Slashdot is powered by your submissions, so send in your scoop


Forgot your password?
DEAL: For $25 - Add A Second Phone Number To Your Smartphone for life! Use promo code SLASHDOT25. Also, Slashdot's Facebook page has a chat bot now. Message it for stories and more. Check out the new SourceForge HTML5 Internet speed test! ×

Mirai and Bashlight Join Forces Against DNS Provider Dyn ( 56

A second wave of attacks has hit dynamic domain name service provider Dyn, affecting a larger number of providers. As researchers and government officials race to figure out what is causing the outages, new details are emerging. Dan Drew, chief security officer at Level 3 Communications, says the attack is at least in part being mounted from a "botnet" of Internet-of-Things (IoT) devices. "We're seeing attacks coming from a number of different locations," Drew said. "An Internet of Things botnet called Mirai that we identified is also involved in the attack." Ars Technica reports: The botnet, made up of devices like home WiFi routers and internet protocol video cameras, is sending massive numbers of requests to Dyn's DNS service. Those requests look legitimate, so it's difficult for Dyn's systems to screen them out from normal domain name lookup requests. Earlier this month, the code for the Mirai botnet was released publicly. It may have been used in the massive DDoS attack against security reporter Brian Krebs. Mirai and another IoT botnet called Bashlight exploit a common vulnerability in BusyBox, a pared-down version of the Linux operating system used in embedded devices. Mirai and Bashlight have recently been responsible for attacks of massive scale, including the attacks on Krebs, which at one point reached a traffic volume of 620 gigabits per second. Matthew Prince, co-founder and CEO of the content delivery and DDoS protection service provider CloudFlare, said that the attack being used against Dyn is an increasingly common one. The attacks append random strings of text to the front of domain names, making them appear like new, legitimate requests for the addresses of systems with a domain. Caching the results to speed up responses is impossible. Prince told Ars: "They're tough attacks to stop because they often get channeled through recursive providers. They're not cacheable because of the random prefix. We started seeing random prefix attacks like these three years ago, and they remain a very common attack. If IoT devices are being used, that would explain the size and scale [and how the attack] would affect: someone the size of Dyn."

Comment Re:Two simple suggestions. (Score 1) 1839

Personally I read at -1, Raw and Uncut because I'm a masochist and often find some funny stuff down in the gutter.

I usually read at +3 or +4, but I give extra +5 score to flamebaits. I started doing it years ago after reading about the idea from somebody else. Those posts are funny/interesting often enough that I haven't reverted it.

Comment Re:Malware (Score 1) 181

Maybe then we'll get proper application whitelisting / sandboxing by default in a desktop OS. And, hell, why do applications get the run of every file I use under my account? Should they not have to request such things first? Even on Unix-likes, if you get on as my user, you can trash all my data - why?

The answer is functionality. Let's consider the example of Android, an OS with a fairly recent security model, built on top of Linux which provides for chroot. Why not put apps into their own chroot jail by default? Seems like a good idea, right? How do you explain to Grandma why she can't upload photos from her camera's image gallery to Facebook? Oh, you'll solve that problem by putting the photos in a public directory? Okay, that eliminates the functionality concern, but now you're right back where you started with exposure to ransomware....

Not necessarily. This can be solved by having a standard privileged file open/save dialog that grants the access automatically to apps based on user input. Of course that limits the UI designs in some ways.. I wrote some ideas 11 years ago how something like this could be done. Partially obsolete nowadays though but still could be doable (except for the web browser parts - web security seems to be a lost cause already). Perhaps once these kind of worse malwares start happening people would finally implement a more secure desktop. There's no reason why I shouldn't be able to easily run whatever program I want without it breaking my computer.

Submission + - Slashdot beta sucks 9

An anonymous reader writes: Maybe some of the slashdot team should start listening to its users, most of which hate the new user interface. Thanks for ruining something that wasn't broken.

Comment Two clouds with replication! (Score 1) 150

Sorry for advertising my own product, but pretty much on topic here. :) Buy two (cheap) servers from completely different networks / data center providers, and keep them replicated with You can set up MX records to both of them, and use DNS to switch between the replicas for IMAP/POP3 as needed. Either one of the data centers can die and your mail won't stop working. Or keep one of the replicas in local network and your mail keeps working even if your internet connection dies.

(Then you'll only need to hope that there are no software bugs bringing down everything.)

Comment Re:Collateralized vs Non-Collateralized Loans (Score 1) 461

Dunno how it works in Germany, but I think the people should be able to decide for themselves what kind of education they want, whenever they want (+- a few years). And maybe more importantly: If you decide wrong at some point, you should be able to switch if you're good enough. I think the way it works in Finland is good enough. I dropped out of high school (wanted to code all nights), finished it 7 years later when I had more motivation, had no problem getting into university trying out something new interesting I re-learned at high school (biotech!), then deciding it wasn't really worth the trouble and switching back to computer science and getting a BSc out of it. The high school and college stories I hear from the US are pretty depressing usually.

Comment Re:If you HAVE to have a Retina/Pixel display... (Score 1) 392

My laptop comparisons nowadays:

Apple laptop:

Non-Apple laptop:

Until some laptop has MagSafe or similar I won't even consider it. I remember too well when I used to trip over the power cords and drag my laptop on the floor. Or break the power plug because it got twisted when moving the laptop in a bad direction. Or stepping on the power plug and breaking it. (Yeah, I don't treat my laptops all that well.)

Comment Re:Classes/Templates are not a magic bullet ... (Score 1) 406

Well, that kind of GENERATE_SORT() seems very ad-hoc way to do it and very specific to a sort.. My method looks more like this (dynamically growing type safe arrays):

#include "array.h"
int foobar_cmp(const struct foobar *f1, const struct foobar *f2); ..
ARRAY_DEFINE(foobars, struct foobar);
struct foobar f; ..
array_init(&foobars, 16);
array_append(&foobars, &f); ..
array_sort(&foobars, foobar_cmp);

I don't think that's much different (or more difficult) from how you'd do it with C++ templates. Of course implementing array.h is easier with C++.

Comment Re:Classes/Templates are not a magic bullet ... (Score 1) 406

It's also very hard to write type safe code properly in C. Just look at the classic example of the unsafe qsort versus the safer and faster std::sort.

You can do all kinds of nifty stuff with macros and gcc/clang extensions to provide type safety to C. Yeah, if you don't already have a library for that it can be a bit difficult to write one (or find one you like). But once you have the library it's very easy to write (mostly) type safe code with C. For example I have a type safe array_sort() in C.

Comment Re:QR codes don't all have destinations (Score 2) 234

But every implementation I've seen of a QR code reader in Android and IOS also gives you the option to inspect the content visually before acting on it. They ask if you want to proceed.

Of course one could argue the click-thru generation does not know enough to evaluate the content, but then these are the same people that no amount of malware/antivirus software can protect.

Is the confirmation something like OK/Cancel? I also tend to click OK buttons without hardly even reading them. That's why potentially security sensitive questions shouldn't have such simple buttons, but rather two (radio?) buttons that require you to read (and hopefully understand) what you're doing, such as: "Replace network settings from QR" and "Keep the existing network settings".

Slashdot Top Deals

If this is a service economy, why is the service so bad?