
Submission + - SPAM: Companies Are Hungry For Professional Open Source Talent

An anonymous reader writes: Recruiting open source talent is a top priority for hiring managers focused on recruiting technology talent, and recruiters are increasingly looking for more professional training credentials from their candidates. According to the 2016 Open Source Jobs Report, 65 percent of hiring managers say open source hiring will increase more than any other part of their business over the next six months, and 79 percent of hiring managers have increased incentives to hold on to their current open source professionals.

Submission + - China's space program to be used to develop technology and economic growth (examiner.com)

MarkWhittington writes: Aviation Week reported that China has suggested that its first crewed moon landing will take place in the 2031-36 time frame. The schedule is somewhat later than the previous estimate, which placed a Chinese moon landing sometime in the 2020s. But the announcement represents a long-term strategy for the Chinese space program and its integration into larger political, military, and economic development. China has also announced goals to land more robotic probes on the lunar surface, a mission to Mars in 2020, and the building of a space station later this decade. The next crewed flight will take place later in 2016 and will involve tests of a prototype space station module called the Tiangong-2.

Vice News suggests that the Chinese space program is designed to spur technological innovation. The assessment is based on the experience of the American space program.

Submission + - The Pocket-Sized Lab's Killer App: Analyzing Illicit Drugs (ieee.org)

the_newsbeagle writes: The pocket-sized gadget called SCiO offers at-home chemical analysis of the stuff that makes up our daily lives — things like the food on our plates and the leaves of our houseplants. That's the official pitch, anyway. But the SCiO and similar devices may be most attractive to a certain subset of consumers who are very interested in chemistry and don't have access to real labs: namely, people who take illegal or semi-legal drugs.

Submission + - OpenSSL vulnerability (openssl.org) 1

mattsheets writes: This issue affected versions of OpenSSL prior to April 2015. The bug causing the vulnerability was fixed on April 18th 2015, and released as part of the June 11th 2015 security releases. The security impact of the bug was not known at the time.

In previous versions of OpenSSL, ASN.1 encoding the value zero represented as a negative integer can cause a buffer underflow with an out-of-bounds write in i2c_ASN1_INTEGER. The ASN.1 parser does not normally create "negative zeroes" when parsing ASN.1 input, and therefore, an attacker cannot trigger this bug.

However, a second, independent bug revealed that the ASN.1 parser (specifically, d2i_ASN1_TYPE) can misinterpret a large universal tag as a negative zero value. Large universal tags are not present in any common ASN.1 structures (such as X509) but are accepted as part of ANY structures.

Therefore, if an application deserializes untrusted ASN.1 structures containing an ANY field, and later reserializes them, an attacker may be able to trigger an out-of-bounds write. This has been shown to cause memory corruption that is potentially exploitable with some malloc implementations.

Applications that parse and re-encode X509 certificates are known to be vulnerable. Applications that verify RSA signatures on X509 certificates may also be vulnerable; however, only certificates with valid signatures trigger ASN.1 re-encoding and hence the bug. Specifically, since OpenSSL's default TLS X509 chain verification code verifies the certificate chain from root to leaf, TLS handshakes could only be targeted with valid certificates issued by trusted Certification Authorities.

OpenSSL 1.0.2 users should upgrade to 1.0.2c
OpenSSL 1.0.1 users should upgrade to 1.0.1o

This vulnerability is a combination of two bugs, neither of which individually has security impact. The first bug (mishandling of negative zero integers) was reported to OpenSSL by Huzaifa Sidhpurwala (Red Hat) and independently by Hanno Böck in April 2015. The second issue (mishandling of large universal tags) was found using libFuzzer, and reported on the public issue tracker on March 1st 2016. The fact that these two issues combined present a security vulnerability was reported by David Benjamin (Google) on March 31st 2016. The fixes were developed by Steve Henson of the OpenSSL development team, and David Benjamin. The OpenSSL team would also like to thank Mark Brand and Ian Beer from the Google Project Zero team for their careful analysis of the impact.

Submission + - Uber Plans To Kill Surge Pricing With Machine Learning (npr.org)

An anonymous reader writes: Surge pricing is a familiar term for any regular Uber rider — or driver. It's when you call an Uber, and the price of a ride is two, three, or four times more as a result of greater demand brought on by a sporting event or weather event nearby. For riders, it's an annoyance, but for drivers, it's a perk as it usually results in more pocket change. Inside Uber, surge pricing is considered a market failure, and a problem to be solved. "That's where machine learning comes in. That's where the next generation comes in," says Jeff Schneider, engineering lead at Uber Advanced Technologies Center. "Because now we can look at all this data, and we can start to make predictions." Everyone knows that when a Beyonce concert ends, for example, there's going to be a lot of demand for Uber drivers. Schneider explains, "[What's harder] is to find those Tuesday nights when it's not even raining and for some reason there's demand — and to know that's coming. That's machine learning." With enough of the right data inputs, computer algorithms can do the research that Uber drivers already do — only better, "so the surge pricing never even has to happen," Schneider says.

Submission + - Georgia Tech takes on low-volume DDoS attacks (gatech.edu)

ABSned writes: Georgia Tech researchers have been awarded a $2.9 million contract from the U.S. Defense Advanced Research Projects Agency (DARPA) to develop a method for detecting and defeating low-volume distributed denial of service (DDoS) attacks. Known as ROKI, the goal of the project is to create a precise and timely detection method that identifies attacks by how they subtly change the resource consumption of a machine. With little to no degradation of system performance, Georgia Tech researchers believe they will be able to mitigate a threat by quickly writing a new signature for it inside the hardware so a network interface card will recognize it again. First deliverables are expected in approximately 18 months, beginning with a prototype to demonstrate the core idea.

Submission + - FDA: Anti Malware Scan Crashes Diagnostic PC During Heart Catheterization (securityledger.com)

chicksdaddy writes: Antivirus software running on a medical diagnostic computer caused the device to fail in the middle of a cardiac procedure, denying physicians access to data from a critical monitoring tool and potentially endangering patient safety, the U.S. Food and Drug Administration said.

The FDA issued an Adverse Event Report (https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfmaude/detail.cfm?mdrfoi__id=5487204), dated February 8, regarding the device: the Merge Hemo Programmable Diagnostic Computer (http://www.merge.com/Solutions/Cardiology/Merge-Hemo.aspx), which is made by Merge Healthcare. The adverse event occurred during a heart catheterization procedure and was caused by improper configuration of the antivirus software, the FDA concluded.

According to the Adverse Event report, a Merge Hemo customer reported to the company that, “in the middle of a heart catheterization procedure, the Hemo Monitor PC lost communication with the Hemo client and the Hemo monitor went black.” According to information provided by the customer, “there was a delay of about 5 minutes while the patient was sedated so that the application could be rebooted,” The Security Ledger reported. (https://securityledger.com/2016/05/fda-antivirus-crashed-diagnostic-tool-during-heart-procedure/)

The incident is a rare, documented instance of a software-based failure interfering with a medical procedure, though nobody knows for sure how common equipment failures in clinical settings are. The FDA received around 1.2 million adverse incident reports in 2014, the last full year for which data is available. This is the first known incident linked to anti-malware software.

Submission + - Scientists hit pay dirt in drilling of dinosaur-killing impact crater (sciencemag.org)

sciencehabit writes: Scientists have reached ground zero for one of the world’s most famous cataclysms. Burrowing into the impact structure responsible for the demise of the dinosaurs, a team of researchers has achieved one of its main goals, with rocks brought up from 670 meters beneath the sea floor off the coast of the Yucatán Peninsula in Mexico. These core samples contain bits of the original granite bedrock that was the unlucky target of cosmic wrath 66 million years ago, when a large asteroid struck Earth, blasted open the 180-kilometer-wide Chicxulub crater, and led to the extinction of most life on the planet.

Submission + - Typing 'http://:' into a Skype message trashes the installation beyond repair (thestack.com)

An anonymous reader writes: A thread at Skype community forums [http://community.skype.com/t5/Windows-desktop-client/Critical-bug-Skype-7-4-85-102-simple-message-crush-client/td-p/3996419] has brought to light a critical bug in Microsoft’s Skype clients for Windows, iOS and Android — typing the incorrect URL initiator 'http://:' into a text message on Skype will crash the client so badly that it can only be repaired by installing an older version and awaiting a fix from Microsoft. The bug does not affect OSX or the 'Metro'-style Windows clients — which means, effectively, that Mac users could kill the Skype installations on other platforms just by sending an eight-character message.

Submission + - Features That Windows 10 Will Deprecate 1

jones_supa writes: Following the exciting news that Windows will be free for everyone currently on Windows 7 or 8.1, providing they upgrade within the first year, users should also be aware of a few features that will no longer work with Windows 10 after that upgrade. The features that will no longer work are taken from the official specifications page at Microsoft's Windows website. The good news is that in some cases alternatives are available. Prepare to say goodbye to: Media Center, out-of-the-box DVD playback and USB floppy support, desktop gadgets, deferring updates (Home edition), old versions of Windows games, and Windows Live Essentials version of OneDrive.

Submission + - Sourceforge Hijacks the Nmap Sourceforge Account (seclists.org) 2

vivaoporto writes: Gordon Lyon (better known as Fyodor, author of nmap and maintainer of the internet security resource sites insecure.org, nmap.org, seclists.org, and sectools.org) warns on the nmap development mailing list that the Sourceforge Nmap account was hijacked from him.

According to him, the old Nmap project page (located at http://sourceforge.net/projects/nmap/, screenshot) was changed to a blank page and its contents were moved to a new page (http://sourceforge.net/projects/nmap.mirror/, screenshot) which is controlled by sf-editor1 and sf-editor3, in a pattern mirroring the much-discussed takeover of the GIMP-Win page covered last week on Ars Technica and IT World, and eventually this week on Slashdot.

This happens after Sourceforge promised to stop "presenting third party offers for unmaintained SourceForge projects. At this time, we present third party offers only with a few projects where it is explicitly approved by the project developer, or if the project is already bundling third party offers."

To their credit, Fyodor states that "So far they seem to be providing just the official Nmap files (as long as you don't click on the fake download buttons) and we haven't caught them trojaning Nmap the way they did with GIMP" but reiterates "that you should only download Nmap from our official SSL Nmap site: https://nmap.org/download.html".

Submission + - Five treated in hospital following chemical gas leak at Apple data center (thestack.com)

An anonymous reader writes: A chlorine gas leak at an Apple data center in North Carolina has hospitalized five workers. The Catawba emergency services received an alert call at 2pm local time from the Apple site based on Startown Road in Maiden. Footage was captured at the scene of the building being evacuated, people being treated by medical crews and supplied with oxygen masks. Initially authorities said that there had been two unidentified chemicals involved in the leak, later confirming that it had been chlorine gas. When cooled, chlorine can be stored as a liquid, but turns to gas if exposed to air. If breathed in by humans the chemical can be damaging to the respiratory system, dissolving the mucous membrane and causing fluid to build up in the lungs, which can lead to suffocation by drowning. An investigation has revealed that the noxious chemical leak was given off from on-site water-cooling equipment used to cool the center's servers. The five injured workers were treated at the nearby Catawba Valley Medical Center and were all discharged shortly after. Neither the medical center nor Apple has provided further details on the incident.

Submission + - Linux Kernel Switching To Linux v4.0, Coming With Many New Addons (phoronix.com)

An anonymous reader writes: Following polling on Linus Torvalds' Google+ page, he's decided to make the next kernel version Linux 4.0 rather than Linux 3.20. Linux 4.0 is going to bring many big improvements besides the version bump, with there being live kernel patching, pNFS block server support, VirtIO 1.0, IBM z13 mainframe support, new ARM SoC support, and many new hardware drivers and general improvements. Linux 4.0 is codenamed "Hurr durr I'ma sheep."

Submission + - Why tech activists must become campaign finance reform activists (nathanmarz.com)

Funksaw writes: In a blog post called 'Why we in tech must support Lawrence Lessig', former Twitter engineer Nathan Marz makes the argument that technological issues, such as net neutrality, broadband monopolies, and extended copyrights, can't be addressed until campaign finance reforms are enacted, and that initiatives such as Lawrence Lessig's Mayday PAC need to be supported. FTA:

This issue is so important and touches so many aspects of our society that I believe it's our duty as citizens to fight for change any way we can. We have to support people who are working day and night on this, who have excellent ideas on how to achieve reform.
