
Submission + - HTTPoxy - CGI "HTTP_PROXY" vulnerability affecting millions of web applications

An anonymous reader writes: On July 18th, a vulnerability named ‘HTTPoxy’ was announced, affecting some server-side web applications that run in CGI or CGI-like environments, such as some FastCGI configurations. Languages known to be affected so far include PHP, Python, and Go. This has been rated as having a security impact of important on CGI applications. Apache HTTP Server, HHVM, and Apache Tomcat are also affected. HTTP_PROXY is a popular environment variable used to configure an outgoing proxy on Linux, OS X/Windows IIS and Unix-like systems. This leads to a remotely exploitable vulnerability. If you’re running PHP or CGI, you should block the Proxy header now as described here for mitigating the HTTPoxy vulnerability with NGINX or Varnish or HAProxy. Red Hat also published detailed information on the same, including affected versions of its popular apps.
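The collision the submission describes, as an added illustration that is not part of the original post or of any of the affected projects: a minimal RFC 3875 header-to-meta-variable mapping shows how a client-supplied `Proxy` header becomes `HTTP_PROXY` in the CGI environment, and a hardened mapping drops that header before it gets there. The request, the proxy lookup helper and all function names are constructed for this example.

```python
"""Added example: why a 'Proxy' request header collides with HTTP_PROXY.

Assumes the RFC 3875 rule for protocol-specific meta-variables
(HTTP_ + upper-cased header name, '-' replaced by '_') and a stand-in
for a client library that reads its outbound proxy from HTTP_PROXY.
All names and values below are constructed for the example.
"""
from typing import Dict, Optional

# Request header names that must never be exported as HTTP_* variables.
BLOCKED_HEADERS = frozenset({"proxy"})

# Constructed request: a legitimate Host header plus an attacker-style
# Proxy header pointing at a documentation-range address.
SAMPLE_REQUEST = {"Host": "app.example", "Proxy": "http://198.51.100.7:8080"}


def _meta_name(header: str) -> str:
    """RFC 3875 meta-variable name for a request header.

    (The real rule also special-cases Content-Type and Content-Length,
    which get no HTTP_ prefix; they are irrelevant here and omitted.)
    """
    return "HTTP_" + header.upper().replace("-", "_")


def cgi_env_from_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Naive mapping: every request header becomes an HTTP_* variable.

    This is the behaviour behind HTTPoxy: the client-controlled 'Proxy'
    header lands in the environment as HTTP_PROXY, the very variable
    outbound HTTP clients consult for their proxy setting.
    """
    return {_meta_name(name): value for name, value in headers.items()}


def cgi_env_from_headers_safe(headers: Dict[str, str]) -> Dict[str, str]:
    """Hardened mapping: the Proxy header is dropped before export.

    Header names are case-insensitive, so the check is on the lower-cased
    name; 'Proxy', 'PROXY' and 'proxy' are all rejected.
    """
    return {_meta_name(name): value for name, value in headers.items()
            if name.lower() not in BLOCKED_HEADERS}


def outbound_proxy(env: Dict[str, str]) -> Optional[str]:
    """Stand-in for a client library that honours HTTP_PROXY from the environment."""
    return env.get("HTTP_PROXY")
```

With the naive mapping `outbound_proxy` returns the client-supplied address; with the hardened mapping it returns `None`, which is the effect the NGINX, Varnish and HAProxy mitigations mentioned above achieve at the front-end proxy instead of in the application.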

Submission + - NHK to begin 8k test broadcasts in August

AmiMoJo writes: NHK, Japan's national broadcaster, has decided to skip over 4k entirely and go straight to 8k broadcasts, starting on the 1st of August. (Japanese site, English site with some details). 8k "Super Hi-Vision" delivers 7680x4320 pixels, 16x that of standard HD, at 120Hz progressive scan and 12 bit colour. Sound is 22 channel surround. Initial broadcasts are on satellite channels, with a full service due in time for the 2020 Tokyo Olympics.

Submission + - Researcher releases 0day for Lenovo BIOSes

BIOS4breakfast writes: Researcher Dmytro Oleksiuk recently found a vulnerability that allows for compromise of System Management Mode (SMM) on Lenovo Thinkpad laptops. As SMM is the most privileged execution mode on x86 processors, this attack also allows for bypassing SecureBoot, as well as BIOS flash protections. This means it's possible to insert a persistent backdoor (like the one HackingTeam was previously shown to be selling) into affected systems. He also discovered that the vulnerability existed in the open source UEFI reference code, but was patched at some point. This means an unknown number of other vendors likely have this same vulnerable reference code in their BIOSes. Rather than reporting this to the UEFI Security Response Team for coordination, however, he decided to just drop a 0day exploit on GitHub and let the situation resolve itself.

Submission + - Clinton's Private Email Was Blocked By Spam Filters, So State IT Turned Them Off (arstechnica.com)

An anonymous reader writes: Documents recently obtained by the conservative advocacy group Judicial Watch show that in December 2010, then-U.S. Secretary of State Hillary Clinton and her staff were having difficulty communicating with State Department officials by e-mail because spam filters were blocking their messages. To fix the problem, State Department IT turned the filters off — potentially exposing State's employees to phishing attacks and other malicious e-mails. The mail problems prompted Clinton Chief of Staff Huma Abedin to suggest to Clinton (PDF), "We should talk about putting you on State e-mail or releasing your e-mail address to the department so you are not going to spam." Clinton replied, "Let's get [a] separate address or device but I don't want any risk of the personal [e-mail] being accessible." The mail filter system — Trend Micro's ScanMail for Exchange 8 — was apparently causing some messages from Clinton's private server (Clintonemail.com) to not be delivered (PDF). Some were "bounced;" others were accepted by the server but were quarantined and never delivered to the recipient. According to the e-mail thread published yesterday by Judicial Watch, State's IT team turned off both spam and antivirus filters on two "bridgehead" mail relay servers while waiting for a fix from Trend Micro. There was some doubt about whether Trend Micro would address the issue before State performed an upgrade to the latest version of the mail filtering software. A State Department contractor support tech confirmed that two filters needed to be shut off in order to temporarily fix the problem — a measure that State's IT team took with some trepidation, because the filters had "blocked malicious content in the recent past." It's not clear from the thread that the issue was ever satisfactorily resolved, either with SMEX 8 or SMEX 10.

Submission + - HTML5 Ads Aren't That Safe Compared to Flash, Experts Say (softpedia.com) 1

An anonymous reader writes: A study [PDF] from GeoEdge, an ad scanning vendor, reveals that Flash has been wrongly accused as the root cause of today's malvertising campaigns, but in reality, switching to HTML5 ads won't safeguard users from attacks because the vulnerabilities are in the ad platforms and advertising standards themselves. The company argues that for video ads, the primary root of malvertising is the VAST and VPAID advertising standards. VAST and VPAID are the rules of the game when it comes to online video advertising, defining the road an ad needs to take from the ad's creator to the user's browser.

Even if the ad is Flash or HTML5, there are critical points in this ad delivery path where ad creators can alter the ad via JavaScript injections. These same critical points are also there so advertisers or ad networks can feed JavaScript code that fingerprints and tracks users. The real culprit is the ability to send JavaScript code at runtime, and not if the ad is a Flash object, an image or a block of HTML(5) code.

Submission + - Facebook Spares Humans By Fighting Offensive Photos With AI (techcrunch.com)

An anonymous reader writes: Facebook tells TechCrunch that its artificial intelligence systems now report more offensive photos than humans do. Typically when users upload content that is deemed offensive, it has to be seen and flagged by at least one human worker or user. Such posts that violate terms of service can include content that is hate speech, threatening or pornographic; incites violence; or contains nudity or graphic or gratuitous violence. The content that workers have to dig through is obviously not great, and may cause various psychological illnesses such as post-traumatic stress disorder. AI is helping to eliminate such a terrible job as it can scan images that are uploaded before anyone ever sees them. Facebook's AI already "helps rank News Feed stories, read aloud the content of photos to the vision impaired and automatically write closed captions for video ads that increase view time by 12 percent," writes TechCrunch. Facebook's Director of Engineering for Applied Machine Learning Joaquin Candela tells TechCrunch, "One thing that is interesting is that today we have more offensive photos being reported by AI algorithms than by people. The higher we push that to 100 percent, the fewer offensive photos have actually been seen by a human." One risk of such an automated system is that it could censor art and free expression that may be productive or beautiful, yet controversial. The other more obvious risk is that such a system could take jobs away from those in need.

Submission + - SPAM: Newly discovered gene regulates hyperglycemia-induced

johncarr044 writes: Elevated levels of blood glucose (hyperglycemia) can induce the death of the pancreatic beta cells over time. The death of these cells (responsible for the production of insulin) underlies much of the pathology of diabetes. Exactly how and why they die is not fully understood, but a new research report sheds light on the answer and a new therapeutic target.

Submission + - Simple Set Game Proof Stuns Mathematicians (quantamagazine.org)

An anonymous reader writes: In a series of papers posted online in recent weeks, mathematicians have solved a problem about the pattern-matching card game Set that predates the game itself. The solution, whose simplicity has stunned mathematicians, is already leading to advances in other combinatorics problems.

Submission + - NASA Nearly Crashed the Vomit Comet on a Reckless Trip to Greenland

Jason Koebler writes: NASA's infamous “Vomit Comet” zero gravity airplane nearly crashed on a mission it wasn't suited for in Greenland and was later used as a delivery plane for a private company owned by an ex-astronaut, according to official complaints filed by some of the plane's former crew members.
Documents obtained under the Freedom of Information Act show that the unorthodox use of the C-9 aircraft was driven by a desire at the high levels of the agency to prove the Vomit Comet was of practical use. Apparently, it didn't work—the C-9 aircraft program was defunded and shut down in 2014.

Submission + - Drilling-induced earthquakes may endanger millions in 2016, USGS says (pbs.org)

AmiMoJo writes: Researchers at the USGS and other institutions have tied earthquake surges in eight states, including Texas, Oklahoma, Ohio, Kansas and Arkansas, to oil and gas operations. Evidence suggests that earthquake risks can spread for miles beyond the original disposal sites, and can persist for a decade or more after drilling stops. USGS issued maps based on computer models that estimate where, how often and how strongly earthquake ground-shaking could occur, so that residents, engineers and city planners can see the likelihood that their community will experience a damaging earthquake over the next year.

Submission + - Reddit has deleted its 'warrant canary' (reuters.com)

Arthur Dent '99 writes: Today Reddit deleted wording in its transparency report that would normally indicate that they had not received any "national security letters" or "other classified requests for user information". Such "national security letters" contain penalties for telling anyone about the request, as the government wishes to keep the request secret. However, because Reddit had placed pre-existing wording in their transparency report in the event of such a letter, they were able to simply delete the existing wording to passively inform others that a request had been received, without actually saying anything at all. This usage of pre-existing wording is known as a "warrant canary" to indicate danger, much as real canaries were used in the past to indicate the presence of deadly gases in coal mines.

Submission + - A Timely Fix for a Grand Theory of Nature (quantamagazine.org)

An anonymous reader writes: In 2011, the ecologist Ryan Chisholm was looking at tree census data from 12 different forests around the world. More than 4,000 species of trees grew in these places, their numbers rising and falling over the years. The pictures the numbers painted were of ecosystems where a species’ fortunes could change nearly overnight, on an ecological timescale. For instance, a small, glossy-leaved tree called Inga marginata had 400 individuals in a Panamanian forest plot in 2005; by 2010 it had nearly doubled its numbers.

In all 12 forests, however, one detail was particularly notable. The speed and magnitude of the changes didn’t look anything like what would have been predicted by one of the leading theories in theoretical ecology. Models based on that idea, called neutral theory, have shown that the distribution of species over the landscape can be explained using surprisingly simple inputs. But here the theory was breaking down. “You look at how big these fluctuations are,” Chisholm said. “And they’re just enormous. They’re so much bigger than what neutral theory would predict. Orders of magnitude bigger.”

When Chisholm gave a talk at the Smithsonian Tropical Research Institute in Panama, where he was a postdoc, he learned that other people had noticed the same thing. Whatever its successes, neutral theory did not model change well at all — even its estimates of how long it would take a species to go extinct could be tens to hundreds of times longer than the reality. A flurry of papers from various groups since then, including one by Chisholm and collaborators appearing yesterday in Ecology, look to answer the question: Can neutral theory be adapted so that it shows changes over time? And is it possible to link a beautifully simple model more closely with the complex messiness of biology without damaging the model?

Submission + - An inside look at how Netflix builds code (sdtimes.com)

mmoorebz writes: Netflix is known as a place to binge watch television, but behind the scenes, there’s much going on before everyone’s favorite shows can be streamed.

The first step to deploying an application or service is building. Netflix created Nebula, a set of plug-ins for the Gradle build system, that “help with the heavy-lifting around building applications,” said the engineers.

Netflix is continuing to look at the developer experience and determine how it can improve. Containers could be one solution to many of the company's challenges, like increasing bake time or improving the deploy experience.

Submission + - CTB-Locker Ransomware Hits Over 100 Websites (csoonline.com)

itwbennett writes: CTB-Locker is a name associated with Windows ransomware, but now that name is also being used for a new threat that is written in PHP and encrypts all files in Web server directories. Researchers from Stormshield have found 102 websites that have been infected with this Web-based ransomware so far, although it is unclear how attackers gained access to those websites in order to install CTB-Locker. It is also unclear whether the Windows ransomware and the Web-based ransomware are related.

Submission + - 737 'Tailstrike' Caused by Typo on an iPad (arstechnica.com)

An anonymous reader writes: In August of last year, a Boeing 737 operated by Qantas experienced a tailstrike while taking off — the thrust wasn't great enough for the tail to clear the runway, so it clipped the ground with its tail. The investigation into the incident (PDF) has finally been completed, and it found the cause of the accident: the co-pilot accidentally entered the wrong plane weight data into the iPad used to make calculations about the takeoff thrust. "First, when working out the plane's takeoff weight on a notepad, the captain forgot to carry the '1,' resulting in an erroneous weight of 66,400kg rather than 76,400kg. Second, the co-pilot made a 'transposition error' when carrying out the same calculation on the Qantas on-board performance tool (OPT)—an iPad app for calculating takeoff speed, amongst other things. 'Transposition error' is an investigatory euphemism for 'he accidentally hit 6 on the keyboard rather than 7.'" This caused the problem: "For a weight of 76,400kg and temperature of 35C, the engine thrust should've been set at 93.1 percent with a takeoff speed of 157 knots; instead, due to the errors, the thrust was set to 88.4 percent and takeoff speed was 146 knots."
