a fat paycheck.

What's happened now is that vulnerabilities are so profitable that the threat landscape is no longer the exclusive domain of the single hacker - criminal gangs want a piece of it. They can afford to pay team salaries to engineer a solution.

And malware authors have learned to avoid the biggest risks of getting caught. In the old days a virus writer would also be the distributor. Modern authors get paid by selling their exploit code, along with customization and support contracts, to gangs of attackers. The attackers take on the risks, the developers collect fat checks. In some cases of vertical attacks (ATM skimmers for example), the "owner" of the malware uses cryptography to encrypt the skimmed data, preventing the low-level attackers from profiting from the stolen data. The profits go to the top first, and the paychecks cascade down (assuming honor among thieves.)

So what's newsworthy here is that they believe this malware to be further evidence of a new breed of well organized criminal software developers.

Comment Re:Awww (Score 3, Interesting) 93

Because neonicotinoids are among the safest overall pesticides that have ever been developed. They very effectively target insects, but have very minor effects on mammals. The LD50 of Safari is over 2000 mg/kg of body weight in rats. They're rated category III by the EPA, which means 'slightly toxic and/or slightly irritating.'

The big problem is with bees. Neonics are supposedly 150X more lethal to bees than to any other insect genera.

The EU has already banned neonics (possibly because population density is higher and bees may be more shared than in the US); the US is dragging their feet.

Comment Re:Translation : (Score 1) 93

Actually, they've known for several years that minute quantities of neonicotinoids cause bees to 'dance' incorrectly; where the dance no longer correctly directs other bees to their discovery of nectar. The loss of food may be partly responsible for Colony Collapse Disorder. It's not surprising that this would also lead to reduced pollination.

Comment A couple points (Score 1) 424

First, the best treatment of the prequels, and one of the most brilliant things I have ever seen period, is the Star Wars prequel reviews by Red Letter Media. They're here:

I found something meaningful in those reviews, they just captured a sentiment for me, and I totally recommend checking them out.

Second, maybe the title should be "Disney: George, you're done with Star Wars."? :)

Comment Shackleton circus (Score 0) 174

"Somebody has decided to create this cut-down, using only the sections of The Gathering Clouds that discuss the difficulties faced, not the positive ways they were addressed and overcome - which are also covered in this and other featurettes."

When BANA books its annual shindig at a charming convention center catered by the Willy Wonka Chocolate Corporation with an entertainment package featuring a human volleyball act by the Ethiopian Cirque du Soleil, I too would probably look more at the original decision making than the food-oriented heroics induced.

BANA = Bulimia Anorexia Nervosa Association

I can see it now.

Some enterprising greeter saves the day by equipping the Shin Dig Hall entrance booth with 300 complimentary pairs of silicone oven mitts (frantically relabelled to read "size 3/4/5" with just minutes to spare) and zap straps snug enough to keep them secured to bony wrists until the evening's festivities run to conclusion.

Forever afterwards, the meeting is recalled as the "Silicone Shackleton Saliva Circus".

Comment Re:The thing about the "bombing ISIS positions"... (Score 1) 488

I can think of two plausible but simplistic explanations, there are no doubt more.

First, they may have been waiting for better timing. Once you drop a bomb on a building, the scum-lickers learn they've been exposed and will not return. So they want to bomb the building when it contains one or more high value targets. Knowing when a high value target is inside requires you to have an intel source observing the building (or the target) at the same time the target is in the building and you have assets in position to level it. That doesn't happen very often. But due to the attack they have to respond quickly, so they are sending a different message by killing a bunch of low value targets in a lot of locations.

The other simplistic explanation is intel gathering. Getting a spy into their organization is not easy. If you bomb a building, you are revealing to the enemy that at least one of the people who knows about the building is a spy; or that you have the capability of intercepting some kind of traffic. To preserve the secrecy of the ULTRA program that decrypted German Enigma traffic, Britain developed an elaborate process for destroying U-boats in WWII. They couldn't just fly to the location of the submarine and drop depth charges as that risked revealing the Allies ability to decrypt communications; instead, they scheduled weather-reporting planes to fly more missions in certain sectors; these weather planes would then "get lucky" and report the U-boat's position to the destroyers. Similarly, France may not want to reveal that they're triangulating cell traffic, or tapping certain phone lines, or monitoring PlayStation Call-Of-Duty chat rooms.

Either way, France is trading potential future intel gathering capabilities to send a message today that says "you are not invincible, you are not right, you are not just, you are only vermin to be exterminated." They can rebuild their intel network later.

Comment Re:if they really want revenge (Score 1) 488

Ignoring the restrictions is useful, but it provides the enemy with justification. "You say you live by this rule, but you ignore it. Therefore, we're every bit as good as you are, or you're every bit as bad as us."

Thus, black ops and deniability. Who knows; maybe Anonymous is so full of FBI moles that this is actually a government backed attack?

Comment Re:Barcode scanner = keyboard (Score 1) 79

The problem is that scanners support multiple communications protocols so they can be sold to a wide variety of clients, and the scanners' configurations can be changed via barcode without first asking for permission.

Your attacker can see that you're using a DS-6878 scanner with a USB cable, so he opens his phone's browser to this page of the manual, and displays the barcode to configure a North American keyboard. Once scanned, as far as Windows knows someone just plugged in a new USB HID Keyboard device. None of the old configuration settings matter any more, and your bulletproof application may not even be notified that its scanner has been hijacked.

He then scans a few more configuration codes so that he knows his codes will be properly effective, perhaps something like Send Barcodes with Unknown Characters (page 67), and finally a control sequence to open a URL to Pwnage ensues.
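The defence the comment implies is that once a scanner can be silently reconfigured into a USB HID keyboard, its output is untrusted keystrokes and the receiving application has to validate it as such. The following is an added example (mine, not the commenter's and not any scanner vendor's code) of a point-of-sale style input filter: it rejects control characters that a reconfigured scanner can emit as keystrokes, accepts only the symbology the application expects (UPC-A here, as an assumed choice), and verifies the UPC-A check digit. The scan strings are constructed for the example.

```python
"""Treat a keyboard-wedge barcode scanner as untrusted input.

Added example, not from the Slashdot comment or from a scanner vendor. After a
scanner has been reconfigured as a HID keyboard, anything it scans arrives as
typed characters, so the application accepts only the exact format it expects
and discards everything else before acting on it.
"""
import re

# Assumed expected symbology for this application: 12-digit UPC-A.
UPC_A = re.compile(r"[0-9]{12}")
# Control characters (Esc, Tab, CR/LF, GS, ...) that a reconfigured scanner can
# send as keystrokes but that never occur in a legitimate product code.
CONTROL = re.compile(r"[\x00-\x1f\x7f]")
MAX_SCAN_LEN = 64


def upc_a_check_digit_ok(code: str) -> bool:
    """Verify the UPC-A check digit: (3 * sum of odd positions + sum of even
    positions) mod 10 must be cancelled by the 12th digit."""
    digits = [int(c) for c in code]
    odd = sum(digits[0:11:2])    # positions 1,3,...,11 (0-based 0,2,...,10)
    even = sum(digits[1:11:2])   # positions 2,4,...,10 (0-based 1,3,...,9)
    expected = (10 - (3 * odd + even) % 10) % 10
    return digits[11] == expected


def classify_scan(raw: str) -> tuple:
    """Return ("ok", code) for a valid UPC-A scan, else ("reject", reason).

    Order matters: control characters are checked first so that an injected
    keystroke sequence is reported as such, not as a malformed code.
    """
    if CONTROL.search(raw):
        return ("reject", "control characters in scan")
    if len(raw) > MAX_SCAN_LEN:
        return ("reject", "scan too long")
    if not UPC_A.fullmatch(raw):
        return ("reject", "not a UPC-A code")
    if not upc_a_check_digit_ok(raw):
        return ("reject", "bad check digit")
    return ("ok", raw)


def triage(scans) -> list:
    """Classify a batch of raw scans; returns a list of (raw, verdict) pairs."""
    return [(raw, classify_scan(raw)) for raw in scans]


# Constructed sample scans: a valid UPC-A, one with a wrong check digit, a URL
# typed in as plain text, and a URL preceded by Esc and terminated by CR, the
# kind of sequence a scanner configured to emit control keys could produce.
SAMPLE_SCANS = [
    "036000291452",
    "036000291453",
    "http://example.invalid/",
    "\x1bhttp://example.invalid/\r",
]

if __name__ == "__main__":
    for raw, verdict in triage(SAMPLE_SCANS):
        print(repr(raw), "->", verdict)
```

Input validation only limits what the application itself will act on; keystrokes from a scanner that now looks like a keyboard still reach whatever window has focus. On a dedicated terminal, binding the scanner to the application through a non-keyboard interface (a serial or vendor HID profile read directly, rather than keyboard emulation) keeps its output from ever being typed into something else, and locking the scanner's configuration-barcode feature, where the firmware supports it, removes the reconfiguration path the comment describes.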

Comment Re:Use Windows 10 (Score 1) 197

One problem with this solution is there are still some Windows native apps that are pixel-based instead of percent or resolution based. We have a 15.6" laptop with a 3840x2160 screen, and have encountered a couple of apps that now display in impossible-to-use resolutions.

For example, QuickBooks displays a page of instructions in a tiny window that I can literally cover with my thumbnail. The minimize/restore/close icons at the upper right corner of each window are less than 1mm high, and very difficult for my wife to click on with the trackpad. Their official "fix"? Crank the resolution of the screen down to 1024x768, and learn Ctrl-F4 and Alt-F4! So because they don't know how to code, it's their users' fault for buying a nice screen. If this was the only dumb-ass arrogant thing Intuit ever did, I could forgive them for not catching up to 2003 usability standards, but it's far from their first episode of "all you damn customers suck." I need a new bookkeeping package from someone who is not Intuit.

Comment Innocent? (Score 2, Interesting) 108

"this attack crosses the crucial line between research and endangering innocent users." Since many of the 'endangered users' were then charged with various crimes, are they innocent?

If a student doctor treats a patient with a gunshot wound, they are still obligated to report the wound to the police. Is the student not learning, and if so, is that materially any different than what the Tor researchers were doing? The gunshot victim may be innocent, or may have been taking part in a crime, but that doesn't change the doctor's obligation.

Or if a Law Enforcement student is participating in a community event and witnesses a crime, we don't raise a red flag if they apprehend the suspect.

The circumstances all seem pretty similar to me.
