Cyberlock lawyers threaten security researcher over vulnerability disclosure

Submitted by qubezz
qubezz writes: Security researcher Phar (Mike Davis/IOActive) gave his 30 days of disclosure notice to Cyberlock (apparently a company that makes electronic lock cylinders) that he would release a public advisory on vulnerabilities he found with the company's security devices. On day 29, their lawyers responded with a request to refrain, feigning ignorance of the previous notice, and invoking mention of the DMCA (this is not actually a DMCA takedown notice, as the law firm is attempting to suppress initial disclosure through legal wrangling). Mike's blog states:


The previous DMCA threats are from a company called Cyberlock, I had planned to do a fun little blog post (cause i .. hate blog posts) on the fun of how I obtained one, extracted the firmware bypassing the code protection and figured out its "encryption" and did various other fun things a lock shouldn't do for what its marketed as.. But before I could write that post I needed to let them know what issues we have deemed weaknesses in their gear.. the below axe grinderery is the results.

What should researchers do when companies make baseless legal threats to maintain their security-through-obscurity?

The World's Most Wasteful Megacity

Submitted by merbs
merbs writes: The world’s most wasteful megacity is a densely populated, steadily aging, consumerist utopia where we buy, and throw away, a staggering amount of stuff. Where some faucet, toilet, or pipe, is constantly leaking in our apartments. Where an armada of commerce-beckoning lights are always on. Where a fleet of gas-guzzling cars still clog the roadways. I, along with my twenty million or so neighbors, help New York City use more energy, suck down more water, and spew out more solid waste than any other mega-metropolitan area.

Visualizations of Rebel Alliances in the UK Government

Submitted by Anonymous Coward
An anonymous reader writes: I just published this article and thought it might be of interest to Slashdot readers.

It's about a collection of visualizations I created based on public voting data from The Public Whip project, which collects and normalizes voting data from the UK House of Commons. The visualizations show relationships between MPs, with a focus on agreement rates, and more interestingly, rebellion.


Google Can't Ignore The Android Update Problem Any Longer

Submitted by Anonymous Coward
An anonymous reader writes: An editorial at Tom's Hardware makes the case that Google's Android fragmentation problem has gotten too big to ignore any longer. Android 5.0 Lollipop and its successor 5.1 have seen very low adoption rates — 9.0% and 0.7% respectively. Almost 40% of users are still on KitKat. 6% lag far behind on Gingerbread and Froyo. The article points out that even Microsoft is now making efforts to both streamline Windows upgrades and adapt Android (and iOS) apps to run on Windows. If Google doesn't adapt, "it risks having users (slowly but surely) switch to more secure platforms that do give them updates in a timely manner. And if users want those platforms, OEMs will have no choice but to switch to them too, leaving Google with less and less Android adoption." The author also says OEMs and carriers can no longer be trusted to handle operating system updates, because they've proven themselves quite incapable of doing so in a reasonable manner.

French parliament approves new surveillance rules

Submitted by mpicpp
mpicpp writes: The French parliament has approved a controversial law strengthening the intelligence services, with the aim of preventing Islamist attacks.
The law on intelligence-gathering, adopted by 438 votes to 86, was drafted after three days of attacks in Paris in January, in which 17 people died.
The Socialist government says the law is needed to take account of changes in communications technology.
But critics say it is a dangerous extension of mass surveillance.
They argue that it gives too much power to the state and threatens the independence of the digital economy.

Main provisions of the new law:

Define the purposes for which secret intelligence-gathering may be used

Set up a supervisory body, the National Commission for Control of Intelligence Techniques (CNCTR), with wider rules of operation

Authorise new methods, such as the bulk collection of metadata via internet providers


But can the IAEA verify the Iran deal?

Submitted by Lasrick
Lasrick writes: Former International Atomic Energy Agency (IAEA) safeguards analyst Alissa Carrigan looks at an important question that needs an answer: Given the staffing requirements of the verification framework outlined in the Iran deal, can the IAEA actually carry out sufficient verification in Iran? Carrigan breaks down what is required for the IAEA to do its job, and compares the work that will be required in Iran to what the agency did in South Africa and Iraq. Great stuff.

AirMap: App Helps Drone Flyers Navigate Airspace Restrictions

Submitted by Xconomy'sBT
Xconomy'sBT writes: What’s the difference between driving a remote-controlled toy Lamborghini on your driveway and flying a hobby drone to take roof-level aerial videos of your family barbeque? Flying the drone could draw punishment from the Federal Aviation Administration---a potential $10,000 fine for violating national airspace system restrictions. A California company has created a digital map, AirMap, to help recreational drone users navigate within the complex layers of restricted zones around airports, parks, wildlife refuges, and institutions, as well as temporary flight restrictions due to events like the President’s speaking tours.
Few consumers know they’re required to notify airport officials in advance of any plan to fly a drone within a five-mile radius of an airport, says air rights legal expert Gregory McNeal, co-founder of AirMap with aviation entrepreneur and flight instructor Ben Marcus.

From the story at online tech news organization Xconomy:
While the Federal Aviation Administration publishes aeronautical charts of the national airspace system up to 60,000 feet, that’s too much information for a recreational drone user to interpret, McNeal says. AirMap strips away the top layers—where passenger jets fly, for example—to show only the flight restrictions from the ground level up to 500 feet—the region where drones actually operate.
AirMap also gives street-level detail of the boundaries of restricted zones, unlike the scale of FAA charts designed to help aircraft pilots navigate around whole cities, McNeal says. Drone operators need that higher resolution to find out exactly which fields, or specific blocks on a street, are outside the five-mile radius around an airport, for example. The invisible boundary line might fall right through the middle of an intersection or a local park, McNeal says. Commercial drone operators often need the same kind of street-level information. For example, realtors use drones to capture images of individual houses for sale.


Why Was Linux The Kernel That Succeeded?

Submitted by jones_supa
jones_supa writes: One of the most puzzling questions about the history of free and open source software is this: Why did Linux succeed so spectacularly, whereas similar attempts to build a free or open source, Unix-like operating system kernel met with considerably less success? Christopher Tozzi has rounded up some theories, focusing specifically on kernels, not complete operating systems. These theories take a detailed look at the decentralized development structure, pragmatic approach to things, and the rich developer community, all of which worked in favor of Linux.
Input Devices

The Challenge of Getting a Usable QWERTY Keyboard Onto a Dime-sized Screen

Posted by timothy
from the you-will-fail-at-that-task dept.
An anonymous reader writes: Researchers from Spain and Germany are building on Carnegie Mellon's work to attempt to create workable text-input interfaces for wearables, smartwatches and a new breed of IoT devices too small to accommodate even the truncated soft keyboards familiar to phone users. In certain cases, the screen area in which the keyboard must be made usable is no bigger than a dime. Of all the commercial input systems I've used, Graffiti seems like it might be the most suited to such tiny surfaces.
Programming

Is It Worth Learning a Little-Known Programming Language?

Posted by timothy
from the worth-it-to-whom? dept.
Nerval's Lobster writes: Ask a group of developers to rattle off the world's most popular programming languages, and they'll likely name the usual suspects: JavaScript, Java, Python, Ruby, C++, PHP, and so on. Ask which programming languages pay the best, and they'll probably list the same ones, which makes sense. But what about the little-known languages and skill sets (Dice link) that don't leap immediately to mind but nonetheless support some vital IT infrastructure (and sometimes, as a result, pay absurdly well)? Is it worth learning a relatively obscure language or skill set, on the hope that you can score one of a handful of well-paying jobs that require it? The answer is a qualified yes, so long as the language or skill set in question is clearly on the rise. Go, Swift, Rust, Julia and CoffeeScript have all enjoyed rising popularity, for example, which increases the odds that they'll remain relevant for at least the next few years. But a language without momentum behind it probably isn't worth your time, unless you want to learn it simply for the pleasure of learning something new.

Netflix Open-Sources Security Incident Management Tool

Submitted by itwbennett
itwbennett writes: Netflix has released under an open-source license an internal tool it developed to manage a deluge of security alerts and incidents. Called FIDO (Fully Integrated Defense Operation), the tool is designed to research, score and categorize threats in order to speed up handling of the most urgent ones. FIDO is available on GitHub.

The challenge of getting a usable QWERTY keyboard onto a dime-sized screen

Submitted by Anonymous Coward
An anonymous reader writes: Researchers from Spain and Germany are building on Carnegie Mellon's work to attempt to create workable text-input interfaces [http://personales.upv.es/luileito/web/docs/papers/tinyqwerty-chi2015-preprint.pdf] for wearables, smartwatches and a new breed of IoT devices too small to accommodate even the truncated soft keyboards familiar to phone users. In certain cases, the screen area in which the keyboard must be made usable is no bigger than a dime.

Bitcoin's Predecessors, Online Game Currencies, and What We Can Learn From Them

Submitted by HughPickens.com
HughPickens.com writes: Thomas Kim has an interesting paper at PLOS ONE that analyzes virtual currencies in online games that have been voluntarily managed by individuals since the 1990s to study whether the recent price patterns and transaction costs of Bitcoin represent a general characteristic of decentralized virtual currencies. Kim's conclusions:

We find that more mature game currencies have a price volatility of one-third of that of Bitcoin, at a level similar to that of small size equities or gold. The decentralized structure of Bitcoin does not seem to be the cause of the recent price instability, as game currencies are also managed by non-government entities. We observe a similar price instability from the game currencies that are launched around the time when Bitcoin gained much of its current public attention (around the year 2011). The contrast between mature and newly introduced virtual currencies indicates that the Bitcoin price may stabilize over time.

The transaction costs of virtual currencies are sometimes lower than that of real currencies. With more competition among virtual currency exchanges, the transaction costs may drop further making virtual currencies a lower cost alternative to real currency transactions. Economists agree that a properly functioning currency should include a method of transaction, a unit of account, and store value (Yermack [3]). Bitcoin may meet the criteria if it can combine its low transaction costs with more stable prices.

However, there are a few caveats for our projection. Bitcoin is the first virtual currency that is attempting to substitute the role of real currencies. Until this point, other virtual currencies, like game currencies, remain as auxiliary currencies that aid in transactions that real currencies cannot easily do, such as transactions within an online game. Game currencies currently have considerable trading volume, but their role is tied to the gaming industry. It is difficult to estimate how widespread Bitcoin will be. Also, our analysis does not justify that virtual currencies should have greater value. A large volume of Bitcoin trading in these days is speculative trading, betting on the possible appreciation of Bitcoin prices. Speculative trades are necessary to discover the reasonable exchange rates of Bitcoin, but it is unknown when the market will reach the equilibrium. As we demonstrate from the comparison of exchanges with varying degrees of competition, various regulations imposed on Bitcoin exchanges may be a dragging factor in the price discovery process.

Researcher: Drug Infusion Pump is the 'least secure IP device' he's ever seen

Submitted by chicksdaddy
chicksdaddy writes: This is a bad month for the medical equipment maker Hospira. First, security researcher Billy Rios finds a raft of serious and remotely exploitable holes in the company's MedNet software, prompting a vulnerability alert from ICS CERT. Now, one month later, ICS CERT is again warning of a "10 out of 10" critical vulnerability, this time in Hospira's LifeCare PCA drug infusion pump (https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3459).

The problem? According to this report by Security Ledger (https://securityledger.com/2015/05/researcher-drug-pump-the-least-secure-ip-device-ive-ever-seen/), the main problem was an almost total lack of security controls on the device. According to independent researcher Jeremy Williams, the PCA pump listens on Telnet port 23. Connecting to the device via Telnet, he was brought immediately to a root shell account that gave him total, administrator-level access to the pump without authentication. "The only thing I needed to get in was an interest in the pump," he said.

Richards found other examples of loose security on the PCA 3: an FTP server that could be accessed without authentication and an embedded web server that runs Common Gateway Interface (CGI). That could allow an attacker to tamper with the pump's operation using fairly simple scripts.

Also: the PCA pump stores wireless keys used to connect to the local (medical device) wireless network in plain text on the device. That means anyone with physical access to the pump (which has an Ethernet port) could gain access to the local medical device network and other devices on it.
The problems prompted Richards to call the PCA 3 pump "the least secure IP enabled device" he has ever worked with. (http://hextechsecurity.com/?p=123)

Hospira did not respond to requests for comment prior to publication.


Is It Worth Learning a Little-Known Programming Language?

Submitted by Nerval's Lobster
Nerval's Lobster writes: Ask a group of developers to rattle off the world's most popular programming languages, and they'll likely name the usual suspects: JavaScript, Java, Python, Ruby, C++, PHP, and so on. Ask which programming languages pay the best, and they'll probably list the same ones, which makes sense. But what about the little-known languages and skill sets (Dice link) that don't leap immediately to mind but nonetheless support some vital IT infrastructure (and sometimes, as a result, pay absurdly well)? Is it worth learning a relatively obscure language or skill set, on the hope that you can score one of a handful of well-paying jobs that require it? The answer is a qualified yes, so long as the language or skill set in question is clearly on the rise. Go, Swift, Rust, Julia and CoffeeScript have all enjoyed rising popularity, for example, which increases the odds that they'll remain relevant for at least the next few years. But a language without momentum behind it probably isn't worth your time, unless you want to learn it simply for the pleasure of learning something new.