Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. Also, Slashdot's Facebook page has a chat bot now. Message it for stories and more. ×
Security

Apache Subversion Fails SHA-1 Collision Test, Exploit Moves Into The Wild (arstechnica.com) 26

WebKit's bug-tracker now includes a comment from Friday noting "the bots all are red" on their git-svn mirror site, reporting an error message about a checksum mismatch for shattered-2.pdf. "In some cases, due to the corruption, further commits are blocked," reports the official "Shattered" web site. Slashdot reader Artem Tashkinov explains its significance: A WebKit developer who tried to upload "bad" PDF files generated from the first successful SHA-1 attack broke WebKit's SVN repository because Subversion uses SHA-1 hash to differentiate commits. The reason to upload the files was to create a test for checking cache poisoning in WebKit.

Another news story is that based on the theoretical incomplete description of the SHA-1 collision attack published by Google just two days ago, people have managed to recreate the attack in practice and now you can download a Python script which can create a new PDF file with the same SHA-1 hashsum using your input PDF. The attack is also implemented as a website which can prepare two PDF files with different JPEG images which will result in the same hash sum.

Hardware Hacking

Open Source Car-Hacking Tool Successfully Crowdfunded (kickstarter.com) 25

An anonymous reader writes: Two geeks are crowdfunding an open source car hacking tool that will allow builders to experiment with diagnostics, telematics, security, and prototyping. "Cars have become complicated and expensive to work with," they explain on a Kickstarter page. "Macchina wants to use open source hardware to help break down these barriers and get people tinkering with their cars again." After years developing a beta prototype, they announced a tiny plug-and-play device/development platform (that can also be hardwired under the hood) on an Arduino Due board with a 32-bit ARM microcontroller. They almost immediately reached their $25,000 funding goal, and with 24 days left to go they've already raised $41,672, and they're now also selling t-shirts to benefit the EFF's "Right to Repair" activism.

Challenging "the closed, unpublished nature of modern-day car computers," their M2 device ships with protocols and libraries "to work with any car that isn't older than Google." With catchy slogans like "root your ride" and "the future is open," they're hoping to build a car-hacking developer community, and they're already touting the involvement of Craig Smith, the author of the Car Hacker's Handbook from No Starch Press.

"The one thing that all car hobbyists can agree on is that playing with cars isn't cheap," argues the campaign page. "Open source hardware is the answer!"
Microsoft

94% of Microsoft Vulnerabilities Can Be Mitigated By Turning Off Admin Rights (computerworld.com) 99

An anonymous reader quotes Computerworld: If you want to shut out the overwhelming majority of vulnerabilities in Microsoft products, turn off admin rights on the PC. That's the conclusion from global endpoint security firm Avecto, which has issued its annual Microsoft Vulnerabilities report. It found that there were 530 Microsoft vulnerabilities reported in 2016, and of these critical vulnerabilities, 94% were found to be mitigated by removing admin rights, up from 85% reported last year. This is especially true with the browser, for those who still use Microsoft's browsers. 100% of vulnerabilities impacting both Internet Explorer and Edge could be mitigated by removing admin rights, Avecto reported... Windows 10 was found to have the highest proportion of vulnerabilities of any OS (395), 46% more than Windows 8 and Windows 8.1 (265 each). Avecto found that 93% of Windows 10 vulnerabilities could be mitigated by removing admin rights.
Of course, the stats are based on vulnerabilities announced in Microsoft Security Bulletins, but there's an overwhelming pattern. Turning off admin rights mitigated the vast majority of vulnerabilities, whether it was Windows Server (90%) or older versions of Microsoft Office (99%). And turning off admin rights in Office 2016 mitigated 100% of its vulnerabilities.
The Military

The US Department Of Defense Announces An Open Source Code Repository (defense.gov) 29

"The Pentagon is the latest government entity to join the open-source movement," writes NextGov. An anonymous reader quotes their report: The Defense Department this week launched Code.mil, a public site that will eventually showcase unclassified code written by federal employees. Citizens will be able to use that code for personal and public projects... The Defense Department's Digital Service team, whose members are recruited for short-term stints from companies including Google and Netflix, will be the first to host its code on the site once the agreement is finalized... "This is a direct avenue for the department to tap into a worldwide community of developers to collectively speed up and strengthen the software development process," a DOD post announcing the initiative said. The Pentagon also aims to find software developers and "make connections in support of DOD programs that ultimately service our national security."
Interestingly, there's no copyright protections on code written by federal employees, according to U.S. (and some international) laws, according to the site. "This can make it hard to attach an open source license to our code, and our team here at Defense Digital Service wants to find a solution. You can submit a public comment by opening a GitHub issue on this repository before we finalize the agreement at the end of March."
Transportation

Did Silicon Valley Lose The Race To Build Self-Driving Cars? (autoblog.com) 82

schwit1 quotes Autoblog: Up until very recently the talk in Silicon Valley was about how the tech industry was going to broom Detroit into the dustbin of history. Companies such as Apple, Google, and Uber -- so the thinking went -- were going to out run, out gun, and out innovate the automakers. Today that talk is starting to fade. There's a dawning realization that maybe there's a good reason why the traditional car companies have been around for more than a century.

Last year Apple laid off most of the engineers it hired to design its own car. Google (now Waymo) stopped talking about making its own car. And Uber, despite its sky high market valuation, is still a long, long way from ever making any money, much less making its own autonomous cars. To paraphrase Elon Musk, Silicon Valley is learning that "Making rockets is hard, but making cars is really hard."

The article argues the big auto-makers launched "vigorous in-house autonomous programs" which became fully competitive with Silicon Valley's efforts, and that Silicon Valley may have a larger role crunching the data that's collected from self-driving cars. "Last year in the U.S. market alone Chevrolet collected 4,220 terabytes of data from customer's cars... Retailers, advertisers, marketers, product planners, financial analysts, government agencies, and so many others will eagerly pay to get access to that information."
Earth

Professors Claim Passive Cooling Breakthrough Via Plastic Film (sciencemag.org) 137

What if you could cool buildings without using electricity? charlesj68 brings word of "the development of a plastic film by two professors at the University of Colorado in Boulder that provides a passive cooling effect." The film contains embedded glass beads that absorb and emit infrared in a wavelength that is not blocked by the atmosphere. Combining this with half-silvering to keep the sun from being the source of infrared absorption on the part of the beads, and you have a way of pumping heat at a claimed rate of 93 watts per square meter.
The film is cheap to produce -- about 50 cents per square meter -- and could create indoor temperatures of 68 degrees when it's 98.6 outside. "All the work is done by the huge temperature difference, about 290C, between the surface of the Earth and that of outer space," reports The Economist.
Botnet

UK Police Arrest Suspect Behind Mirai Malware Attacks On Deutsche Telekom (bleepingcomputer.com) 19

An anonymous reader writes: "German police announced Thursday that fellow UK police officers have arrested a suspect behind a serious cyber-attack that crippled German ISP Deutsche Telekom at the end of November 2016," according to BleepingComputer. "The attack in question caused over 900,000 routers of various makes and models to go offline after a mysterious attacker attempted to hijack the devices through a series of vulnerabilities..." The attacks were later linked to a cybercrime groups operating a botnet powered by the Mirai malware, known as Botnet #14, which was also available for hire online for on-demand DDoS attacks.

"According to a statement obtained by Bleeping Computer from Bundeskriminalamt (the German Federal Criminal Police Office), officers from UK's National Crime Agency (NCA) arrested a 29-year-old suspect at a London airport... German authorities are now in the process of requesting the unnamed suspect's extradition, so he can stand trial in Germany. Bestbuy, the name of the hacker that took credit for the attacks, has been unreachable for days."

Space

Slooh Observatory Is Webcasting Today's Rare 'Ring of Fire' Eclipse (space.com) 19

An anonymous reader quotes Space.com A solar eclipse and its spectacular "ring of fire" will be visible from the Southern Hemisphere this Sunday morning, but no matter what side of the equator you're on, you can watch the spectacular event unfold online in a live broadcast from Slooh's online observatory...beginning at 7 a.m. EST (1200 GMT)... This type of eclipse is called an annular eclipse, meaning that the sun will remain visible as a bright ring around the moon...

Slooh will present the eclipse in live feeds from Chile and other locations. "During the broadcast, Slooh host Gerard Monteux will guide viewers on this journey across multiple continents and thousands of miles," Slooh said in a statement. "He'll be joined by a number of guests who will help viewers explore not only the science of eclipses, but also the fascinating legend, myth, and spiritual and emotional expression associated with these most awe-inspiring celestial events."

United States

The Videogame Industry Is Fighting 'Right To Repair' Laws (vice.com) 202

An anonymous reader quotes Motherboard: The video game industry is lobbying against legislation that would make it easier for gamers to repair their consoles and for consumers to repair all electronics more generally. The Entertainment Software Association, a trade organization that includes Sony, Microsoft, Nintendo, as well as dozens of video game developers and publishers, is opposing a "right to repair" bill in Nebraska, which would give hardware manufacturers fewer rights to control the end-of-life of electronics that they have sold to their customers...

Bills making their way through the Nebraska, New York, Minnesota, Wyoming, Tennessee, Kansas, Massachusetts, and Illinois statehouses will require manufacturers to sell replacement parts and repair tools to independent repair companies and consumers at the same price they are sold to authorized repair centers. The bill also requires that manufacturers make diagnostic manuals public and requires them to offer software tools or firmware to revert an electronic device to its original functioning state in the case that software locks that prevent independent repair are built into a device. The bills are a huge threat to the repair monopolies these companies have enjoyed, and so just about every major manufacturer has brought lobbyists to Nebraska, where the legislation is currently furthest along... This setup has allowed companies like Apple to monopolize iPhone repair, John Deere to monopolize tractor repair, and Sony, Microsoft, and Nintendo to monopolize console repair...

Motherboard's reporter was unable to get a comment from Microsoft, Apple, and Sony, and adds that "In two years of covering this issue, no manufacturer has ever spoken to me about it either on or off the record."
Businesses

How Cable Monopolies Hurt ISP Customers (backchannel.com) 65

"New York subscribers have had to overpay month after month for services that Spectrum deliberately didn't provide," reports Backchannel -- noting these practices are significant because together Comcast and Charter (formerly Time Warner Cable) account for half of America's 92 million high-speed internet connections. An anonymous reader quotes Backchannel: Based on the company's own documents and statements, it appears that just about everything it has been saying since 2012 to New York State residents about their internet access and data services is untrue...because of business decisions the company deliberately made in order to keep its capital expenditures as low as possible... Its marketing department kept sending out advertising claims to the public that didn't match the reality of what consumers were experiencing or square with what company engineers were telling Spectrum executives. That gives the AG's office its legal hook: Spectrum's actions in knowingly saying one thing but doing another amount to fraudulent, unfair, and deceptive behavior under New York law...

The branding people went nuts, using adjectives like Turbo, Extreme, and Ultimate for the company's highest-speed 200 or 300 Mbps download offerings. But no one, or very few people, could actually experience those speeds...because, according to the complaint, the company deliberately required that internet data connections be shared among a gazillion people in each neighborhood... [T]he lawsuit won't by itself make much of a difference. But maybe the public nature of the attorney-general's assault -- charging Spectrum for illegal misconduct -- will lead to a call for alternatives. Maybe it will generate momentum for better, faster, wholesale fiber networks controlled by cities and localities themselves. If that happened, retail competition would bloom. We'd get honest, straightforward, inexpensive service, rather than the horrendously expensive cable bundles we're stuck with today.

The article says Spectrum charged 800,000 New Yorkers $10 a month for outdated cable boxes that "weren't even capable of transmitting and receiving wifi at the speeds the company advertised customers would be getting," then promised the FCC in 2013 that they'd replace them, and then didn't. "With no competition, it had no reason to upgrade its services. Indeed, the company's incentives went exactly in the other direction."
Open Source

GitHub Invites Contributions To 'Open Source Guides' (infoq.com) 53

An anonymous reader quotes InfoQ: GitHub has recently launched its Open Source Guides, a collection of resources addressing the most common scenarios and best practices for both contributors and maintainers of open source projects. The guides themselves are open source and GitHub is actively inviting developers to participate and share their stories... "Open source is complicated, especially for newcomers. Experienced contributors have learned many lessons about the best way to use, contribute to, and produce open source software. Everyone shouldn't have to learn those lessons the hard way."

Making a successful first contribution is not the exclusive focus of the guides, though, which also strives to make it easier to find users for a project, starting a new project, and building healthy open source communities. Other topics the guides dwell on are best practices, getting financial support, metrics, and legal matters.

GitHub's Head of Open Source says the guides create "the equivalent of a water cooler for the community."
Security

Ask Slashdot: How Are You Responding To Cloudbleed? (reuters.com) 75

An anonymous IT geek writes: Cloudflare-hosted web sites have been leaking data as far back as September, according to Gizmodo, which reports that at least Cloudflare "acted fast" when the leak was discovered, closing the hole within 44 minutes, and working with search engines to purge their caches. (Though apparently some of it is still lingering...) Cloudflare CEO Matthew Prince "claims that there was no detectable uptick in requests to Cloudflare-powered websites from September of last year...until today. That means the company is fairly confident hackers didn't discover the vulnerability before Google's researchers did."

And the company's CTO also told Reuters that "We've seen absolutely no evidence that this has been exploited. It's very unlikely that someone has got this information... We do not know of anybody who has had a security problem as a result of this." Nevertheless, Fortune warns that "So many sites were vulnerable that it doesn't make sense to review the list and change passwords on a case-by-case basis." Some sites are now even resetting every user's password as a precaution, while site operators "are also being advised to wipe their sites' cookies and security certificates, and perform their own web searches to see if site data leaked." But I'd like to know what security precautions are being taken by Slashdot's readers?

Leave your own answers in the comments. How did you respond to Cloudbleed?
GameCube (Games)

Machine-Learning AI Now Beats Humans At Super Smash Bros. Melee (qz.com) 71

"The AI is definitely godlike," one professional player told Quartz. "I am not sure if anyone could beat it." An anonymous reader quotes their report about an AI's showdown with the best players of Super Smash Bros. Melee: Of 10 professionals that faced the bot, each one was killed more than they could kill the bot... But the bot was once only as good as a mere mortal. At first, Vlad Firoiu, creator and a competitive Smash player himself, couldn't train 'Phillip' to be as strong as the in-game bot, which he says even the worst players can beat fairly easily. Firoiu's solution? He started making the bot play itself over and over again, slowly learning which techniques fail and which succeed, called reinforcement learning. Then, he left it alone.

"I just sort of forgot about it for a week," said Firoiu, who coauthored an unreviewed paper with William F. Whitney, the NYU student [who helped him] on the work. "A week later I looked at it and I was just like, 'Oh my gosh.' I tried playing it and I couldn't beat it."

Business Insider points out that their AI read the players positions, velocities, and states directly from the game's memory, so the AI responds six times faster than a human player. To compensate it played as Captain Falcon, the game's slowest character, but there was one crucial glitch. "One particularly clever player found that the simple strategy of crouching at the edge of the stage caused the network to behave very oddly, refusing to attack and eventually KOing itself by falling off the other side of the stage."
Open Source

Linus Torvalds On Git's Use Of SHA-1: 'The Sky Isn't Falling' (zdnet.com) 178

Google's researchers specifically cited Git when they announced a new SHA-1 attack vector, according to ZDNet. "The researchers highlight that Linus Torvald's code version-control system Git 'strongly relies on SHA-1' for checking the integrity of file objects and commits. It is essentially possible to create two Git repositories with the same head commit hash and different contents, say, a benign source code and a backdoored one,' they note." Saturday morning, Linus responded: First off - the sky isn't falling. There's a big difference between using a cryptographic hash for things like security signing, and using one for generating a "content identifier" for a content-addressable system like git. Secondly, the nature of this particular SHA1 attack means that it's actually pretty easy to mitigate against, and there's already been two sets of patches posted for that mitigation. And finally, there's actually a reasonably straightforward transition to some other hash that won't break the world - or even old git repositories...

The reason for using a cryptographic hash in a project like git is because it pretty much guarantees that there is no accidental clashes, and it's also a really really good error detection thing. Think of it like "parity on steroids": it's not able to correct for errors, but it's really really good at detecting corrupt data... if you use git for source control like in the kernel, the stuff you really care about is source code, which is very much a transparent medium. If somebody inserts random odd generated crud in the middle of your source code, you will absolutely notice... It's not silently switching your data under from you... And finally, the "yes, git will eventually transition away from SHA1". There's a plan, it doesn't look all that nasty, and you don't even have to convert your repository. There's a lot of details to this, and it will take time, but because of the issues above, it's not like this is a critical "it has to happen now thing".

In addition, ZDNet reports, "Torvalds said on a mailing list yesterday that he's not concerned since 'Git doesn't actually just hash the data, it does prepend a type/length field to it', making it harder to attack than a PDF... Do we want to migrate to another hash? Yes. Is it game over for SHA-1 like people want to say? Probably not."
Piracy

Seven Film Studios Want 41 Web Sites Blocked By Australian ISPs (computerworld.com.au) 40

angry tapir writes: A group of film studios is undertaking what is set to be the most significant use so far of Australia's anti-piracy laws, which allow rights holders to apply for court orders that can compel ISPs to block their customers from accessing certain piracy-linked sites. A pair of rights holders last year successfully obtained court orders forcing Australia's most popular ISPs to block a handful of sites including The Pirate Bay. Now Village Roadshow wants to have 41 more sites blocked.
Village Roadshow joined six other studios in requesting an injunction Friday in federal court, reports Computerworld. And meanwhile, "a separate site-blocking application has been launched by Australian music labels, which are seeking to have Telstra, Optus, TPG and Foxtel's broadband arm block access to Kickass Torrents."

Slashdot Top Deals