Submission: Using Intel Management Engine for productive purposes?

iamacat writes: Not a day goes by without a story about another Intel Management Engine vulnerability. What I get is that a lot of consumer PCs can access the network and run x86 code on top of a UNIX-like OS such as Minix even when powered off. This sounds pretty useful for tasks such as running an occasional-use Plex server. Like I can have a box that draws very little power when idle. But when an incoming connection is detected, it can power itself and the media drive on and serve the requested content. So if Intel ME is so insecure, how do I exploit it for practically useful purposes?

Submission: NASA Readies Big Announcement on Possible Alien Life (infosurhoy.com)

schwit1 writes: NASA has announced a press conference for Thursday and is expected to confirm a major discovery about life beyond earth.

The announcement will be made by the team of scientists who have been studying the several thousand planets discovered by the Kepler space telescope. Kepler is the most successful planet-hunting probe in history, having identified more than 2500 planets with another 2000 candidates that still need to be studied.

Kepler has found several planets orbiting their star in the so-called "Goldilocks Zone," where it is warm enough for liquid water to flow. The announcement may be related to one of those planets.

In issuing the release on the press conference, NASA pointed to a new way of analyzing data from Kepler.

The team at the Kepler Space Telescope has been searching for extra-terrestrial life since 2009, and now they have found something spellbinding. In the course of time, the telescope has found many Earth-sized planets in the habitable zone, and researchers believe that some of them have the possibility to support life. According to NASA officials, this startling discovery was made using machine learning supported by Google.

“The discovery was made by researchers using machine learning from Google. Machine learning is an approach to artificial intelligence, and demonstrates new ways of analyzing Kepler data,” wrote NASA officials in a recently released press release.
Submission: Ask Slashdot: Explaining Programming to Laymen

Grady Martin writes: I disrespect people who describe their work in highfalutin terms, as doing so is often an attempt to hide meaninglessness. This mindset bites me in the ass, however, when describing my own work--as programming solutions to problems is little more than codifying what just about anyone can perceive through intuition. Case in point: Home for the holidays, I was asked about recent accomplishments and attempted to explain the process of producing compact visualizations of branched undo/redo histories. Responses ranged from, "Well, duh," to, "I can already do that in Word."

The comment on Word, I can appreciate. (A hammer only sees nails.) It's the "duh" that I want to address, because of course an elegant solution seems obvious after the fact: Such is the nature of elegance itself.

Does anyone have advice on making elegance sound impressive?

Submission: What are some of the best avenues to retrain someone in IT?

An anonymous reader writes: I was recently hired to manage the IT for a medium sized company. Over the last thirty years or so, the department eventually came to have about five IT "gofers", which eventually got whittled down to just two as the company was losing more and more.

The company got saved and is doing a lot better thanks to some good management and restructuring, but these people have literally been here their entire "career" and are now near retirement. Quite honestly, they do not have any experience other than reinstalling Windows, binding something to the domain and the occasional driver installation and are more than willing to admit this. Given many people are now using Mac and most servers/workstations running Linux, they have literally lost complete control over the company, with most of these machines sitting around completely unmanaged.

Firing these people is nearly impossible, they have a lot of goodwill within other departments, they have quite literally worked there for more than 60 years combined and I've been tasked with attempting to retrain these people in the next 6 months.

Given they still have to do work (imaging computers and fixing basic issues), what are the best ways of retraining people into basic network, Windows, Mac, Linux, and "cloud" first-level helpdesk support?

Submission: Ask Slashdot: What Is Your View On UFO Sightings? Real Or Not?

dryriver writes: UFO sightings have been reported in their tens of thousands over the last decades. In the past, some have seen flying cigar-shaped craft (blimps?), some flying triangles, some more rounded-looking flying saucers. Often the apparent spacecraft does something improbable like standing completely still in the sky and then shooting off to somewhere at an incredible speed. Some sightings are just lights or light formations flying around or dancing around in the night sky — which could be military aircraft like helicopters and F16s training at night. There seem to be people who genuinely see stuff that is hard to explain, people who fake UFO sightings, photos and videos for profit to keep the "UFO industry" of websites, radio shows and magazines afloat, and yet others that think a regular airplane flying at night with its lights on is a UFO. What is your view on all this? Are we being visited from outer space? Is it prototype aircraft that look like UFOs to the untrained eye? Was some 190 IQ inventor-prankster having fun with quadcopter drones with colored lights 4 decades before quadcopters became a thing (hey... tons of people have created fake crop circles in the past)? Where do all these supposed UFO sightings and reports come from? Did events like the famous "Battle Of Los Angeles" actually happen? And do you find any UFO reports credible at all?

Submission: Daimler Tore Apart a Rented Tesla to Learn Its Secrets Then Tried to Return It (roadandtrack.com)

schwit1 writes: If you’re a car company trying to build a better car than your competitor, often you’ll want to pick up one of your competitor’s cars to see just how good they are. Maybe you'll just test it, or maybe you'll even disassemble it in order to learn their secrets.

It seems like Mercedes’ parent company Daimler didn’t think this strategy all the way through. According to a report published in the German magazine Der Spiegel, Daimler picked up a Tesla Model X to put through its paces. Only the Model X in question was rented, not bought, and the car's owners are left paying thousands of dollars in repair costs.

Bavarian couple Manfred van Rinsum and Monika Kindlein often rent out their three Teslas for extra income, using rental company Sixt. When Sixt reached out to them to rent their Model X to an unknown party for seven weeks, the couple didn’t think anything of it.

It was only after they got their car back heavily damaged that the couple started trying to figure out what happened. According to Der Spiegel, the car had been disassembled and screwed back together, as well as being put through several extreme tests, including heat and vibrations.

Altogether, an appraiser estimated that the Tesla sustained around $20,000 in damages thanks to Daimler. Van Rinsum wrote an invoice to the company for over $100,000, adding in expenses due to lost income while the car was being repaired and a fee for breaking the rental contract, which forbids testing and disassembly.

Submission: Amazon drivers forced to deliver 200 parcels a day with no time for toilet break (mirror.co.uk)

schwit1 writes: I hopped in a white van to spend a day with one driver and experience first-hand the intolerable pressures they face from “impossible” schedules.

Many routinely exceed the legal maximum shift of 11 hours and finish their days dead on their feet.

Yet they have so little time for food or toilet stops they snatch hurried meals on the run and urinate into plastic bottles they keep in their vans.

Many claim they are employed in a way that means they have no rights to holiday or sickness pay.

And some say they take home as little as £160 for a five-day week amid conditions described by one lawyer as “almost Dickensian”.

Submission: The reason to use Devuan is hard calculated costs (ungleich.ch)

walterbyrd writes: While I am writing here in flowery words, the reason to use Devuan is hard calculated costs. We are a small team at ungleich and we simply don't have the time to fix problems caused by systemd on a daily basis. This is even without calculating the security risks that come with systemd. Our objective is to create a great, easy-to-use platform for VM hosting, not to walk a tightrope.

Yes, you read right: what the Devuan developers are doing is creating stability. Think about it not in a few repeating systemd bugs or about the insecurity caused by a huge, monolithic piece of software running with root privileges. Why do people favor Linux on servers over Windows? It is very easy: people don't use Windows, because it is too complex, too error prone and not suitable as a stable basis. Read it again. This is exactly what systemd introduces into Linux: error prone complexity and instability.

With systemd the main advantage of using Linux is obsolete.

Submission: Secure Apps Exposed to Hacking via Flaws in Underlying Programming Languages (bleepingcomputer.com)

An anonymous reader writes: Research presented this week at the Black Hat Europe 2017 security conference has revealed that several popular interpreted programming languages are affected by severe vulnerabilities that expose apps built on these languages to attacks. The author of this research is IOActive Senior Security Consultant Fernando Arnaboldi. The expert says he used an automated software testing technique named fuzzing to identify vulnerabilities in the interpreters of five of today's most popular programming languages: JavaScript, Perl, PHP, Python, and Ruby.

The researcher created his own fuzzing framework named XDiFF that broke down programming languages into each of their core functions and fuzzed each one for abnormalities. His work exposed severe flaws in all five languages, such as a hidden flaw in PHP constant names that can be abused to perform remote code execution, and undocumented Python methods that lead to OS code execution. Arnaboldi argues that attackers can exploit these flaws even in the most secure applications built on top of these programming languages.

Submission: Updated Debian Linux 9.3 and 8.10 released

An anonymous reader writes: The Debian project is pleased to announce the third update of its stable distribution Debian 9 (codename stretch). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available. The Debian project also announces the tenth update of its oldstable distribution Debian 8 (codename jessie).

Please note that the point release does not constitute a new version of Debian 9 or 8 but only updates some of the packages included. There is no need to throw away old jessie or stretch DVD/CD media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror. This stable update adds a few important corrections to packages. New installation images will be available soon at the mirrors.

Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release. One can use the apt command or apt-get command to apply updates. A step-by-step update guide is posted here.

Submission: Monster black hole is the oldest ever found (nypost.com)

schwit1 writes: A team led by the Carnegie Observatories’ Eduardo Banados reported in the journal Nature on Wednesday that the black hole lies in a quasar dating to 690 million years after the Big Bang. That means the light from this quasar has been traveling our way for more than 13 billion years.

Banados said the quasar provides a unique baby picture of the universe when it was just 5 percent of its current age.

It would be like seeing photos of a 50-year-old man when he was 2½ years old, according to Banados.

“This discovery opens up an exciting new window to understand the early universe,” he said in an email from Pasadena, California.

Submission: San Diego Comic Con wins trademark. What do we call comic based conventions now? (deseretnews.com)

AlanBDee writes: When I attended the Salt Lake City Comic Con I did assume it was the same organization that put on San Diego Comic Con. I don't think that in any way hurt the organizations of San Diego Comic Con. For that I'm glad they only got $20k in damages. But now I have to wonder how that will affect other Comic Cons around the nation? What should these comic based fan conventions be called if not Comic Con?

Submission: Keylogger Found in HP Notebook Keyboard Driver (bleepingcomputer.com)

An anonymous reader writes: HP has released driver updates for hundreds of notebook models to remove debugging code that an attacker could have abused as a keylogger component. The keylogging code was present in the SynTP.sys file, which is part of the Synaptics Touchpad driver that ships with some HP notebook models. The keylogger behavior was turned off by default, but it could have been enabled via a simple registry key.

The keylogging code appears to be a WPP trace. WPP software tracing is a technique used by app developers and is intended for debugging code during development. HP released a list of affected notebooks. The list is 475 models long and includes 303 consumer notebooks and 172 commercial notebooks, mobile thin clients, and mobile workstations. Affected model lines include HP's 25*, mt**, 15*, OMEN, ENVY, Pavilion, Stream, ZBook, EliteBook, and ProBook series, along with several Compaq models. This is the second time HP engineers forgot a keylogger component inside a driver. The same thing happened in May, when they left similar keylogging code inside an audio driver.

Submission: Chrome 63 Offers Even More Protection From Malicious Sites, Using More Memory (arstechnica.com)

An anonymous reader writes: To further increase its enterprise appeal, Chrome 63—which hit the browser's stable release channel yesterday—includes a couple of new security enhancements aimed particularly at the corporate market. The first of these is site isolation, an even stricter version of the multiple process model that Chrome has used since its introduction. Chrome uses multiple processes for several security and stability reasons. On the stability front, the model means that even if a single tab crashes, other tabs (and the browser itself) are unaffected. On the security front, the use of multiple processes makes it much harder for malicious code from one site to steal secrets (such as passwords typed into forms) of another. [...]

Naturally, this greater use of multiple processes incurs a price; with this option enabled, Chrome's already high memory usage can go up by another 15 to 20 percent. As such, it's not enabled by default; instead, it's intended for use by enterprise users that are particularly concerned about organizational security. The other new capability is the ability for administrators to block extensions depending on the features those extensions need to use. For example, an admin can block any extension that tries to use file system access, that reads or writes the clipboard, or that accesses the webcam or microphone. Additionally, Google has started to deploy TLS 1.3, the latest version of Transport Layer Security, the protocol that enables secure communication between a browser and a Web server. In Chrome 63, this is only enabled between Chrome and Gmail; in 2018, it'll be turned on more widely.

Submission: Poor Left without Heat as China Fights Air Pollution (ft.com)

hackingbear writes: Gas-supply shortages are hitting north and central China as Beijing tries to accelerate a shift away from coal rather than miss environmental targets this year. The situation has left some residents — mainly urban migrants in neighborhoods ringing the cities — without heat as temperatures drop below zero, as the price of liquefied natural gas has been pushed up over 40%. The government had dealt with the “low hanging fruit” of managing large pollution sources such as power plants, but was having a more difficult time addressing diffuse coal use by smaller businesses and residential neighborhoods, said Zhou Xizhou, managing director for Asia gas and power at IHS Markit. “This winter will be interesting for how severe the impact [of the coal control measures] will be. It will set the course for how they deal with it in the future.” Following angry [online] protests several years ago, Chinese Premier Li Keqiang declared "war" on pollution, fearing worsening air could spark wider community unrest.