
Submission + - Researchers Say PHP SuperGlobal Variables Are Critical Security Risks

Trailrunner7 writes: The ease with which PHP applications can be subverted should be pretty apparent by now given the number of botnets supported by compromised sites hosting PHP code.

The biggest culprit in the PHP universe may be a set of nine variables called SuperGlobals that provide programmers with development flexibility yet introduce dangerous vulnerabilities that allow attackers to externally modify these variables and run code of their choosing, conduct remote file inclusion, or bypass intrusion detection signatures.

Research released today by Imperva calls for a ban on SuperGlobal variables, vulnerabilities in which can be exploited to break application logic and hack servers hosting the wonky code. The result could be anything from fraud against online banking customers to loss of personal data.
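As an added example (not code from the story or the Imperva report), here is the pattern the research warns about: a PHP page loader that uses the `$_GET` SuperGlobal directly as an include path, beside a version that maps the request value through an allowlist instead. `PAGE_DIR` and the page names are constructed for illustration.

```php
<?php
// Constructed example: a "page loader" that builds an include path straight
// from the $_GET SuperGlobal, beside a hardened version of the same feature.

const PAGE_DIR = __DIR__ . '/pages';   // constructed location of page templates

// Vulnerable: $_GET['page'] is attacker-supplied, so the include path is
// attacker-controlled. That is local file inclusion, and remote file inclusion
// as well when allow_url_include is enabled in php.ini.
function load_page_vulnerable(): void
{
    include $_GET['page'] . '.php';
}

// Hardened: never turn a SuperGlobal value into a path. Look the value up in
// a fixed allowlist of known pages and reject anything that is not a key.
function load_page_hardened(array $get): bool
{
    $allowed = [
        'home'  => 'home.php',
        'about' => 'about.php',
    ];
    $page = $get['page'] ?? 'home';
    // Arrays (page[]=x) and unknown names are both rejected before any include.
    if (!is_string($page) || !array_key_exists($page, $allowed)) {
        http_response_code(400);
        return false;
    }
    require PAGE_DIR . '/' . $allowed[$page];
    return true;
}

load_page_hardened($_GET);
```

The same rule applies to the other SuperGlobals: `$_POST`, `$_COOKIE`, `$_REQUEST` and most of `$_SERVER` carry request-controlled data and should be validated against an expected shape before they touch a path, a query or a shell.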

Submission + - How to foil NSA sabotage: use a dead man's switch (theguardian.com) 4

mspohr writes: Cory Doctorow has an interesting idea published in today's Guardian on how to approach the problem of NSA "gag orders" which prevent web sites, etc. from telling anyone that they have been compromised. His idea is to set up a "dead man" switch where a site would publish a statement that "We have not been contacted by the government" ... until, of course, they were contacted and compromised. The statement would then disappear since it would no longer be true.
He points out a few problems... Not making the statement could be considered a violation of disclosure... but, can the government force you to lie and state that you haven't been contacted when you actually have?

Comment Silicon Valley Culture (Score 2) 762

About two weeks ago we had this story: Silicon Valley's Loony Cheerleading Culture is Out Of Control.

Titstare just seems like a satire on the completely pointless app genre that seems to be the new popular thing to do if you are a young hip coder looking to score big in the new social/app bubble we are in.

Didn't Facebook start as a way to rank girls' appearance at Harvard? Who's to fault these guys, they could be the next Zuckerberg. Titstare is (however tongue-in-cheek) indicative of the trend of creating valueless apps and hyping them up to billion dollar status and then selling to the highest bidder trying to reinvigorate their failing business (example: AOL/MySpace/HuffPost).

Submission + - TSA is officially allowed to lie to you in order to cover itself

zoan2013 writes: Blogger Johnathan Corbett reports that the remaining claims of his lawsuit against the TSA were dismissed on Tuesday with US District Judge Joan A. Lenard basically saying the TSA doesn't have to tell the truth in TSA-related FOIA requests. (Full dismissal order here.) Judge Lenard also refused to allow the 19 previously dismissed charges to be appealed while the rest were being decided. Corbett is now appealing to the Court of Appeals for the 11th Circuit, and is considering filing a complaint of judicial misconduct against Lenard.

Comment Re:"Former U.S. official" (Score 1) 743

That may very well be true but I still don't believe that if the person had to be responsible for their words they would say it. I guess my point is that if someone in the media said to me: "We have decided that you are a credible source but we won't publish your name if you give us a statement; what's your opinion on subject X that supports our narrative?" I would be inclined to be hyperbolic and grandiose more so than if my name would be printed next to my quotation.

Submission + - What Snowden and Manning Don't Understand About Secrecy 4

Hugh Pickens DOT Com writes: Investigative journalist Mark Bowden writes in the Atlantic that what is troubling about Bradley Manning and Edward Snowden is not that they broke the oaths they swore when they took their classified government jobs, but the indiscriminate nature of their leaks, proceeding from a Julian Assange-influenced, comic-book vision of the world where all governments are a part of an evil plot against humanity. Bowden, the author of "Black Hawk Down" and "The Finish: The Killing of Osama Bin Laden", says there are many legitimate reasons for governments to keep secrets, among them the need to preserve the element of surprise in military operations or criminal investigations, to permit leaders and diplomats to bargain candidly, and to protect the identities of those we ask to perform dangerous and difficult missions; and the most famous leakers in American history were motivated not by a general opposition to secrecy but by a desire to expose specific wrongdoing. "Mark Felt, the 'Deep Throat' who helped steer Bob Woodward and Carl Bernstein's Watergate reporting, understood that the Nixon Administration was energetically abusing the powers of the presidency. Daniel Ellsberg copied and leaked the Pentagon Papers because they showed that the White House and Pentagon had never really believed the lies they were telling about the Vietnam War." There have been a few things in the Manning and Snowden leaks that might have warranted taking a principled stand, says Bowden, but the great bulk of what they delivered shows our nation's military, intelligence agencies, and foreign service working hard at their jobs: doing the things we the people, through our elected representatives, have ordered them to do. "Both Manning and Snowden strike me not as heroes, but as naifs. Neither appears to have understood what they were getting themselves into, and, more importantly, what they were doing."

Submission + - Inside the 2013 U.S. intelligence 'black budget' (washingtonpost.com)

i_want_you_to_throw_ writes: U.S. spy agencies have built an intelligence-gathering colossus since the attacks of Sept. 11, 2001, but remain unable to provide critical information to the president on a range of national security threats, according to the government’s top secret budget.

The $52.6 billion “black budget” for fiscal 2013, obtained by The Washington Post from former intelligence contractor Edward Snowden, maps a bureaucratic and operational landscape that has never been subject to public scrutiny. Although the government has annually released its overall level of intelligence spending since 2007, it has not divulged how it uses those funds or how it performs against the goals set by the president and Congress.

Comment "Former U.S. official" (Score 4, Insightful) 743

Sometimes I feel that these "former U.S. officials" and "anonymous staff members" should STFU. It just seems like they use their anonymity to say random shit that will create headlines and stroke their ego. The "don't hire brilliant people" quotation is just stupid. No one that would have to be responsible for their words would say that.

Submission + - Stop Blaming Indian Companies for Visa Abuse (bloomberg.com)

walterbyrd writes: It is amazing, in this racially enlightened century, that we still see members of the U.S. Congress demonizing an ethnic group. Yet that is what happened when the Senate adopted a provision in the immigration bill singling out Indian and Indian-American information-technology companies that have operations in the U.S. with punitive restrictions on H-1B work visas. By contrast, the legislation expanded access to the visa to others in the technology industry.

Comment Re:Idiocracy (Score 2) 628

But what possible reason is there of stripping the bos (sic) of HIS moral responsibility for putting the driver in that position (of having to choose between keeping his job and looking at a text) in the first place? THAT is what the judge is getting at, and you have not provided any valid argument against it.

You're begging the question of the driver's job being on the line based on a binary decision: read the text and break the law, or ignore the text and lose the job.

Why couldn't the driver just pull over for a few min to correspond with his boss? How do you know that the boss didn't assume that is what the driver would do, because it is illegal to text and drive? How do you know there isn't a text-to-speech device that reads out texts as the driver gets them (actually pretty common in commercial trucks)?

If the boss forced the driver to read the text while actively driving, I can see how that should be criminal. But the means of force need to be more serious than the driver didn't want to pull over for a few min to read his phone. If the boss sends a text and the driver decides to read it instead of pulling over, the boss has no control over that and should not be implicated.

Submission + - Silicon Valley's Loony Cheerleading Culture Is Out of Control (slashdot.org) 1

Nerval's Lobster writes: Kernel editor-in-chief and noted firebrand Milo Yiannopoulos swings away at Silicon Valley's current startup culture, noting that it's resulted in herds of wannabe founders and startup groupies who don't exactly have a track record of starting successful companies or even producing solid code. "Though they produce little of value, they are the naive soft power behind aggressive capitalist machines in Silicon Valley: the trend-setting vanguard of the global Web and mobile industries," he writes. "We should be very wary indeed of these vacuous cheerleaders whose vague waffle about the transformational potential of photo-sharing apps is more sinister and Orwellian than anything dreamt up by a dictator." How long can such a culture continue before it dries up, and the whole tech-investment cycle begins anew?

Submission + - Detecting Whether You Are on a Targeted Watchlist?

An anonymous reader writes: Yesterday, we learned that Kim Dotcom determined he was being spied on when he noticed that his latency to a few servers increased by 20 or 30 milliseconds. I have always wondered, based on some of the slightly suspicious things I do on the Internet (download many Linux ISOs on BitTorrent and use Tor frequently), whether I am on some sort of elevated watchlist. Are there any telltale signs to look for to determine whether or not I have attracted undesirable attention on the Internet?

Submission + - How Should Slashdot Handle an NSA Incursion?

wjcofkc writes: With the fall of Lavabit and Groklaw at hand, an interesting question arises: how should Slashdot respond to the NSA if they come knocking? It is not entirely unreasonable to think that this might happen, if it hasn't already. Slashdot is after all highly trafficked by the fringes of society and is rife with seditious discussion. Courtesy of gag orders, it's difficult to know who the NSA's heavy-handed dragnet operation has already ensnared. Should we expect Slashdot's editors and administrators to reflect its powerfully counter-culture user base, and out an NSA incursion while shutting down the site, violating a gag order? Or could Dice Holdings prevent the people that run Slashdot from even knowing it was happening? These are questions we should all be asking. And so I pose the question to those who administer this site: do you have a plan in case the NSA comes knocking? Is Dice Holdings in a position to keep you ignorant of NSA snooping activity? Also, to the users: how do you think Slashdot should handle their user base in response to a visit from the NSA to copy hard drives, install 'special' hardware, and lay down a gag order? If you think the question doesn't apply to us, consider that it shouldn't have applied to Groklaw either.