Facebook will open source its modular network routing software Open/R, currently used in its backbone and data center networks, which "provides a platform to disseminate state across the network and allows new applications to be built on top of it." An anonymous reader quotes TechCrunch: Facebook obviously has unique scale needs when it comes to running a network. It has billions of users doing real-time messaging and streaming content at a constant clip. As with so many things, Facebook found that running the network traffic using traditional protocols had its limits and it needed a new way to route traffic that didn't rely on the protocols of the past, Omar Baldonado, Engineering Director at Facebook explained... While it was originally developed for Facebook's Terragraph wireless backhaul network, the company soon recognized it could work on other networks too including the Facebook network backbone, and even in the middle of Facebook network, he said. Given the company's extreme traffic requirements where the conditions were changing so rapidly and was at such scale, they needed a new way to route traffic on the network. "We wanted to find per application, the best path, taking into account dynamic traffic conditions throughout the network," Baldonado said.

But Facebook also recognized that it could only take this so far internally, and if they could work with partners and other network operators and hardware manufacturers, they could extend the capabilities of this tool. They are in fact working with other companies in this endeavor including Juniper and Arista networks, but by open sourcing the software, it allows developers to do things with it that Facebook might not have considered, and their engineering team finds that prospect both exciting and valuable.
"Most protocols were initially designed based on constrained hardware and software environment assumptions from decades ago," Facebook said in its announcement. "To continue delivering rich, real-time, and highly engaging user experiences over networks, it's important to accelerate innovation in the routing domain."

schwit1 shares a report from Aviation Today: A team of government, industry and academic officials successfully demonstrated that a commercial aircraft could be remotely hacked in a non-laboratory setting last year, a DHS official said Wednesday at the 2017 CyberSat Summit in Tysons Corner, Virginia. "We got the airplane on Sept. 19, 2016. Two days later, I was successful in accomplishing a remote, non-cooperative, penetration. [Which] means I didn't have anybody touching the airplane, I didn't have an insider threat. I stood off using typical stuff that could get through security and we were able to establish a presence on the systems of the aircraft." Hickey said the details of the hack and the work his team are doing are classified, but said they accessed the aircraft's systems through radio frequency communications, adding that, based on the RF configuration of most aircraft, "you can come to grips pretty quickly where we went" on the aircraft. Patching avionics subsystem on every aircraft when a vulnerability is discovered is cost prohibitive, Hickey said. The cost to change one line of code on a piece of avionics equipment is $1 million, and it takes a year to implement. For Southwest Airlines, whose fleet is based on Boeing's 737, it would "bankrupt" them. Hickey said newer models of 737s and other aircraft, like Boeing's 787 and the Airbus Group A350, have been designed with security in mind, but that legacy aircraft, which make up more than 90% of the commercial planes in the sky, don't have these protections.

An anonymous reader quotes a report from Tom's Hardware: Intel's Management Engine (ME) technology is built into almost all modern Intel CPUs. At the Embedded Linux Conference, a Google engineer named Ronald Minnich revealed that the ME is actually running its own entire MINIX OS and that Google is working on removing it. Due to MINIX's presence on every Intel system, the barebones Unix-like OS is the most widely deployed operating system in the world. Intel's ME technology is a hardware-level system within Intel CPUs that consists of closed-source firmware running on a dedicated microprocessor. There isn't much public knowledge of the workings of the ME, especially in its current state. It's not even clear where the hardware is physically located anymore.

What's concerning Google is the complexity of the ME. Public interest in the subject piqued earlier this year when a vulnerability was discovered in Intel's Active Management Technology (AMT), but that's just a software that runs on ME--ME is actually an entire OS. Minnich's presentation touched on his team's discovery that the OS in question is a closed version of the open-source MINIX OS. The real focus, though, is what's in it and the consequences. According the Minnich, that list includes web server capabilities, a file system, drivers for disk and USB access, and, possibly, some hardware DRM-related capabilities. It's not known if all this code is explicitly included for current or future ME capabilities, or if it's because Intel simply saw more potential value in keeping rather than removing it.

schwit1 writes: The U.S. Environmental Protection Agency (EPA) has approved the use of a common bacterium to kill wild mosquitoes that transmit viruses such as dengue, yellow fever and Zika, Nature's news team has learned. On November 3rd, the agency told biotechnology start-up MosquitoMate that it could release the bacterium Wolbachia pipientis into the environment as a tool against the Asian tiger mosquito (Aedes albopictus). Lab-reared mosquitoes will deliver the bacterium to wild mosquito populations. The decision -- which the EPA has not formally announced -- allows the company, which is based in Lexington, Kentucky, to release the bacteria-infected mosquitoes in 20 U.S. states and Washington DC.

MosquitoMate will rear the Wolbachia-infected A. albopictus mosquitoes in its laboratories, and then sort males from females. Then the laboratory males, which don't bite, will be released at treatment sites. When these males mate with wild females, which do not carry the same strain of Wolbachia, the resulting fertilized eggs don't hatch because the paternal chromosomes do not form properly. The company says that over time, as more of the Wolbachia-infected males are released and breed with the wild partners, the pest population of A. albopictus mosquitoes dwindles. Other insects, including other species of mosquito, are not harmed by the practice, says Stephen Dobson, an entomologist at the University of Kentucky in Lexington and founder of MosquitoMate.

You asked, he answered!

For Slashdot's 20th anniversary -- and the 23rd anniversary of the first release of Red Hat Linux -- here's a special treat.

Red Hat CEO Jim Whitehurst has responded to questions submitted by Slashdot readers. Read on for his answers...

A new report from IGN this morning explains why it took so long for backwards compatibility to be supported on the Xbox One. Microsoft veteran Kevin La Chapelle says the answer to the question can be found in 2015 -- the year that Phil Spencer announced backwards compatibility at Microsoft's Xbox E3 media briefing. From the report: The fan-first feature has evolved from an experiment conducted by two separate Microsoft Research teams into a service planned for Xbox One's launch -- complete with hardware hooks baked into the Durango silicon -- until the well-publicized changes to the Xbox One policies (namely, stripping out the always-online requirement for the console) forced it to be pushed to the back burner. It's obviously back for good now, and expanding into original Xbox compatibility of select titles on Xbox One (the first batch of which we announced today). Even the Xbox One X is getting involved, with a handful of Xbox 360 games getting Scorpio-powered enhancements like 10-bit color depth, anisotropic filtering, and up to 9x additional pixel counts displayed on screen. [...]

It was 2007. One of [the research] teams was working on PowerPC CPU emulation -- getting 32-bit code, which the 360 uses, to run on the 64-bit architecture that the third-generation Xbox would be using. The other team, out of Beijing, started writing a virtual GPU emulator based on the Xbox 360 GPU architecture. "These were like peanut butter and chocolate," Microsoft VP of Xbox software engineering Kareem Choudhry recalled. "[So we thought,] 'Why don't we put them both together?'" Choudhry did just that, and so the first steps to Xbox One backwards compatibility were taken, long before the console had a name or anything remotely resembling final specifications. As Durango crystallized, so too did plans for Xbox 360 compatibility on the new machine. "This was primarily a software exercise, but we enabled that by thinking ahead with hardware," Gammill explained. "We had to bake some of the backwards compatibility support into the [Xbox One] silicon." This was done back in 2011. Preliminary tests showed that support for key Xbox middleware XMA audio and texture formats was extremely taxing to do in software alone, with the former, Gammill noted, taking up two to three of the Xbox One's six CPU cores. But a SOC (system on chip) -- basically an Xbox 360 chip inside every Xbox One, similar to how Sony put PS2 hardware inside the launch-era PS3s -- would've not only been expensive, but it would've put a ceiling on what the compatibility team could do. "If we'd have gone with the 360 SOC, we likely would've landed at just parity," he said. "The goal was never just parity." So they built the XMA and texture formats into the Xbox One chipset...

An anonymous reader quotes PCMag: In a Wednesday blog post, Redmond examined Google's browser security and took the opportunity to throw some shade at Chrome's security philosophy, while also touting the benefits of its own Edge browser. The post, written by Microsoft security team member Jordan Rabet, noted that Google's Chrome browser uses "sandboxing" and isolation techniques designed to contain any malicious code. Nevertheless, Microsoft still managed to find a security hole in Chrome that could be used to execute malicious code on the browser.

The bug involved a Javascript engine in Chrome. Microsoft notified Google about the problem, which was patched last month. The company even received a $7,500 reward for finding the flaw. However, Microsoft made sure to point out that its own Edge browser was protected from the same kind of security threat. It also criticized Google for the way it handled the patching process. Prior to the patch's official rollout, the source code for the fix was made public on GitHub, a software collaboration site that hosts computer code. That meant attentive hackers could have learned about the vulnerability before the patch was pushed out to customers, Microsoft claimed. "In this specific case, the stable channel of Chrome remained vulnerable for nearly a month," the blog post said. "That is more than enough time for an attacker to exploit it."
In the past Google has also disclosed vulnerabilities found in Microsoft products -- including Edge.

"A trio of data scientists developed a betting strategy to beat bookmakers at football games," writes austro. [The game Americans call soccer.] New Scientist reports: The team studied 10 years' worth of data on nearly half a million football matches and the associated odds offered by 32 bookmakers between January 2005 and June 2015. When they applied their strategy in a simulation, they made a return of 3.5 per cent. Making bets randomly resulted in a loss of 3.32 per cent. Then the team decided to try betting for real. They developed an online tool that would apply their odds-averaging formula to upcoming football matches. When a favorable opportunity arose, a member of the team would email Kaunitz and his wife, one of whom then placed a bet.

They kept this up for five months, placing $50 bets around 30 times a week. And they were winning. After five months the team had made a profit of $957.50 -- a return of 8.5 per cent. But their streak was cut short. Following a series of several small wins, the trio were surprised to find that their accounts had been limited, restricting how much they could bet to as little as $1.25. The gambling industry has long restricted players who appear to show an edge over the house, says Mark Griffiths at Nottingham Trent University, UK.
The paper "illustrates how the sports gambling industry compensates market inefficiencies with discriminatory practices against successful clients," adds austro, noting that the researchers posted a paper explaining their methodology on arxiv last week. "They also made the dataset and source code available on github. And best of all, they made an online publicly available dashboard that shows a live list of bet recommendations on football matches based on their strategy here or here for anyone to try."

Hyatt Hotels has suffered a second card data breach in two years. In the first breach, hackers had gained access to credit card systems at 250 properties in 50 different countries. This time, the breach appears to have impacted 41 properties across 11 countries. Krebs on Security reports: Hyatt said its cyber security team discovered signs of unauthorized access to payment card information from cards manually entered or swiped at the front desk of certain Hyatt-managed locations between March 18, 2017 and July 2, 2017. "Upon discovery, we launched a comprehensive investigation to understand what happened and how this occurred, which included engaging leading third-party experts, payment card networks and authorities," the company said in a statement. "Hyatt's layers of defense and other cybersecurity measures helped to identify and resolve the issue. While this incident affects a small percentage of total payment cards used at the affected hotels during the at-risk dates." The hotel chain said the incident affected payment card information -- cardholder name, card number, expiration date and internal verification code -- from cards manually entered or swiped at the front desk of certain Hyatt-managed locations. It added there is no indication that any other information was involved.

schwit1 quotes the Mercury News: In an explosive new allegation, a renowned architect has accused Google of racketeering, saying in a lawsuit the company has a pattern of stealing trade secrets from people it first invites to collaborate. Architect Eli Attia spent 50 years developing what his lawsuit calls "game-changing new technology" for building construction. Google in 2010 struck a deal to work with him on commercializing it as software, and Attia moved with his family from New York to Palo Alto to focus on the initiative, code-named "Project Genie." The project was undertaken in Google's secretive "Google X" unit for experimental "moonshots."

But then Google and its co-founders Larry Page and Sergey Brin "plotted to squeeze Attia out of the project" and pretended to kill it but used Attia's technology to "surreptitiously" spin off Project Genie into a new company, according to the lawsuit... This week, a judge in Santa Clara County Superior Court approved the addition of racketeering claims to the lawsuit originally filed in 2014. Attia's legal team uncovered six other incidents in which Google had engaged in a "substantially similar fact pattern of misappropriation of trade secrets" from other people or companies, according to a July 25 legal filing from Attia.
Wired reported yesterday that Project Loon -- also a Google X project -- "is embroiled in a lawsuit with Space Data, a small company accusing Alphabet of patent infringement, misappropriation of trade secrets, and breach of contract following a failed acquisition bid."

The lawyer for the racketeering suit complains Google can deploy a "virtually unlimited budget to fight these things in court."

dryriver writes: Chinese researchers have taken tissue from a beta-thallasemia patient, created cloned embryos from that patient's cells, and used a genetic editing technique known as Base Editing to correct the gene mutation that causes beta-thallasemia. The embryos were not implanted in a womb, so no actual babies were created during the procedure. The BBC reports: "Precise 'chemical surgery' has been performed on human embryos to remove disease in a world first, Chinese researchers have told the BBC. The team at Sun Yat-sen University used a technique called base editing to correct a single error out of the three billion 'letters' of our genetic code. They altered lab-made embryos to remove the disease beta-thalassemia. The embryos were not implanted. The team says the approach may one day treat a range of inherited diseases. Base editing alters the fundamental building blocks of DNA: the four bases adenine, cytosine, guanine and thymine. Base editing works on the DNA bases themselves to convert one into another. Prof David Liu, who pioneered base editing at Harvard University, describes the approach as 'chemical surgery.' He says the technique is more efficient and has fewer unwanted side-effects than Crispr. He told the BBC: 'About two-thirds of known human genetic variants associated with disease are point mutations. So base editing has the potential to directly correct, or reproduce for research purposes, many pathogenic [mutations].'"

In 1970 mathematician John Conway created rules for the "Game of Life," a now famous "zero-player game" where a grid of cells evolves (following Conway's rules) from an initial state proposed by the player. In 2013 someone challenged readers of StackExchange's "Programming Puzzles & Code Golf" section to devise an initial state "that will allow for the playing of a game of Tetris."

An anonymous Slashdot reader reports that "This challenge sat around, gathering upvotes but no answer, for four years. Then, it was answered." Citing the work of seven contributors, a massive six-part response says their solution took one and a half years to create, and "began as a quest but ended as an odyssey." The team created their own assembly language, known as QFTASM (Quest for Tetris Assembly) for use within Conway's mathematical universe, and then also designed their own processor architecture, and eventually even a higher-level language that they named COGOL. Their StackExchange response includes a link to all of their code on GitHub, as well as to a page where you can run the code online.

One StackExchange reader hailed the achievement as "the single greatest thing I've ever scrolled through while understanding very little."

An anonymous reader shares a report: Security researchers from Adguard have issued a warning that the popular GO Keyboard app is spying on users. Produced by Chinese developers GOMO Dev Team, GO Keyboard was found to be transmitting personal information about users back to remote servers, as well as "using a prohibited technique to download dangerous executable code." Adguard made the discovery while conducting research into the traffic consumption and unwanted behavior of various Android keyboards. The AdGuard for Android app makes it possible to see exactly what traffic an app is generating, and it showed that GO Keyboard was making worrying connections, making use of trackers, and sharing personal information. Adguard notes that there are two versions of the keyboard in Google Play which it claims have more than 200 million users in total.

An anonymous reader quotes BleepingComputer: The Slovak National Security Office (NBU) has identified ten malicious Python libraries uploaded on PyPI -- Python Package Index -- the official third-party software repository for the Python programming language. NBU experts say attackers used a technique known as typosquatting to upload Python libraries with names similar to legitimate packages -- e.g.: "urlib" instead of "urllib." The PyPI repository does not perform any types of security checks or audits when developers upload new libraries to its index, so attackers had no difficulty in uploading the modules online.

Developers who mistyped the package name loaded the malicious libraries in their software's setup scripts. "These packages contain the exact same code as their upstream package thus their functionality is the same, but the installation script, setup.py, is modified to include a malicious (but relatively benign) code," NBU explained. Experts say the malicious code only collected information on infected hosts, such as name and version of the fake package, the username of the user who installed the package, and the user's computer hostname. Collected data, which looked like "Y:urllib-1.21.1 admin testmachine", was uploaded to a Chinese IP address. NBU officials contacted PyPI administrators last week who removed the packages before officials published a security advisory on Saturday."
The advisory lays some of the blame on Python's 'pip' tool, which executes arbitrary code during installations without requiring a cryptographic signature.

Ars Technica also reports that another team of researchers "was able to seed PyPI with more than 20 libraries that are part of the Python standard library," and that group now reports they've already received more than 7,400 pingbacks.

According to Bleeping Computer, a WordPress plug that goes by the name Display Widgets has been used to install a backdoor on WordPress sites across the internet for the past two and a half months. While the WordPress.org team removed the plugin from the official WordPress Plugins repository, the plugin managed to be installed on more than 200,000 sites at the time of its removal. The good news is that the backdoor code was only found between Display Widgets version 2.6.1 (released June 30) and version 2.6.3 (released September 2), so it's unlikely everyone who installed the plugin is affected. WordPress.org staff members reportedly removed the plugin three times before for similar violations. Bleeping Computer has compiled a history of events in its report, put together with data aggregated from three different investigations by David Law, White Fir Design, and Wordfence. The report adds: The original Display Widgets is a plugin that allowed WordPress site owners to control which, how, and when WordPress widgets appear on their sites. Stephanie Wells of Strategy11 developed the plugin, but after switching her focus to a premium version of the plugin, she decided to sell the open source version to a new developer who would have had the time to cater to its userbase. A month after buying the plugin in May, its new owner released a first new version -- v2.6.0 -- on June 21.

A thriving ecosystem of websites that allow users to automatically generate millions of fake "likes" and comments on Facebook has been documented by researchers at the University of Iowa. From a report: Working with a computer scientist at Facebook and one in Lahore, Pakistan, the team found more than 50 sites offering free, fake "likes" for users' posts in exchange for access to their accounts, which were used to falsely "like" other sites in turn. The scientists found that these "collusion networks" run by spammers have managed to harness the power of one million Facebook accounts, producing as many as 100 million fake "likes" on the systems between 2015 and 2016. A large number of "likes" can push a posting up in Facebook's algorithm, making it more likely the post will be seen by more people and also making it seem more legitimate.

An anonymous reader writes from a report via Bleeping Computer: An attacker can downgrade components of the Android TrustZone technology -- a secure section of smartphone CPUs -- to older versions that feature known vulnerabilities. The attacker can then use previously published exploit code to attack up-to-date Android OS versions. The research team proved their attack in tests on devices running the ARM TrustZone technology, such as Samsung Galaxy S7, Huawei Mate 9, Google Nexus 5, and Google Nexus 6. They replaced updated versions of the Widevine trustlet with an older version that was vulnerable to CVE-2015-6639, a vulnerability in Android's Qualcomm Secure Execution Environment (QSEE) -- Qualcomm's name for its ARM TrustZone version that runs on Qualcomm chips. This vulnerability allows attackers root level access to the TrustZone OS, which indirectly grants the attack control over the entire phone. The research paper is available here, and one of the researcher's authors explains the attack chain in an interview here.

Taringa, also known as "The Latin American Reddit," has been compromised in a massive data breach that has resulted in the leaked login credentials of almost all of its over 28 million users. The Hackers News reports: The Hacker News has been informed by LeakBase, a breach notification service, who has obtained a copy of the hacked database containing details on 28,722,877 accounts, which includes usernames, email addresses and hashed passwords for Taringa users. The hashed passwords use an ageing algorithm called MD5 -- which has been considered outdated even before 2012 -- that can easily be cracked, making Taringa users open to hackers. Wanna know how weak is MD5? LeakBase team has already cracked 93.79 percent (nearly 27 Million) of hashed passwords successfully within just a few days. The data breach reportedly occurred last month, and the company then alerted its users via a blog post: "It is likely that the attackers have made the database containing nicks, email addresses and encrypted passwords. No phone numbers and access credentials from other social networks have been compromised as well as addresses of bitcoin wallets from the Taringa program! Creators." the post (translated) says. "At the moment there is no concrete evidence that the attackers continue to have access to the Taringa code! and our team continues to monitor unusual movements in our infrastructure."

An anonymous reader writes: Android bootloader components from five major chipset vendors are affected by vulnerabilities that break the CoT (Chain of Trust) during the Android OS boot-up sequence, opening devices to attacks. The vulnerabilities were discovered with a new tool called BootStomp, developed by nine computer scientists from the University of California, Santa Barbara. Researchers analyzed five bootloaders from four vendors (NVIDIA, Qualcomm, MediaTek, and Huawei/HiSilicon). Using BootStomp, researchers identified seven security flaws, six new and one previously known (CVE-2014-9798). Of the six new flaws, bootloader vendors already acknowledged five and are working on a fix. "Some of these vulnerabilities would allow an attacker to execute arbitrary code as part of the bootloader (thus compromising the entire chain of trust), or to perform permanent denial-of-service attacks," the research team said (PDF). "Our tool also identified two bootloader vulnerabilities that can be leveraged by an attacker with root privileges on the OS to unlock the device and break the CoT."

theodp writes: Most TV computer scientists are still white men," USA Today reports. "Google wants to change that. Google is calling on Hollywood to give equal screen time to women and minorities after a new study the internet giant funded found that most computer scientists on television shows and in the movies are played by white men. The problem with the hackneyed stereotype of the socially inept, hoodie-clad white male coder? It does not inspire underrepresented groups to pursue careers in computer science, says Daraiha Greene, Google CS in Media program manager, multicultural strategy." According to a Google-funded study conducted by Prof. Stacy L. Smith and the Media, Diversity, & Social Change Initiative at the USC Annenberg School for Communication and Journalism, Google's Computer Science in Media team conducted "CS interventions" with "like-minded people" to create "Google influenced storytelling." The executive summary for a USC study entitled Cracking the Code: The Prevalence and Nature of Computer Science Depictions in Media notes that "Google influenced" TV programs include HBO's Silicon Valley and AMC's Halt and Catch Fire. The USC researchers also note that "non-tech focused programs may offer prime opportunities to showcase CS in unique and counter-stereotypical ways. As the Google Team moves forward in its work with series such as Empire, Girl Meets World, Gortimer Gibbons Life on Normal Street, or The Amazing Adventures of Gumball, it appears the Team is seizing these opportunities to integrate CS into storytelling without a primary tech focus." The study adds, "In the case of certain series, we provided on-going advisement. The Fosters, Miles from Tomorrowland, Halt and Catch Fire, Ready, Jet, Go, The Powerpuff Girls and Odd Squad are examples of this. In addition to our continuing interactions, we engaged in extensive PR and marketing support including social media outreach, events and press."

Google's TV interventions have even spilled over into public education -- one of Google-sponsored Code.org's signature Hour of Code tutorials last December was Gumball's Coding Adventure, inspired by the Google-advised Cartoon Network series, The Amazing Adventures of Gumball. "We need more students around the world pursuing an education in CS, particularly girls and minorities, who have historically been underrepresented in the field," explains a Google CS First presentation for educators on the search giant's Hour of Code partnership with Cartoon Network. "Based on our research, one of the reasons girls and underrepresented minorities are not pursuing computer science is because of the negative perception of computer scientists and the relevance of the field beyond coding." According to a 2015 USC report, President Obama was kept abreast of efforts to challenge media's stereotypical portrayals of women; White House Visitor Records show that USC's Smith, the Google-funded study's lead author, and Google CS Education in Media Program Manager Julie Ann Crommett (now at Disney) were among those present when the White House Council on Women and Girls met earlier that year with representatives of the nation's leading toy makers, media giants, retailers, educators, scientists, the U.S. Dept. of Education, and philanthropists.