Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror

Comment: Please shame whomever it is (Score 3, Insightful) 141

by stonefoz (#48685281) Attached to: Ask Slashdot: Dealing With Companies With Poor SSL Practices?

Please don't hide whom it is that I might accidentally do business with. Nothing is going to change just sending them an email, they may even go after you for doing so. However you may stop others from being suckered when their poor security becomes everyone else's problem. It's not their problem, it's going to be everyone else's.

First assumption is that there isn't somewhere that'll get broken. Everywhere probably will get successfully attacked at some point. Use a password manager. At least this way, when somewhere is broken, I'm sure that it's the only place where that password is used.

Comment: Re:Digital imitaing analog != Analog (Score 0) 155

by stonefoz (#48117501) Attached to: Liking Analog Meters Doesn't Make You a Luddite (Video)

That's not analog strictly speaking. That is a digital device imitating an analog display. Nothing wrong with that but it isn't the same thing. To be an analog device it has to operate on analog (continuous) signals. Digital devices by definition cannot do more than an approximation of a continuous signal. Possibly a very good approximation but an approximation nonetheless.

Everything is an approximation. Any real signal of any type will contain noise. Analog has a signal/noise ratio for a given design, while digital has the same. Changing a signal into ones and zeros does add noise, however so does everything else.

+ - Internet Explorer 0-day attacks on US nuke workers hit 9 other sites->

Submitted by SternisheFan
SternisheFan (2529412) writes "Ars reports:

Attacks exploiting a previously unknown and currently unpatched vulnerability in Microsoft's Internet Explorer browser have spread to at least nine other websites, including those run by a big European company operating in the aerospace, defense, and security industries as well as non-profit groups and institutes, security researchers said.

The revelation, from a blog post published Sunday by security firm AlienVault, means an attack campaign that surreptitiously installed malware on the computers of federal government workers involved in nuclear weapons research was broader and more ambitious than previously thought. Earlier reports identified only a website belonging to the US Department of Labor as redirecting to servers that exploited the zero-day remote-code vulnerability in IE version 8.

A separate blog post from security firm CrowdStrike said its researchers unearthed evidence suggesting that the campaign began in mid-March. Their analysis of logs from the malicious infrastructure used in the attacks revealed the IP addresses of visitors to the compromised sites. The logs showed addresses from 37 different countries, with 71 percent of them in the US, 11 percent in South/Southeast Asia, and 10 percent in Europe. CrowdStrike's data showed IP addresses before exploit code was run against the visitors' machines. Not all those visitors were likely compromised since the exploit code worked only against people using IE8.

CrowdStrike researchers seemed to concur with their counterparts from Invincea, who—as Ars reported on Friday—said the attacks at least in part targeted people working on sensitive government programs. Malicious links embedded in the Department of Labor website focused on webpages that dealt with illnesses suffered by employees and contractors developing atomic weapons for the Department of Energy. But they went on to say the campaign could be much broader.

"The specific Department of Labor website that was compromised provides information on a compensation program for energy workers who were exposed to uranium," CrowdStrike said. "Likely targets of interest for this site include energy-related US government entities, energy companies, and possibly companies in the extractive sector. Based on the other compromised sites other targeted entities are likely to include those interested in labor, international health and political issues, as well as entities in the defense sector."

Such "watering hole" attacks—which plant malware exploits on websites that are frequented by specific groups or people—have become a common technique in targeted attacks. Once compromised by the IE zero-day, computers are infected with a version of Poison Ivy, a backdoor tool that has been widely used in past espionage campaigns. The command-and-control servers used to communicate with infected machines show signs that they were set up by a Chinese hacking crew known as DeepPanda.

Microsoft confirmed the remote code-execution vulnerability on Friday night. Versions 6, 7, 9, and 10 of the browser are immune to these attacks, so anyone who can upgrade to one of the latest two versions should do so immediately or switch to a different browser. For anyone who absolutely can not move away from IE 8, company researchers recommend the following precautions:

Set Internet and local intranet security zone settings to "High" to block ActiveX

Controls and Active Scripting in these zones

This will help prevent exploitation but may affect usability; therefore, trusted sites should be added to the Internet Explorer Trusted Sites zone to minimize disruption. Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and local intranet security zones This will help prevent exploitation but can affect usability, so trusted sites should be added to the Internet Explorer Trusted Sites zone to minimize disruption.

Users can also install EMET—short for Enhanced Mitigation Experience Toolkit—which adds a variety of exploit mitigations and security defenses and is especially useful for users of older versions of Windows, such as XP.

Technical details about the "use after free" bug are available here from Rapid7. The security firm has already folded attack code exploiting the vulnerability into the Metasploit framework used by security professionals and hackers. Researchers at FireEye have also delved into the exploit circulating online. They found it uses "return oriented programming," a technique used to defeat data-execution prevention and other exploit mitigations. The FireEye researchers said they also verified the exploit works against IE8 on Windows 7.

Microsoft's advisory on Friday said researchers were still investigating the vulnerability. When the inquiry concludes, they will decide whether to release an unscheduled update or provide a fix as part of the company's regular patching cycle. Story updated to add details from FireEye in second-to-last paragraph"

Link to Original Source

Comment: Re:Some are also destroyed/lost (Score 1) 438

by stonefoz (#41711929) Attached to: Vast Bulk of BitCoins Are Hoarded, Not Used

Flash chips do not normally contain JTAG. The WRT54G and phones using ARM have TJAG in the processor. It's for recovery and debugging, allowing the processor to be stopped and manipulated from a computer. If the processor works, TJTAG and USB could be an option.

I would have to recommend against using JTAG. The cheap adapters cost something which is more than free included USB. It is also dog slow. My much older phone would take over 30hours to copy across JTAG with a speed of 256KBs. USB running at full speed still takes around 10min. Newer phones ship with Gigabytes worth of flash, making JTAG alone unreasonable.

Comment: Re:Some are also destroyed/lost (Score 2) 438

by stonefoz (#41696259) Attached to: Vast Bulk of BitCoins Are Hoarded, Not Used

As for your phone. If any part of the proccessor/usb still works you can copy out the flash. It works well for software bricks and could help if at least some of the hardware still works.
If you have to recover the flash by its self, jigs to do so are costly.
http://www.glassechidna.com.au/products/heimdall/

Comment: How big is small office? (Score 1) 224

by stonefoz (#41557055) Attached to: Ask Slashdot: Open Communications Set-Up For Small Office?

How many handsets and how far away to you make calls. For less than 5 handsets or mostly local calls, a simple, simple hardware pbx is still king. It's just not worth the trouble of setting up several thousand dollars worth of gear just to have options you're probably not going to use. Samsung and Tadaran make simple boxes that don't randomly crash or require hours and hours of setup and maintenance.
Voip starts to make sense when you need to have access to phones outside of the office. Asterisk does a good job of patching into any other PBX as a voicemail service and routing calls in/out to voip. Normal calls don't get dropped and VOIP is still a less reliable but still functioning option.
Voip only makes sense when there are many phone in many places with many changes. It's a up front cost of testing all network gear for working QOS. Routers, switches and you're ISP has to have working QOS. When you need everything to talk with everything else, there when you have many many handsets in many places, then worry about having open communications.
For small business though, simple hardware pbx with a few extra ports give options to open it up later.

Comment: Re:Theft? (Score 1) 244

by stonefoz (#41478937) Attached to: Regarding Identity Theft:

Without removing you in the process, how can you're identity be stolen. Stolen identity is surely possible while breaking a multitude of other laws. How is lying to the creditor, to receive illicit gains, not just fraud? If I tell the bank I'm the damn Queen of England, it surely isn't a problem for the Queen of England is it?

Comment: Re:Ubuntu doesn't run on pre-USB boot systems anyw (Score 1) 488

by stonefoz (#37956868) Attached to: Ubuntu 12.04 LTS Won't Fit On a CD

Nope, Ubuntu is targeted heavily at desktop use, as such you're using the wrong time-frame.

Desktops don't do things by hours, they, and even the very very old ones work at times that are much faster than you. A desktop system works at 1/60 of a second. I push a button, I click a mouse, I wave at a camera. All of those things happen and then 1/60 of a second later the display get updated. Most of the time a desktop is usually doing nothing, nothing and nothing a 1/60 at a time. It takes much less shiny shit to fill a 1/60 than you think

Comment: Do you actually need a universal programer? (Score 1) 165

by stonefoz (#37890202) Attached to: Ask Slashdot: Best EEPROM Programmer For a Hobbyists?

They are not cheap and whomever you buy it from will burn you on the software next year. If you only have a handful of chips, most newish thing are serial and have a cheap programmer consisting of a micro and usb converter. SPI, I2C would be best done with a cheap newish design. As for the multi-pin package programmers, it's going to cost, if you value you're sanity at all. I've owned the Willem set and now a Wellon and can't go without having the chip test feature. Willem programmers are simply flaky as they don't do any test until after programing the entire chip.

Can't stress this enough, find a programmer that does test the chip on insertion.

Comment: Imitation Watches at Replica Watches (Score 2, Funny) 69

by stonefoz (#37634664) Attached to: The State of Hacked Accounts

Imitation Watches at Replica Watches

TOP grade Replica Watches of high quality at wholesale prices!
Join the wise shoppers to let your dreams come true.
BEST deals of imitation watches plus FREE shipping!

*PLEASE NOTE*
You are receiving this email because you or some one with your email has subscribed in our website.We have No aim of spamming and at any time if you want to stop receiving email from us,Just use the unsubscribe button At the end of the email,But you will Lose out our Special offers and Make money online news

Unsubscribe me from this list

Image

"Farming" Amoebas Discovered 49

Posted by samzenpus
from the rise-of-amoeba-agriculture dept.
Researchers from Rice University have found a type of amoeba that practices a sort of "primitive farming behavior." When their bacteria food become scarce, the Dictyostelium discoideum will group together and form a "fruiting body" that will disperse bacteria spores to a new area. From the article: "The behavior falls short of the kind of 'farming' that more advanced animals do; ants, for example, nurture a single fungus species that no longer exists in the wild. But the idea that an amoeba that spends much of its life as a single-celled organism could hold short of consuming a food supply before decamping is an astonishing one. More than just a snack for the journey of dispersal, the idea is that the bacteria that travel with the spores can 'seed' a new bacterial colony, and thus a food source in case the new locale should be lacking in bacteria." It's good to know that even a single celled creature is not immune to the pull of Farmville.
Hardware

Installing Linux On ARM-Based Netbooks? 179

Posted by timothy
from the super-easy dept.
An anonymous reader writes "I am sure that many other Slashdotters have noticed an increase in ARM-based netbooks over the past several months. For example, the Augen E-Go. It is a widely touted theory that it is impossible to install Linux on one of these notebooks, replacing the commonly installed Windows CE operating system. The sub-$100 netbooks carry decent specs, including 533MHz ARM processor; 128MB DDR RAM; and a 2GB Flash drive, as well as most expected netbook components (USB, Wi-Fi, etc.). I find it hard to believe that a computer with these specs is impossible to hack and install Linux to, but Google searches have been largely unsuccessful in finding proper information. Do any Slashdot readers have experience in installing ARM Linux distros to these cheap netbooks like this? If so, what distros do they recommend?" (In particular, I wonder if anyone can comment on Ubuntu on ARM.)

Thus mathematics may be defined as the subject in which we never know what we are talking about, nor whether what we are saying is true. -- Bertrand Russell

Working...