Security

Grinch Vulnerability Could Put a Hole In Your Linux Stocking

Posted by timothy
from the pretty-generic-description-there dept.
itwbennett writes In a blog post Tuesday, security service provider Alert Logic warned of a Linux vulnerability, named grinch after the well-known Dr. Seuss character, that could provide attackers with unfettered root access. The fundamental flaw resides in the Linux authorization system, which can inadvertently allow privilege escalation, granting a user full administrative access. Alert Logic warned that Grinch could be as severe as the Shellshock flaw that roiled the Internet in September.

Comment: Good Voice-only Interface for Phone (Score 2)

by billstewart (#48628547) Attached to: Ask Slashdot: What Can I Really Do With a Smart Watch?

What you need is a good voice-only interface for your phone, and if possible in your clean-room environment, some kind of Bluetooth headset. Phone rings, you tell it "answer". If you want to do something, tell Siri or equivalent, and get voice feedback. Not being an iPhone user, I don't know if Siri's good enough. (The Android stuff I've used so far hasn't been, but my car's phone-dialing interface is at least a start.)

Toys

Ask Slashdot: What Can I Really Do With a Smart Watch?

Posted by timothy
from the you-can-measure-the-battery-drain dept.
kwelch007 writes I commonly work in a clean-room (CR.) As such, I commonly need access to my smart-phone for various reasons while inside the CR...but, I commonly keep it in my front pocket INSIDE my clean-suit. Therefore, to get my phone out of my pocket, I have to leave the room, get my phone out of my pocket, and because I have a one track mind, commonly leave it sitting on a table or something in the CR, so I then have to either have someone bring it to me, or suit back up and go get it myself...a real pain. I have been looking in to getting a 'Smart Watch' (I'm preferential to Android, but I know Apple has similar smart-watches.) I would use a smart-watch as a convenient, easy to transport and access method to access basic communications (email alerts, text, weather maps, etc.) The problem I'm finding while researching these devices is, I'm not finding many apps. Sure, they can look like a nice digital watch, but I can spend $10 for that...not the several hundred or whatever to buy a smart-watch. What are some apps I can get? (don't care about platform, don't care if they're free) I just want to know what's the best out there, and what it can do? I couldn't care less about it being a watch...we have these things called clocks all over the place. I need various sorts of data access. I don't care if it has to pair with my smart-phone using Bluetooth or whatever, and it won't have to be a 100% solution...it would be more of a convenience that is worth the several hundred dollars to me. My phone will never be more than 5 feet away, it's just inconvenient to physically access it. Further, I am also a developer...what is the best platform to develop for these wearable devices on, and why? Maybe I could make my own apps? Is it worth waiting for the next generation of smart-watches?
Australia

Australia Moves Toward New Restrictions On Technology Export and Publication

Posted by timothy
from the locked-file-cabinet-in-the-basement dept.
An anonymous reader writes Australia is starting a public consultation process for new legislation that further restricts the publication and export of technology on national security grounds. The public consultation starts now (a few days before Christmas) and it is due by Jan 30th while a lot of Australians are on holidays. I don't have the legal expertise to dissect the proposed legislation, but I'd like some more public scrutiny on it. I find particularly disturbing the phrase "The Bill includes defences that reverse the onus of proof which limit the right to be presumed innocent until proven guilty" contained in this document, also available on the consultation web site.


Comment: Re:Poll purpose (the simple explanation) (Score 1)

by timothy (#48628013) Attached to: At 40, a person is ...

Nah

Actually, it's my 40th birthday, and I've been amused (pleased, too) by the nice greetings I've gotten from friends both older and younger. If Dice Incorporated Amalgamated International Limited wants to make something of the results, they're free to, but since (this being a Slashdot poll) the answers are far less the point than the discussion, I don't think that's very likely. Our polls (we love poll submissions, by the way) are kernels for discussion, and often the product of whimsy. There are lots of ways that age (esp. in technical fields) tends to come up on Slashdot, and a pretty wide range both of what "old" *is* and what it means.

There may be many conspiracies in the world; this just isn't one :)

 

Techdirt: The MPAA's Secret Plan To Reinterpret The DMCA Into A Vast Censorship Machine Th

From feed by feedfeeder
Yes, all the attention these days about the Sony hack is on the decision to not release The Interview, but it still seems like the big story to come out of the hack is the sneaky plans of the MPAA in its bizarre infatuation with attacking the internet. We've already covered the MPAA's questionably cozy relationship with state Attorneys General (to the point of both funding an investigation into Google and writing documents for those AGs to send in their names), as well as the continued focus on site blocking, despite an admission that the MPAA and the studios still don't have the slightest clue about the technology implications of site blocking.

Last week, TorrentFreak noted the various options that were under discussion by the MPAA for blocking sites, and now The Verge has published more information, including the analysis by MPAA's favorite hatchetmen lawyers at Jenner & Block about how site blocking might work in practice [pdf] by breaking DNS.

For years, actual technology experts have explained why DNS blocking is a really bad idea, but the MPAA just can't let it go, apparently. This time, though, it's looking for ways to do it by twisting existing laws rather than by getting a new SOPA-like law passed.

To understand the plan, you have to first understand the DMCA section 512, which is known as the safe harbor section, but which includes a few different sections, with different rules applying to different types of services. 512(a) is about "transitory digital network communications" and basically grants very broad liability protection for a network provider who isn't storing anything -- but just providing the network. There are good reasons for this, obviously. Making a network provider liable for traffic going over the network would be a disaster for the internet on a variety of levels.

The MPAA lawyers appear to recognize this (though they make some arguments for getting around it, which we'll get to in a follow-up post), but they argue that a specific narrow attack via DMCA might be used to force ISPs to break the basic internet by disabling entries in their own DNS databases. The trick here is twisting a different part of the DMCA, 512(d), which is for "information location tools." Normally, this is what's used against search engines like Google or social media links like those found on Twitter. But the MPAA argues that since ISPs offer DNS service, that DNS service is also an "information location tool" and... ta da... that's how the MPAA can break DNS. The MPAA admits that there's an easy workaround for end-users -- using third-party DNS providers like OpenDNS or Google's DNS service -- but many users won't do that. And the MPAA would likely go after those guys as well.

At the same time, even this narrow limitation on ISPs’ immunity could have the salutary effect of requiring ISPs to respond to takedown notices by disabling DNS lookups of pirate sites through the ISPs’ own DNS servers, which is not currently a general practice. Importantly, the argument for such a requirement need not turn on the Communications Act, but can instead be based on the DMCA itself, which expressly limits ISPs’ immunity to each “separate and distinct” function that ISPs provide. See 17 U.S.C. 512(n). A reasonable argument can be made that DNS functionality is an “information location tool” as contemplated by DMCA Section 512(d) and, therefore, that ISPs are required, as a condition of the safe harbor, to cease connecting users to known infringing material through their own DNS servers. Should this argument hold – and we believe that it has a reasonable prospect of success – copyright owners could effectively require ISPs to implement a modest (albeit easily circumvented) form of DNS-based site blocking on the basis of only a takedown notice rather than litigation.
In short, since DMCA takedown notices apply to "information location tools," but not to "transitory network communications," the MPAA would like to argue that just the DNS lookup functionality is an information location tool -- and can thus be censored with just a takedown notice. This is both really slimy (though brilliant in its nefariousness) and insanely dangerous for the internet and free speech. We see so many bogus DMCA takedowns of basic content today, and here the MPAA is looking to effectively and sneakily expand that to whole sites by misrepresenting the law (badly).

DNS is not an "information location tool" in the sense of a search engine. It's the core underpinning of how much of the internet works. At no point in the 16 years the DMCA has been around has anyone made an argument that the DNS system was covered by the "information location tools" definition. Because that's clearly not what it was written to cover. The MPAA's lawyers (in this "confidential" memo) appear to recognize that this argument doesn't fully make sense because of that, but they seem to think it's worth a go:

To be sure, the argument is not guaranteed to succeed, as unlike a “pointer” or “hyperlink text,” DNS provides a user’s browser with specific information (IP routing information) that the user has requested by other means (alphanumeric internet addresses), as opposed to providing the user with an active interface allowing the user to request information online, as they might from a clickable page of search results. But at least in the literal sense, DNS appears to fit within the list of Section 512(d) functions and a reasonable argument can be made that DNS is more like a “directory” than the provision of “routing” and should be treated accordingly under the statute as a Section 512(d) function rather than a Section 512(a) function.
Pushing this argument would raise many of the problems found with the original DNS-breaking proposal in PIPA/SOPA. It would raise even more serious questions about the First Amendment and prior restraint. Effectively, it would be moving the definition of "information location tool" down the stack, such that rather than requiring the removal of access to the specific infringing content, it would require removal of access to an entire site based on a single accusation of infringement. Someone uploaded an infringing video to YouTube? Under this interpretation, the MPAA can force Verizon to make YouTube disappear from the internet for all users relying on Verizon's DNS. The censorship implications are massive here, especially with no court proceeding at all. This wouldn't require anything in court -- just a single takedown notice, of which copyright holders send millions. Rather than sending all those notices to Google and getting them delisted from search, copyright holders could turn the firehose towards Verizon, AT&T and Comcast, and basically take down half the internet on their say so alone. Yes, sites could counternotice, but ISPs would have 10 business days in which they can keep sites off their DNS entirely.

The results would be insane.

And that doesn't even touch on the technical havoc this would wreak. As we've noted earlier, the MPAA admits it's not clear on the technical implications of this plan, but let's just point back to Paul Vixie's discussion of how SOPA/PIPA would break the internet by mucking with the core DNS functionality, no matter how it was implemented.

What this goes back to is the core purpose of DNS, which is merely to translate a hostname (the domain part of a URL) into the numeric IP address a client needs in order to connect. It's not an information location tool for helping people "find" information -- it's just the basic plumbing of how the internet works, and basically every piece of the internet expects it to work that way. You put in a hostname, and DNS returns the IP addresses to connect to. Breaking that, effectively fracturing the internet and creating a patchwork of different DNS systems, would create a huge list of problems not easily fixed.
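The mechanics the memo is leaning on, as an added example (this is not Techdirt's, the MPAA's or any ISP's code): a minimal DNS A-record query builder and response parser in Python, plus a check that compares what an ISP resolver returns for a name against what a third-party resolver returns for the same name. Resolver-level blocking of the kind the memo describes shows up as NXDOMAIN, an empty answer, or an address that matches none of the addresses the other resolver gives. All packets here are constructed inline (addresses come from the RFC 5737 documentation ranges) so the script runs offline; `build_response` exists only to fabricate those sample replies, and the function names are my own.

```python
import struct

QTYPE_A, QCLASS_IN = 1, 1
RCODE_NXDOMAIN = 3


def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Wire-format DNS query for an A record: 12-byte header, then the question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def _read_name(msg: bytes, off: int, max_hops: int = 16):
    """Decode a domain name at `off`, following RFC 1035 compression pointers.
    Returns (name, offset just past the name at its original position)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # two-byte pointer to an earlier name
            hops += 1
            if hops > max_hops:  # a crafted reply can make pointers loop forever
                raise ValueError("compression pointer loop")
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end, jumped = off + 2, True
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    if not jumped:
        end = off
    return ".".join(labels), end


def parse_response(msg: bytes) -> dict:
    """Return the transaction id, RCODE and the A-record addresses in the answer section."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):  # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        _, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append(".".join(str(b) for b in rdata))
    return {"txid": txid, "rcode": flags & 0x000F, "answers": answers}


def build_response(query: bytes, addrs, rcode: int = 0) -> bytes:
    """Fabricate a reply to `query`; used only to construct sample data for this example."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(addrs), 0, 0)  # QR, RD, RA
    rrs = b"".join(
        b"\xc0\x0c"  # pointer to the question name at offset 12
        + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4)
        + bytes(int(octet) for octet in addr.split("."))
        for addr in addrs
    )
    return header + query[12:] + rrs


def classify(isp_reply: bytes, third_party_reply: bytes) -> str:
    """Compare an ISP resolver's answer with a third-party resolver's for the same name."""
    isp, ext = parse_response(isp_reply), parse_response(third_party_reply)
    if ext["rcode"] != 0 or not ext["answers"]:
        return "unresolvable"  # nobody answers: no evidence of blocking
    if isp["rcode"] == RCODE_NXDOMAIN:
        return "blocked:nxdomain"  # the name "does not exist" only on the ISP resolver
    if isp["rcode"] != 0 or not isp["answers"]:
        return "blocked:no_answer"
    if not set(isp["answers"]) & set(ext["answers"]):
        return "blocked:redirected"  # ISP points somewhere else entirely
    return "consistent"


def demo() -> dict:
    """Constructed scenarios; 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges."""
    q = build_query("example.com")
    real = build_response(q, ["192.0.2.10"])
    return {
        "untouched": classify(real, real),
        "takedown_nxdomain": classify(build_response(q, [], rcode=RCODE_NXDOMAIN), real),
        "takedown_blockpage": classify(build_response(q, ["198.51.100.1"]), real),
    }


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario}: {verdict}")
```

Two caveats for anyone running a check like this against live resolvers: differing A records across resolvers are routine for CDN and geo-aware DNS, so "blocked:redirected" is a lead to investigate rather than proof, and the hop limit in `_read_name` is there because a response with self-referencing compression pointers would otherwise spin the parser forever.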

And, yet, because the MPAA can't figure out how to adapt to the times, it appears to be willing to give it a shot. Because, hey, it's better than innovating.

Space

India Successfully Test Fires Its Heaviest Rocket

Posted by timothy
from the might-roar dept.
vasanth (908280) writes India on Thursday moved forward in rocket technology with the successful flight testing of its heaviest next generation rocket and the crew module. The 630-tonne three-stage rocket, Geo-Synchronous Satellite Launch Vehicle Mark III, carried active solid boosters, liquid core stage and a passive cryo stage and a crew module to test its re-entry characteristics. This rocket is capable of doubling the capacity of payloads India can carry into space and it can deposit up to four tonne class of communication satellites into space. India also plans to use this rocket for ferrying Indian astronauts into space. For India, ISRO (the Indian space agency) perfecting the cryogenic engine technology is crucial as India can save precious foreign exchange by launching heavy duty communication satellites by itself.
Math

Cause and Effect: How a Revolutionary New Statistical Test Can Tease Them Apart

Posted by timothy
from the submission-caused-post dept.
KentuckyFC writes Statisticians have long thought it impossible to tell cause and effect apart using observational data. The problem is to take two sets of measurements that are correlated, say X and Y, and to find out if X caused Y or Y caused X. That's straightforward with a controlled experiment in which one variable can be held constant to see how this influences the other. Take for example, a correlation between wind speed and the rotation speed of a wind turbine. Observational data gives no clue about cause and effect but an experiment that holds the wind speed constant while measuring the speed of the turbine, and vice versa, would soon give an answer. But in the last couple of years, statisticians have developed a technique that can tease apart cause and effect from the observational data alone. It is based on the idea that any set of measurements always contain noise. However, the noise in the cause variable can influence the effect but not the other way round. So the noise in the effect dataset is always more complex than the noise in the cause dataset. The new statistical test, known as the additive noise model, is designed to find this asymmetry. Now statisticians have tested the model on 88 sets of cause-and-effect data, ranging from altitude and temperature measurements at German weather stations to the correlation between rent and apartment size in student accommodation. The results suggest that the additive noise model can tease apart cause and effect correctly in up to 80 per cent of the cases (provided there are no confounding factors or selection effects). That's a useful new trick in a statistician's armoury, particularly in areas of science where controlled experiments are expensive, unethical or practically impossible.
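The additive noise test the submission describes, as an added example (this is not the submitter's code nor an implementation from the papers behind the test): regress each variable on the other with a low-degree polynomial, then ask in which direction the residuals look independent of the regressor; the direction with independent residuals is the causal one. The published method uses a kernel independence test (HSIC); the bin-wise mean-squared-residual ratio here is a deliberately simpler stand-in for it, chosen so the script needs nothing beyond the standard library. The data is constructed with the direction known in advance (X uniform, Y = X³ plus uniform noise), and all names are my own.

```python
import random


def polyfit(xs, ys, degree):
    """Least-squares polynomial fit by solving the normal equations
    (Gaussian elimination with partial pivoting; adequate for low degree)."""
    n = degree + 1
    ata = [[sum(x ** (i + j) for x in xs) for j in range(n)] for i in range(n)]
    aty = [sum(x ** i * y for x, y in zip(xs, ys)) for i in range(n)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(ata[r][col]))
        ata[col], ata[pivot] = ata[pivot], ata[col]
        aty[col], aty[pivot] = aty[pivot], aty[col]
        for r in range(col + 1, n):
            f = ata[r][col] / ata[col][col]
            ata[r] = [a - f * b for a, b in zip(ata[r], ata[col])]
            aty[r] -= f * aty[col]
    coef = [0.0] * n
    for i in range(n - 1, -1, -1):
        coef[i] = (aty[i] - sum(ata[i][j] * coef[j] for j in range(i + 1, n))) / ata[i][i]
    return coef  # coef[i] multiplies x**i


def predict(coef, x):
    return sum(c * x ** i for i, c in enumerate(coef))


def dependence_score(regressor, residuals, bins=10):
    """Stand-in for an independence test: sort by the regressor, split into
    equal-count bins, and compare the largest to the smallest mean squared
    residual. Noise that is independent of the regressor gives roughly equal
    bins (score near 1); residuals whose spread or bias tracks the regressor
    give a large score."""
    pairs = sorted(zip(regressor, residuals))
    size = len(pairs) // bins
    mse = []
    for b in range(bins):
        chunk = [r * r for _, r in pairs[b * size:(b + 1) * size]]
        mse.append(sum(chunk) / len(chunk))
    return max(mse) / min(mse)


def anm_scores(xs, ys, degree=3):
    """Fit Y = f(X) + noise and X = g(Y) + noise; score the residuals of each direction."""
    fwd, bwd = polyfit(xs, ys, degree), polyfit(ys, xs, degree)
    res_fwd = [y - predict(fwd, x) for x, y in zip(xs, ys)]
    res_bwd = [x - predict(bwd, y) for x, y in zip(xs, ys)]
    return dependence_score(xs, res_fwd), dependence_score(ys, res_bwd)


def infer_direction(xs, ys, degree=3):
    """The direction whose residuals look independent of the regressor wins."""
    s_xy, s_yx = anm_scores(xs, ys, degree)
    return "X->Y" if s_xy < s_yx else "Y->X"


def make_sample(n=2000, seed=1):
    """Constructed data with a known direction: X is the cause, Y = X**3 plus noise."""
    rng = random.Random(seed)
    xs = [rng.uniform(-1.0, 1.0) for _ in range(n)]
    ys = [x ** 3 + rng.uniform(-0.2, 0.2) for x in xs]
    return xs, ys


if __name__ == "__main__":
    xs, ys = make_sample()
    print(anm_scores(xs, ys), infer_direction(xs, ys))
```

The asymmetry is visible in the scores: in the true direction the residuals are just the injected noise, so every bin has about the same mean squared residual, while the reverse fit leaves residuals whose spread depends strongly on Y. The two limits the submission mentions apply here too: a linear relation with Gaussian noise is the case the model cannot decide, and a hidden common cause of X and Y can make either direction look independent.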

+ - AnandTech bought by Purch, same owner as Tom's Hardware

Submitted by DrunkenTerror
DrunkenTerror (561616) writes "Following founder Anand Lal Shimpi's departure a few months back, seminal tech site AnandTech has been bought by Purch, the same company that owns their 1990s era competitor, Tom's Hardware. Long-time readers shouldn't worry, however, since "AnandTech and Tom's Hardware remain editorially independent, and though no longer competitors, the goal is to learn from one another.""

Techdirt: DOJ Leans On Old Laws And Even Older Cases To Argue Against Privacy Expectations

From feed by feedfeeder
Last month, AT&T entered an amicus brief in the US v. Quartavious Davis case, arguing that law enforcement shouldn't be allowed warrantless access to cell site location data. AT&T's entry into the privacy battle comes after a lengthy silence during which it was very obliging of government requests for customers' data. The crux of its argument was this:

Nothing in those [prior court] decisions contemplated, much less required, a legal regime that forces individuals to choose between maintaining their privacy and participating in the emerging social, political, and economic world facilitated by the use of today's mobile devices or other location-based services.
That's where we are, as far as private citizens are concerned. The government, through its thorough exploitation of the Third Party Doctrine, has basically forced the public to choose between allowing warrantless access to tons of their data (and metadata) or living some sort of off-the-grid lifestyle that doesn't involve generating "business records" via cell phone, internet service, etc.

Some judges and justices have noted that today's connected world would be completely unrecognizable to the judges who made the decisions the government relies so heavily on: namely, Smith vs. Maryland (1979).

The DOJ has entered its brief [pdf link] for the Eleventh Circuit Court's en banc re-hearing of US vs. Davis (2014), and it again attacks the defendant's assertion that he has an expectation of privacy in his cell phone records. While the government does make a good point that it's difficult for Davis to claim privacy expectations in a phone he refused to admit was his, it goes on to attack the premise that anyone has any expectation of privacy in their cell phone records. (All emphasis the DOJ's.)

Davis may not make out a right to be secure in someone else's papers, see U.S. Const. amend. IV, by complaining that those papers contained his location data. Evidence lawfully in the possession of a third party is not his, even if it has to do with him. Indeed, so far as the Fourth Amendment is concerned, Davis could not have prevented MetroPCS from producing the records in question even if they were his.
Here, the government argues that the records you generate by using a cell phone are not yours, nor will they ever be. They belong solely to the company that retains them and, as such, can be obtained with a minimum of paperwork or effort. It expands a bit on this argument a little later in the brief, but the underlying assertion is clear. These records are yours in the fact that they can identify you, but they are not yours should you seek to control access to them.

Certainly Davis could not have prevented the provider from turning over the records, but that skirts some of the issues with this case. AT&T argued that the information it collected was sensitive enough that it should require a warrant to obtain. The government could still obtain these records (as it argues here), but it would need to reach the slightly-higher bar of "probable cause," rather than a court order or a subpoena.

The government leans on the nearly 40-year-old Smith decision as a prelude to its longer dismissal of any additional privacy expectations.

In general, courts have held that phone customers could not have maintained an actual expectation of privacy in routing-related business records made by a phone company to document transactions to which it was a party. See Smith, 442 U.S. at 741-43, 99 S.Ct. at 2580-82; United States v. Gallo, 123 F.2d 229, 231 (2d Cir. 1941). There is no cause to take a different view as to cell tower records.
The DOJ may say that cell phone records are pretty much the same as they've always been, but the dates of the cases cited don't bear this out. One decision is 35 years old. The other is 73 years old. Phone records used to be limited to phone numbers only. Now, they carry additional data, including location -- something that definitely wasn't on the courts' radar 40-70 years ago.

The DOJ then nails the point home, indicting US citizens as complicit in the removal of privacy expectations.

At any rate, Davis is not in a good position to complain that the government improperly obtained his location data, since he himself exposed and revealed to MetroPCS the very information he now seeks to keep private, i.e., the general vicinity information circumstantially inferable from cell tower records.
"Exposed" and "revealed" are pretty harsh terms for something citizens are forced to give up in order to use cell phones. Without a doubt, many would like to keep this information private, but are unable to do so because even though they generate the records, they ultimately have no control over their distribution. Not only that, but they have considerably less access to records they've generated than law enforcement agencies do. The Third Party Doctrine has managed to turn the American public into handy little data generators -- data that the government can avail itself of with nothing more than a subpoena.

The government further asserts that Davis' stated "ignorance" of the fact that cell providers collect and store location data gives him no reason to claim an expectation of privacy. And this is true. Ignorance isn't a worthwhile excuse. But many of us do know providers store this information and yet, there's nothing that can be done about it other than to forgo the use of a cell phone altogether. That's almost an impossibility in this world, but the government maintains the stance that all of this is optional -- that we willingly create a wealth of data for third parties that can be accessed by law enforcement with minimal paperwork, let alone oversight. These are records we have no control over and yet the government is willing to use these against us while pretending we somehow have a choice in the matter.

Notably, the government also leans heavily on the Stored Communications Act to bolster its arguments -- a 30-year-old law that still treats email over 180 days old as not worthy of a warrant. Again, times have changed but applicable decisions and laws haven't. As it stands now, your life -- as stored by third parties -- is an open book.

This isn't a great test case for privacy expectations in cell phone records. Davis refused to admit ownership of the phone linking him to the string of robberies, taking a lot of the wind out of his Fourth Amendment sails in the process. Like the Dread Pirate Roberts/Silk Road case, the government has used the denial of ownership to undercut Fourth Amendment concerns (Ulbricht has denied the servers infiltrated by the FBI are his). Defendants are basically being put in the position of incriminating themselves or abandoning any privacy arguments -- an unenviable position.

But the fact remains that location data can reveal far more about a person than the government is willing to admit. It's not simply a "business record." It's a roadmap to a person's connected existence. There should be an expectation of privacy, especially when the data gathered covers a span of days or weeks. But so far, the laws and the courts back up the government's third party assertions.


