Linux RNG May Be Insecure After All 240

Okian Warrior writes "As a followup to Linus's opinion about people skeptical of the Linux random number generator, a new paper analyzes the robustness of /dev/urandom and /dev/random . From the paper: 'From a practical side, we also give a precise assessment of the security of the two Linux PRNGs, /dev/random and /dev/urandom. In particular, we show several attacks proving that these PRNGs are not robust according to our definition, and do not accumulate entropy properly. These attacks are due to the vulnerabilities of the entropy estimator and the internal mixing function of the Linux PRNGs. These attacks against the Linux PRNG show that it does not satisfy the "robustness" notion of security, but it remains unclear if these attacks lead to actual exploitable vulnerabilities in practice.'" Of course, you might not even be able to trust hardware RNGs. Rather than simply proving that the Linux PRNGs are not robust thanks to their run-time entropy estimator, the authors provide a new property for proving the robustness of the entropy accumulation stage of a PRNG, and offer an alternative PRNG model and proof that is both robust and more efficient than the current Linux PRNGs.
The Courts

DOJ: Defendant Has No Standing To Oppose Use of Phone Records 396

An anonymous reader writes with news of a man caught by the NSA dragnet for donating a small sum of money to an organization that the federal government considered terrorist in nature. The man is having problems mounting an appeal. From the article: "Seven months after his conviction, Basaaly Moalin's defense attorney moved for a new trial, arguing that evidence collected about him under the government's recently disclosed dragnet telephone surveillance program violated his constitutional and statutory rights. ... The government's response (PDF), filed on September 30th, is a heavily redacted opposition arguing that when law enforcement can monitor one person's information without a warrant, it can monitor everyone's information, 'regardless of the collection's expanse.' Notably, the government is also arguing that no one other than the company that provided the information — including the defendant in this case — has the right to challenge this disclosure in court." This goes far beyond the third party doctrine, effectively prosecuting someone and depriving them of the ability to defend themselves by declaring that they have no standing to refute the evidence used against them.

Java Spec Compatibility Weakened Android's TLS Encryption 82

sfcrazy writes "It has been discovered that Google downgraded the SSL encryption of Android after version 2.3.4 and defaulted to RC4 and MD5 ciphers. It may appear that NSA is at play here as both are broken and can be easily compromised. But after digging the code Georg Lukas concluded that the blame goes to Oracle. 'The cipher order on the vast majority of Android devices was defined by Sun in 2002 and taken over into the Android project in 2010 as an attempt to improve compatibility.'" The Java spec from 2002 specified RC4 and MD5 as the first two ciphers for TLS; Android, however, used DHE-RSA-AES256-SHA by default. The default cipher list for Java 7 was updated, but Android is stuck using JDK 6 and a default cipher list over a decade old.

RMS: How Much Surveillance Can Democracy Withstand? 264

Covalent writes "RMS describes how much surveillance is too much (hint: it's all too much) and how to combat, circumvent, and prevent future surveillance. How much of what is suggested is plausible? How much is just a pipe dream? Discuss!" The article contains an extensive list of things we do that give too much data to centralized organization, and offers solutions to combat all of them. From the article: "The goal of making journalism and democracy safe therefore requires that we reduce the data collected about people by any organization, not just by the state. We must redesign digital systems so that they do not accumulate data about their users. If they need digital data about our transactions, they should not be allowed to keep them more than a short time beyond what is inherently necessary for their dealings with us."

Support For NASA Spending Depends On Perception of Size of Space Agency Budget 205

MarkWhittington writes "Alan Steinberg, a post doctorate fellow in political science at Sam Houston State University, conducted a study surrounding the vexing problem of how to motivate more people to support increased levels of funding for NASA. In an October 14, 2013 piece in The Space Review, Steinberg announced the results of a study conducted with a group of college students. Steinberg's approach was based on the findings of a study by Roger Launius conducted in the late 1990s that suggested that the American public believe that NASA spending takes up about 20 percent of the federal budget. It has in fact never exceeded four percent, which it enjoyed at the height of the Apollo program, and is currently about .5 percent. Steinberg was testing a notion advanced by Neil deGrasse Tyson that if people knew the true size of NASA's budget they would be more likely to support increasing it."

Imagination Tech Announces MIPS-based 'Warrior P-Class' CPU Core 122

MojoKid writes "Imagination Technologies has announced the first CPU based on its new version of the MIPS architecture. The new P5600 chip (codenamed Warrior) is a 32-bit CPU based on the MIPS Series 5 architecture and is designed to challenge companies like ARM in the embedded and mobile markets. Major features of the new chip include: support for 40-bit memory extensions, or up to 1TB of RAM, a 128-bit SIMD engine (Single Instruction, Multiple Data), and Hardware virtualization (MIPS R5 can virtualize other machines in hardware). The P5600 core is being touted as supporting up to six cores in a cache-coherent link, most likely similar to ARM's CCI-400. According to IT, the chip is capable of executing 3.5 DMIPs/MHz in CoreMark, which theoretically puts the P5600 on par with the Cortex-A15."

Why Small-Scale Biomass Energy Projects Aren't a Solution To Climate Change 178

Lasrick writes "Roberto Bissio has an excellent piece in a roundtable on biomass energy, pointing out that small scale biomass energy projects designed for people in poor countries aren't really a solution to climate change. After pointing out that patent protections could impede wide-spread adoption, Bissio adds that the people in these countries aren't really contributing to climate change in the first place: 'Why? Because poor people, whose carbon emissions these technologies would reduce, produce very little carbon in the first place. As I mentioned in Round One, the planet's poorest 1 billion people are responsible for only 3 percent of global carbon emissions. The 1.26 billion people whose countries belong to the Organization for Economic Co-operation and Development account for 42 percent of emissions. The rich, if they reduced their emissions by just 8 percent, could achieve more climate mitigation than the poor could achieve by reducing their emissions to zero. The rich could manage this 8 percent reduction by altering their lifestyles in barely noticeable ways. For the poor, a reduction of 100 percent would imply permanent misery.'"

Broadcom Laying Off LTE and Modem Design Employees 71

Dawn Kawamoto writes "Within days of closing its deal to acquire LTE-related assets from Renesas Electronics, Broadcom is now taking the hatchet to its own internal LTE and modem design team members by doling out pink slips. Although several hundred Broadcom workers in the U.S. and overseas are getting layoff notices, the figure could go substantially higher because the company expects to cut roughly $45 million in operating expenses relating to the deal between now and the next 12 months."

Gravity: Can Film Ever Get the Science Right? 438

dryriver writes in with a story lamenting the lack of accurate science in movies. "The relationship between science and science fiction has always been tempestuous. Gravity focuses on two astronauts stranded in space after the destruction of their space shuttle. Since Gravity's US release (it comes to the UK in November) many critics have praised the film for its scientific accuracy. But noted astrophysicist Dr Neil deGrasse Tyson, director of the Hayden Planetarium at the American Museum of Natural History in New York, had several issues with the accuracy of Gravity's portrayal of space. Through a series of posts on Twitter, Tyson — who later emphasized that he 'enjoyed the film very much' — highlighted various errors. He noted the Hubble space telescope (orbiting at 350 miles above sea level), the International Space Station (at 250 miles), and a Chinese space station could never be in line of sight of one another. On top of that, most satellites orbit west to east, yet in the film the satellite debris was seen drifting east to west. Tyson also noted how Sandra Bullock's hair did not float freely as it would in zero-gravity. This is arguably not so much an error in physics, but a reflection of the limitations of cinematic technology to accurately portray actors in zero-gravity. That is, of course, without sending them into space for the duration of the film. The Michael Bay film Armageddon is known for its woeful number of inaccuracies, from the space shuttles separating their rocket boosters and fuel tanks in close proximity to each other (risking a collision) and to objects falling on to the asteroid under a gravitational pull seemingly as strong as the Earth's. More than one interested observer tried to work out how big the bomb would have to be to blow up an asteroid in the way demanded in the movie. Answer: Very big indeed. Nasa is reported to have even used Armageddon as part of a test within their training program, asking candidates to identify all the scientific impossibilities within the film."
United States

Lessons From the Healthcare.gov Fiasco 501

Nerval's Lobster writes "In theory, the federal government's Health Insurance Marketplace was supposed to make things easy for anyone in the market for health insurance. But fourteen days after the Website made its debut, the online initiative—an integral part of the Obama administration's Affordable Care Act—has metastasized into a disaster. Despite costing $400 million (so far) and employing an army of experienced IT contractors (such as Booz Allen Hamilton and CGI Group), the Website is prone to glitches and frequent crashes, frustrating many of those seeking to sign up for a health-insurance policy. Unless you're the head of a major federal agency or a huge company launching an online initiative targeted at millions of users, it's unlikely you'll be the one responsible for a project (and problems) on the scale of the Health Insurance Marketplace. Nonetheless, the debacle offers some handy lessons in project management for Websites and portals of any size: know your IT specifications (federal contractors reportedly didn't receive theirs until a few months ago), choose management capable of recognizing the problems that arise (management of Healthcare.gov was entrusted to the Medicare and Medicaid agency, which didn't have the technical chops), roll out small if possible, and test, test, test. The Health Insurance Marketplace fiasco speaks to an unfortunate truth about Web development: even when an entity (whether public or private, corporation or federal government) has keen minds and millions of dollars at its disposal, forgetting or mishandling the basics of successful Web construction can lead to embarrassing problems."

Book Review: Getting Started With Drupal Commerce 37

Michael Ross writes "An online store is one of the most common use cases for a website nowadays. For those web developers and business owners who choose the current version of Drupal as a basis for such an e-commerce project, the canonical solution is Drupal Commerce. There are numerous online resources for learning Commerce, and yet for the longest time no printed book. Now we have Getting Started with Drupal Commerce, written by Richard Jones." Read below for the rest of Michael's review.

Ford, University of Michigan Open Next-Generation EV Battery Research Lab 67

cartechboy writes "Its no secret that one constraint on electric vehicle adoption is battery production capacity and cost. Right now battery costs add thousands of dollars in price tags on electric vehicles, so the race is on to gain capacity make cheaper batteries. Today, Ford and the University of Michigan are announcing an $8 million EV experimental battery research lab to try and accelerate this type of early testing. The lab, which will be on campus in Ann Arbor, Michigan, will allow automakers, battery makers and individual researchers to test battery cells earlier in the process than ever. The lab says it will have strict controls to protect each entity's individual intellectual property as the research in theory happens all in one place."

What's Lost When a Meeting Goes Virtual 96

nbauman writes "This summer, NASA's Lunar Science Forum became the largest scientific gathering to embrace the new world of cyber meetings. The experience drew mixed reviews, according to a report in Science magazine. Mihály Horányi, who has been a regular, sat down at his computer at 1:45 p.m. on the first day of the conference and began talking into a webcam perched above the screen. 'Last year it was a performance. This year it meant staring at myself, being annoyed that I kept leaning in and out of the picture, and thinking, "Boy, am I getting old."' He and other participants say the virtual conference was a pale imitation of the real thing. At previous forums, 'You see your friends, you ask about their kids, and then the discussion flows into the science.' He participated much less this year, 2 hours a day. In addition to the physical challenge of sitting at one's computer for hours on end, participants say that their day jobs competed for their attention. 150 to 200 people "attended" at any one time. Even without distractions, the quality of the interaction was much lower than in person. 'I received a handful of short comments [from my talk] and had maybe one e-mail exchange,' Horányi recalls. One scientist who didn't present this year—and who listened to only one talk after the fact—said that he much prefers an in-person meeting because 'you get a much better sense of how the audience is reacting to what you're saying, especially any negative feedback.'"

Grocery Store "Smart Shelves" Will Identify Customers, Show Targeted Ads 274

cagraham writes "Snack company Mondelez International (maker of Oreos, Trident, Cadbury eggs) will introduce so-called 'smart shelves' into store checkout aisles beginning 2015. The shelves will use Microsoft's Kinect software, in addition to other tech, to identify shoppers age and sex, and will then use that info to deliver demographically tailored advertisements. The shelves will be able to track engagement, monitor how long customer's watch each ad, and offer discounts if a customer is considering a purchase (weight sensors will tell the machine if you pick up a product). Mondelez says the software will only use and collect aggregate data, and will not record any video or photos."
United States

Brazil Announces Secure Email To Counter US Spying 165

Hugh Pickens DOT Com writes "Phys Org reports that Brazilian President Dilma Rousseff has announced her government is creating a secure email system to try and shield official communications from spying by the United States and other countries. 'We need more security on our messages to prevent possible espionage,' Rousseff said on Twitter, ordering the Federal Data Processing Service, or SERPRO, to implement a safe email system throughout the federal government. The move came after Rousseff publicly condemned spying against Brazilian government agencies attributed to the United States and Canada. 'This is the first step toward extending the privacy and inviolability of official posts,' Rousseff said. After bringing her complaints against U.S. intelligence agencies to the United Nations General Assembly last month and canceling a state visit to Washington, Rousseff announced that the country will host an international conference on Internet governance in April."

Slashdot Top Deals