Follow Slashdot stories on Twitter


Forgot your password?
Slashdot Deals: Deal of the Day - Pay What You Want for the Learn to Code Bundle, includes AngularJS, Python, HTML5, Ruby, and more. ×

Submission + - GlassRAT Targets Chinese Nationals, Lurked for 3 Years Undetected (

chicksdaddy writes: RSA researchers issued a report today ( about a remote access trojan (or RAT) program dubbed “GlassRAT” that they are linking to sophisticated and targeted attacks on “Chinese nationals associated with large multinational corporations," The Security Ledger reports. (

Discovered by RSA in February of this year, GlassRAT was first created in 2012 and “appears to have operated, stealthily, for nearly 3 years in some environments,” in part with the help of a legitimate certificate from a prominent Chinese software publisher and signed by Symantec and Verisign, RSA reports.

The software is described as a “simple but capable RAT” that packs reverse shell features that allow attackers to remotely control infected computers as well as transfer files and list active processes. The dropper program associated with the file poses as the Adobe Flash player, and was named “Flash.exe” when it was first detected.

RSA discovered it on the PC of a Chinese national working for a large, U.S. multi-national corporation. RSA had been investigating suspicious network traffic on the enterprise network. RSA says telemetry data and anecdotal reports suggest that GlassRAT may principally be targeting Chinese nationals or other Chinese speakers, in China and elsewhere, since at least early 2013.

RSA said it has discovered links between GlassRAT and earlier malware families including Mirage, Magicfire and PlugX. Those applications have been linked to targeted campaigns against the Philippine military and the Mongolian government. (

Submission + - A Secretive Air Cargo Operation Is Running in Ohio, and Signs Point to Amazon (

citadrianne writes: In 2013, at the height of the holiday season, a surge of last minute Amazon orders and bad weather left many customers without gifts under the tree on Christmas day.

Amazon said the problem was not due to issues with its warehouses or staff, but failures on the part of UPS and other shipping partners. It apologized and reimbursed some customers with $20 gift cards, but the debacle underscored for Amazon the disadvantages of relying on third party shippers for its delivery process.

Since then, Amazon has been increasingly investing in its own alternatives, from contracting additional couriers to rolling out its own trucks in some cities.

The latest rumored venture into Amazon shipping has a name: Aerosmith.

An air cargo operation by that name launched in September of this year in Wilmington, Ohio on a trial basis. The operation is being run by the Ohio-based aviation holding company Air Transport Services Group, or ATSG, out of a state-of-the art facility. It's shipping consumer goods for a mysterious client that many believe to be Amazon.

Submission + - Fake Bomb Detector, Blamed for Hundreds of Deaths, Is Still in Use writes: Murtaza Hussain writes at The Intercept that although it remains in use at sensitive security areas throughout the world, the ADE 651 is a complete fraud and the ADE-651’s manufacturer sold it with the full knowledge that it was useless at detecting explosives. There are no batteries in the unit and it consists of a swivelling aerial mounted to a hinge on a hand-grip. The device contains nothing but the type of anti-theft tag used to prevent stealing in high street stores and critics have likened it to a glorified dowsing rod.

The story of how the ADE 651 came into use involves the 2003 U.S. invasion of Iraq. At the height of the conflict, as the new Iraqi government battled a wave of deadly car bombings, it purchased more than 7,000 ADE 651 units worth tens of millions of dollars in a desperate effort to stop the attacks. Not only did the units not help, the device actually heightened the bloodshed by creating “a false sense of security” that contributed to the deaths of hundreds of Iraqi civilians. A BBC investigation led to a subsequent export ban on the devices.

The device is once again back in the news as it was reportedly used for security screening at hotels in the Egyptian resort city of Sharm el-Sheikh where a Russian airliner that took off from that city’s airport was recently destroyed in a likely bombing attack by the militant Islamic State group. Speaking to The Independent about the hotel screening, the U.K. Foreign Office stated it would “continue to raise concerns” over the use of the ADE 651. James McCormick, the man responsible for the manufacture and sale of the ADE 651, received a 10-year prison sentence for his part in manufacture of the devices, sold to Iraq for $40,000 each. An employee of McCormick who later became a whistleblower said that after becoming concerned and questioning McCormick about the device, McCormick told him the ADE 651 “does exactly what it’s designed to. It makes money.”

Comment Re:PHP (Score 5, Informative) 191

This is not a PHP thing, but a bad-developer thing.

I guess you didn't read past my first paragraph? Please do.

You can write the same crap in Java, .NET, Python or any language you want.

Go and search the web for tutorials in those languages. You will find that the situation is vastly better with these languages compared with PHP.

That's not PHP's fault.

It is - on many fronts.

Firstly, the language promoted for many, many years, a confusion between the various layers of the application. The whole magic quotes nonsense was an attempt to fix a problem relating to the database layer in the HTTP layer. This confused PHP developers for over a decade, and even though it has since been removed, it was in there for so long that an entire generation of PHP developers had their brains twisted out of shape with this confusion.

Secondly, the official documentation was super bad for years. Security vulnerabilities in the official tutorial for years, for example.

Thirdly, the API design is so bad it practically pushes unsuspecting developers into the wrong solution. addslashes()? No, use mysql_escape_string(). Oh wait, wasn't that mysql_real_escape_string()? Or perhaps mysql_really_really_i_promise_to_do_it_right_this_time_escape_string()?

Finally, the PHP community right from the very top embraces shitty practices, like ignoring failing tests in a release build. Again, a source of security vulnerabilities that simply doesn't need to happen.

Yes, you can write bad code in any language. But that doesn't mean that all languages are equal. PHP is far, far worse at this than its contemporaries and you shouldn't make excuses for it.

Comment PHP (Score 4, Interesting) 191

So why, in 2015, is SQLi still leading to some of the biggest breaches around?

Because typical PHP tutorials still teach old, broken ways of doing things and this shows no signs of abating. Go ahead and search the web for things like php mysql tutorial. The top hits are crap like this, written by incompetent developers who don't know what they are doing. PHP developers learn from crap like that, then they go on to write their own tutorials that are the same or worse.

And before you start, yes, this is something where PHP is stand-out bad. Go ahead and try the same searches with other languages. There is a vast difference in quality of learning materials. I mean, PHP had XSS vulnerabilities in its official tutorials until relatively recently. Newbies don't stand a chance in those circumstances.

Submission + - Anonymous Reportedly "RickRolling" Isis (

retroworks writes: According to a recent tweet from the #OpParis account, Anonymous are delivering on their threat to hack Isis [slashdot, and are now flooding all pro-Isis hastags with the grandfather of all 2007 memes — Rick Aston's "Never Gonna Give You Up" (1987) music video, aka “Rick Roll” meme. Whenever a targeted Isis account tries to spread a message, the topic will instead be flooded with countless videos of Rick Astley circa 1987.

Not all are praising Anonymous methods, however. While Metro UK reports that the attacks have been successful, finding and shutting down 5,500 Twitter accounts, the article also indicates that professional security agencies have seen sources they monitor shut down. Rick Aston drowns out intelligence as well as recruitment.

Submission + - How Close Are We To a Mission on Mars? (

destinyland writes: "NASA is developing the capabilities needed to send humans to an asteroid by 2025 and Mars in the 2030s," reads the official NASA web site. But National Geographic points out that "the details haven't been announced, in large part because such a massive, long-term spending project would require the unlikely support of several successive U.S. presidents." And yet on November 4th, NASA put out a call for astronaut applications "in anticipation of returning human spaceflight launches to American soil, and in preparation for the agency’s journey to Mars," and they're currently experimenting with growing food in space. And this week they not only ordered the first commercial mission to the International Space Station, but also quietly announced that they've now partnered with 22 private space companies.

Comment Pick the Game first, then the Console (Score 1) 373

When shopping for any new gaming console, NEVER pick the hardware first. Since this is for some kids, figure out which games the kids are going to want to play. If any of them are exclusive to one console or the other, then your decision has been made for you. If Gears of War or Halo is on the list, your getting an XBox. If Gran Turismo or Ultra Street Fighter IV are on the list of games that they want to play, get the PS4.

If the games that they want are multi-platform, then the next things to consider are which controller is better in the opinion of the players, and what platform their friends play on (if online competitive play is a drawing point for the kids).


The secret of success is sincerity. Once you can fake that, you've got it made. -- Jean Giraudoux