Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×

Submission + - Petya Ransomware's Encryption Defeated and Password Generator Released (bleepingcomputer.com)

runner_one writes: An individual going by the twitter handle leostone was able to create an algorithm that can generate the password used to decrypt a Petya encrypted computer. In my test this, this algorithm was able to generate my key in 7 seconds.
To use Leostone's decryption tool you will need attach the Petya affected drive to another computer and extract specific data from it. The data that needs to be extracted is 512-bytes starting at sector 55 (0x37h) with an offset of 0 and the 8 byte nonce from sector 54 (0x36) offset: 33 (0x21). This data then needs to be converted to Base64 encoding and used on the https://petya-pay-no-ransom.he... site to generate the key.

Unfortunately, for many victims extracting this data is not an easy task. The good news is that Fabian Wosar created a special tool that can be used to easily extract this data. In order to use this tool, you need to take the encrypted drive from the affected computer and attach it to a Windows computer that is working properly. If your infected computer has multiple drives, you should only remove the the drive that is theboot drive, or C:\ drive, for your computer.

Submission + - Vulnerable Serial To Ethernet Converters Let You Hack Just About Everything (securityledger.com)

chicksdaddy writes: The biggest threat to the security of hospitals, airplanes, transportation, the electric grid and just about everything else is a little piece of equipment most companies don't even know they have deployed: Serial to Ethernet converters, the Security Ledger reports. (https://securityledger.com/2016/04/serial-to-ethernet-converters-the-giant-infrastructure-risk-nobody-talks-about/)

The inexpensive devices are used to allow legacy equipment that relies on serial connections and protocols to "speak IP," connecting to more modern networks and management tools. As a result, they're used almost everywhere: on airplanes to connect aging avionics equipment, in electrical substations, data centers, you name it. In fact, a serial to ethernet converter was attacked and knocked offline in the recent attack on the electrical grid in Ukraine. (https://ics-cert.us-cert.gov/alerts/IR-ALERT-H-16-056-01)

The problem: the converters are riddled with remotely exploitable security holes and lack many basic security features. The latest evidence of this came last week, when the Department of Homeland Security’s Industrial Control System CERT (ICS CERT) issued an alert about one of the most commonly used serial to ethernet converters, a device called NPort manufactured by a Taiwanese company, Moxa. (https://ics-cert.us-cert.gov/alerts/ICS-ALERT-16-099-01) That followed the publication of research by Rapid7 on the Moxa devices that found no-authentication-required features that would permit an attacker to push new firmware (software) onto the converter and a buffer overflow vulnerability that opens the devices to having malicious code run on it. Vendors like Moxa have also been slow to respond to security issues reported to them — if they respond at all, said Reid Wightman of the firm Digital Bond. After months of ignoring Digital Bond's inquiries, Moxa told ICS-CERT that it will have a patch ready for the critical, remotely exploitable holes in its hardware...in late August.

With more than 5,000 NPort devices publicly addressable, the possibility for mayhem and so-called 'cyber kinetic' attacks looms large. Taking control of the Serial to Ethernet converter is paramount controlling the devices that connect to it, experts said “Once you have access to the converter, its game over,” said Billy Rios of the firm Whitescope. “The devices attached to it will do whatever you tell them to do.”

Submission + - The Future of Ransomware is Self-Propagating Worms

Trailrunner7 writes: Ransomware has become one of the top threats to consumers over the course of the past few years, and it has begun to spread to enterprises as well of late. But as bad as this problem has become, researchers say that what we’re seeing right now may be just a ripple in the water compared to the tsunami that could be on the horizon.

Perhaps the biggest factor, though, in the move toward ransomware attacks on enterprises is the ability to infect multiple machines, destroy backups, and pull in a large payment all at once rather than relying on multiple smaller payments from individual victims. In order to get that large payment, though, the attacker needs to have the ability to get his ransomware on large numbers of machines in a target network, and that requires rapid infections and lateral movement inside the network.

Enter the self-propagating ransomware worm.

Researchers from Cisco’s Talos team did an in-depth analysis of the current state of ransomware attacks and looked at what the future may hold, too. They analyzed the recent attacks featuring the SamSam ransomware, which has some functions that allow it to spread on a network. It goes after network backups and looks for mapped drives.

“The ultimate goal for this stage of invasion is to locate and destroy networked backups before mass-distributing ransomware to as many systems on the network as they are able to access.. After finding the backup systems and destroying any local backups, or otherwise denying access to said backups, the adversary scans and enumerates as many Windows hosts as they can. After the hosts are enumerated, the attackers utilize a simple combination of a batch script, psexec, and their ransomware payload to spread the ransomware through the network in a semi-automated fashion,” a paper from Cisco Talos released this week says.

Submission + - Uber Releases First-Ever Transparency Report (thestack.com)

An anonymous reader writes: Uber released its first transparency report today, an overview of the information that was requested by U.S. regulators and law enforcement in the second half of 2015. The report shows that while Uber is not yet receiving the number or type of requests that non-transport companies do, the data requests affect millions of Uber customers and drivers.

Uber received 408 requests for information from law enforcement, and 415 from state and federal governments. These requests were complied with in approximately 85% of cases, where after review, Uber provided at least some of the data requested. They also responded to 67 requests for information from regulatory bodies and from airports, with data provided on over 11 million riders and 600,000 drivers.

Submission + - Symantec: Zero-Days Doubled In 2015, More Companies Hiding Breach Data (csoonline.com)

itwbennett writes: According to a new report by Symantec, 54 zero-day vulnerabilities were discovered in 2015, more than twice as many as in 2014, and the number of breaches of more than 10 million records also hit a record high. Driving this is a new professionalism in the market. 'People figured out that they could make money by finding zero-day vulnerabilities and selling them to attackers,' said Kevin Haley, director of security response at Symantec. 'So there became a marketplace, and these things started to have value, and people started to hunt for them.' At the same time, 2015 saw another disturbing trend: The number of companies choosing not to report the number of records they have lost rose by 85 percent (from 61 in 2014 to 113 in 2015). 'More and more companies aren't actually revealing what was breached,' said Haley. 'They will say attackers came and stole from us, but not saying how many records were lost.'

Comment Re:No uncertain terms? (Score 1) 400

You can't force a company to spend money and man hours making something that doesn't exist so that you can use their product they way you want to,

Why not? I can be forced to spend money (and therefore the man hours necessary for me to earn that money) in order to consume a product -- health insurance -- so why can't a company be forced to spend money and man hours making a product?

In the 21st century we've already established that the government can compel behavior whenever it suits the public interest. Everything else from here on out is just a temporary quibble over details, until all regulations are permitted.

Comment Re:Phone Numbers (Score 1) 289

I think it's an interesting thought, but disagree. To many places say "go to oursite.com" or "getfreebies.net" for that to be true. I believe you are attempting to equate laziness with ignorance, which is wrong. Most users are lazy, but they know what an address is. Hell, most technical people are lazy too. We just maintain truckloads of bookmarks.

This isn't something you can "disagree" on. I spend a significant portion of my time teaching/training/educating users up and down the food chain. Let me assure you -- there are a LOT of people out there who do not have any idea what the address bar in a browser is and how to use it. When you show them something as simple as typing "maps.google.com" they look at you like you've just given them a pill which regenerated their kidneys and cured their need for dialysis.

Comment Re:Phone Numbers (Score 1) 289

- Universally Ubiquitous
- Nationalized
- Lowest Common Denominator
- (for POTS anyway) Pretty damn rock solid in most of the world

Did Facebook kill Email? No.
Did Google kill the address bar? No.
Did Apple kill the PC? No.
Did solar panels (insert any other energy technology) kill the grid? No.
Will Facebook messenger (or any company-centric IM system) kill telephones? No.

Next flamebait topic please.

It is easy to sit here on Slashdot and say that Google did not kill the address bar, because I've no doubt at least 85% of the people here know what "URL" stands for, how a URL is composed and read by a browser, and are also people who desire a high level of direct control over their computing and therefore don't mind memorizing dozens of unique URL strings for the sites/pages they use most often.

Actual normal users, on the other hand, only know whatever their current system tells them. I work with/around hundreds of people every day who only know one URL: google.com. I rarely get more than 1-2 days without observing a user go to google and type "yahoo mail" as the search string, then click a google result for the Yahoo! Mail site. This is how they always access their email. Going to the address bar and typing in mail.yahoo.com is like asking them to interpret ancient copies of the Bible written in Greek. The address bar wasn't totally 'killed' by Google, but the google mentality and in-browser search providers have so heavily obfuscated the site/page address that a significant percentage of computer users would be stymied by a browser operating at, say, the Netscape 4 level, and it would take them a very long time to find things they access every day.

It's a very apt comparison to phone numbers, which for many people under 25, they don't know ANY numbers of their friends' or family members. They have been using name-based electronic lists of contacts since they were 17 or earlier. If they lost their cell phone and were standing at a pay phone they would have no idea how to contact anyone without calling Directory Assistance... i.e. Google for phone numbers.

Comment Re:This is a good thing. (Score 1) 291

to pay for basic income, everyone has to earn less

I don't think that's accurate. Productivity since the 70s has doubled, but real-terms wages have been stagnant. In the last 3 decades, the top 0.1% of Americans have doubled their wealth. It's obvious that improved technology can maintain the same lifestyle for the same number of people but with the labour of fewer people - the maintenance of employment levels has mostly been due to the improvement of that basic lifestyle (smartphones, better medical technology, etc) providing jobs for displaced farm workers etc. The system we have encourages spending the extra productivity of technology and economic growth on an expanded lifestyle, but it could be diverted instead to providing a basic lifestyle without requiring extra labour.

But as I understand it the critique of your position is that "the extra productivity of technology" came from the inventor/entrepreneur class specifically because of the profit motive -- that is, the motive to earn more profit than the other guy. And therefore when you say "it could be diverted instead to providing a basic lifestyle", you are falsifying the equation by doing an operation on one side that you're not doing to the other. You are assuming that you wipe the profit motive out of existence while still keeping the innovation and economic activity which arose from the profit motive. That innovation and economic activity doesn't exist on its own absolute terms.

So the critique of your position is that sure, you could take the results of increased capital/production/capacity and divert it to people who didn't invent or bring to market the innovation which made it possible... one time, and maybe for a full generation if there was a previous extraordinary growth to draw from. But rather quickly human nature adapts to the new reality. Once you have removed that more-profit-than-the-other-guy motive, there is zero incentive for the remaining inventors/producers/entrepreneurs to continue to invent and produce and bring new things to market. So what happens over time is that the previous increase in productivity is spent by the redistributionists, and then the rate of increase slows dramatically without motive to drive it drives it, and then the market re-normalizes at a new level where yes everyone is closer to equal but at a lower equilibrium point.

Comment Re: Remove casing from a Wallmart clock - get invi (Score 1) 621

None of the other people or nationalities you listed have books from God that tell them to kill nonbelievers ask a means to please their God.

That is the difference.
But, by all means, if you feel differently about it, you can travel to Syria and make nice with Isis.

I'm sure you're up to the task, after all, you're so fair minded and much better than the rest of us.

Huh? What comment are you replying to? What makes you think I am asking for fairness or being nice to terrorists. On the contrary that is my entire point -- the GP I was replying to was saying that this kid's supposed isolation as a result of the incident is the most effective way to make him into a terrorist. I am pointing out that isolation doesn't make someone into a terrorist. There are millions upon millions of people leading "lives of quiet desperation" every day and they don't become terrorists, and it is ridiculous to support anything remotely resembling any kind of understandable rational path to murdering people and blowing things up for a political/religious ideology. If feeling a bit isolated leads you to bombing civilians, then you were already a terrorist in your heart, and the isolation was just a minor catalyst which would have inevitably happened in thousands of future social situations.

I don't see the relevance of your reply. If you are trying to make a point that belief in Islam makes terrorists, well that's your own thread, go for it.

Comment Re:Remove casing from a Wallmart clock - get invit (Score 1) 621

They made this kid feel like an isolated second class person and to be honest, I can't imagine a more effective way to turn this kid into an actual terrorist.

The attention he got was more about undoing the damage than rewarding any actual genius.

So we're on Slashdot, the official Internet home of mom's basement losers and Magic The Gathering addicts.... in other words, hundreds of thousands of people for whom the first 25 years of their lives consisted of nothing but "[being made to ] feel like an isolated second class person". How many Slashdot users go blow up innocent people as a political ploy?

If feeling a little isolated and second class is the most effective way to turn you into a terrorist, why didn't all of the isolated second class Italians and Irish and Germans and Chinese and Japanese immigrants who barely made it to this country with the clothes on their back and didn't have 30,438 federal assistance programs, become raging terrorists? How is this country even still standing -- what with all the mass bombings and slayings and blood running in the streets from all those angry disaffected young Japanese men terrorizing San Francisco?

There is absolutely 0.000% of anything in this kid's history in the United States which should explain/justify/rationalize him turning into a terrorist in the future. You're simply making another instance of the Bundy-porn argument made by the James Dobsonites in the 1990s -- Bundy watched a lot of porn; Bundy raped/killed a lot of women; therefore if someone watches a lot of porn, "I can't imagine a more effective way to turn this kid into an actual serial rapist".

Comment Re:Do Not Conflate This With Individual Free Speec (Score 1) 109

Ugh, quote FAIL. The final paragraph belongs to the comment I was replying to.

Speech used by an individual to express ideas is free speech. Advertisements -- especially advertisements representing a very large organization -- are not. Corporations should not have the same rights individuals have and I feel that free speech is one of those clear cut distinctions. There is a long history of consumer protection everywhere in the world -- learn about your own country's struggles with it. It's not a simple issue and advertisement should not be regarded as free speech.

Comment Re:Do Not Conflate This With Individual Free Speec (Score 1) 109

But the truth of the matter is that, as a consumer, we only have so many hours in a day to decide which of the thousands of products we consume in a year we should spend our money on. So it does come down to federal guidelines for what is "Grade A" or "Organic" or "Green" when there is a label espousing these properties and there are consumers paying a premium for this notion. Without those guidelines those words will mean absolutely nothing and there will be no way to tell where your product was made, how much cadmium it has in it or whether it is the end result of spewing carbon into the atmosphere. Without similar laws, you wouldn't be able to trust the nutritional information at the grocery store. Is it free speech to claim that my potato chips cure cancer and lead to weight loss no matter how many of them you eat? People will know that I'm lying? Cigarettes used to sooth sore throats. Trans fats used to taste awesome.

Okay, how about "Tasty" or "Chunky" or "Kids love it!"? How can we allow companies to just sling those words around willy-nilly without a few hundred men in Washington DC taxing and regulating everything to make sure we aren't led astray? I pay an extra 12% per can for "Thick and Chunky" stew instead of the plain stew, which must in comparison be thin and runny. Since corporations are evil and out to deceive me to trick me into giving them money, how can I be sure the Safeway-brand frozen pizza actually is "Tasty"? What happens when the can of "thick and chunky" soup only has two pieces of beef and a couple little cubes of carrots? How about when I try to serve my child the raisin oat bran cereal and not only do they not love it, they refuse to eat it?

"Green" or "Organic" are just words. They are words which marketers observed in daily use and wanted consumers to identify with their product, in exactly the same way marketers want you to associate their products with words like "Zesty" or "Bursting With Fruit Flavor!"

Design a conceptual framework which allows the government to regulate the word "Organic" which does not also allow them to regulate "Healthy" or "Very Berry!" or "Extra Bold Taste".

Speech used by an individual to express ideas is free speech. Advertisements -- especially advertisements representing a very large organization -- are not. Corporations should not have the same rights individuals have and I feel that free speech is one of those clear cut distinctions. There is a long history of consumer protection everywhere in the world -- learn about your own country's struggles with it. It's not a simple issue and advertisement should not be regarded as free speech.

Comment Re:Thaty's the wat to do it ... (Score 1) 257

My mom had that rule when i was young for a while, I would get nothing else till it was eaten.... I went to bed many times without eating anything.

So this plan may work on some, but is going to harm others.

But the question is, did your mom really plate the veggie course and only the veggies and bring those plates to the table, then everyone sat with them for 10 minutes before your mom went back into the kitchen and finished the next course? That is what AthanasiusKircher is describing. That is not the same as putting all of dinner on the table and then setting a mere verbal rule that kids have to eat some broccoli first even though the kids can see and smell the skillet of sausage links.

Slashdot Top Deals

"You know, we've won awards for this crap." -- David Letterman