
Submission + - New SWEET32 Crypto Attacks Speed Up Deprecation of 3DES, Blowfish (threatpost.com)

msm1267 writes: New attacks revealed today against 64-bit block ciphers push cryptographic ciphers such as Triple-DES (3DES) and Blowfish closer to extinction.

The attacks, known as SWEET32, allow for the recovery of authentication cookies from HTTPS traffic protected by 3DES, and BasicAUTH credentials from OpenVPN traffic protected by default by Blowfish.

In response, OpenSSL is expected tomorrow to remove 3DES from its default build in 1.1.0, and lower its designation from High to Medium in 1.0.2 and 1.0.1. OpenVPN, meanwhile, is expected to release a new version this week as well with a warning about Blowfish and new configuration advice protecting against the SWEET32 attacks.

The researchers behind SWEET32 said this is a practical attack because collisions begin after a relatively short amount of data is introduced. By luring a victim to a malicious site, the attacker can inject JavaScript into the browser that forces the victim to connect over and over to a site they're authenticated to. The attacker can then collect enough of that traffic--from a connection that is kept alive for a long period of time--to recover the session cookie.

Submission + - Something "Unexpected" Happened When Seattle Raised The Minimum Wage

schwit1 writes: The latest research comes from the University of Washington which researched the impact of Seattle's recent minimum wage hike on employment in that city (as background, Seattle recently passed legislation that increased its minimum wage to $11 per hour on April 1, 2015, $13 on January 1, 2016 and $15 on January 1, 2017). "Shockingly", the University of Washington found that Seattle's higher minimum wages "lowered employment rates of low-wage workers" (the report is attached in its entirety at the end of this post).

Yet, our best estimates find that the Seattle Minimum Wage Ordinance appears to have lowered employment rates of low-wage workers. This negative unintended consequence (which is predicted by some of the existing economic literature) is concerning and needs to be followed closely in future years, because the long-run effects are likely to be greater as businesses and workers have more time to adapt to the ordinance. Finally, we find only modest impacts on earnings. The effects of disemployment appear to be roughly offsetting the gain in hourly wage rates, leaving the earnings for the average low-wage worker unchanged. Of course, we are talking about the average result.

More specifically, we find that median wages for low-wage workers (those earning less than $11 per hour during the 2nd quarter of 2014) rose by $1.18 per hour, and we estimate that the impact of the Ordinance was to increase these workers’ median wage by $0.73 per hour. Further, while these low-wage workers increased their likelihood of being employed relative to prior years, this increase was less than in comparison regions. We estimate that the impact of the Ordinance was a 1.1 percentage point decrease in likelihood of low-wage Seattle workers remaining employed. While these low-wage workers increased their quarterly earnings relative to prior years, the estimated impact of the Ordinance on earnings is small and sensitive to the choice of comparison region. Finally, for those who kept their job, the Ordinance appears to have improved wages and earnings, but decreased their likelihood of being employed in Seattle relative to other parts of the state of Washington.

Still not convinced? How about a recent report from the Federal Reserve Bank of San Francisco that finds that "higher minimum wage results in some job loss for the least-skilled workers—with possibly larger adverse effects than earlier research suggested."

Submission + - Fake Linus Torvalds' Key Found in the Wild

AmiMoJo writes: It was well-known that PGP is vulnerable to short-ID collisions. Real attacks started in June; some developers found fake keys with the same name, email, and even the "same" fake signatures by more fake keys in the wild, on the keyservers. All these keys have the same short IDs, created by collision attacks. Fake keys of Linus Torvalds, Greg Kroah-Hartman, and other kernel devs were found in the wild recently.

Submission + - Stolen NSA hacking tools reportedly on sale for $8,000 (bgr.com)

alir1272 writes: It’s been a rough week for the NSA, to say the least. Last week, a group of hackers collectively known as The Shadow Brokers allegedly stole and released a treasure trove of NSA hacking tools and exploits. What’s more, the group promised to release even more weapons from the NSA’s cyber arsenal for the right price.

While the initial leak was met with skepticism, researchers and security experts who examined the leak subsequently confirmed that the leaked exploits were very much real. “It definitely looks like a toolkit used by the NSA,” French computer researcher Matt Suiche said after taking a look at the code.

Comment Didn't Proxmire keep this from happening ? (Score 1) 124

. . I've heard the story, on and off over the years, that Sen. William Proxmire stopped funding for NASA studies on taking the External Tank into orbit, and using it for the basis of a Station.

But I can't seem to find an actual reference, anybody seen one, or is this an Urban Legend of the Space Program ?

Comment Obviously. . . (Score 3, Insightful) 81

. . . the success of this program will depend on the models sold, and the price. I already see refurbed Samsung S3's, S4's, and S5's for a reasonable price. If they stay competitive with the market, and I'm thinking Refurbed S6's at a ~$350. price point, this could be successful. But they're going to have to leverage some added value: say, a decent warranty and perhaps the latest build of Android to differentiate themselves from the existing refurbished markets. . .

Submission + - Linux Kernel Development: How Fast It's Going And Who Is Doing It (helpnetsecurity.com)

An anonymous reader writes: The Linux Foundation analyzed the work done by over 13,500 developers over more than a decade, to provide insight into the Linux kernel development trends and methodologies used by thousands of different individuals collectively to create some of the most important software code on the planet. This year’s data covers work completed through Linux kernel 4.7, with an emphasis on releases 3.19 to 4.7. The rate of Linux development continues to increase, as does the number of developers and companies involved in the process.

Submission + - SPAM: Nuclear's Glacial Pace

mdsolar writes: Climate change has forced us to rethink how we get electricity. Use of renewable sources like solar and wind is rapidly increasing, while nuclear, though long a reliable source of carbon-free electricity, is not. Meanwhile, a number of startups are promising cheap, safe, proliferation-resistant nuclear energy in the next decade (see “Fail-Safe Nuclear Power”).

Can these startups fulfill their promises? Outside of China, nuclear power is expanding nowhere. China has 21 new reactors under construction; Russia has nine, India six. The U.S. is bringing five new plants online, but since 2012, five other reactors have been retired, with seven more to be shuttered by 2019. California’s Diablo Canyon plant recently announced it will close by 2025. With other plants closing in Japan, Germany, and the U.K., more reactors may be decommissioned than built in the near future.


Submission + - Ask Slashdot: Email Workflow and Hillary's Woes 2

Tablizer writes: Political blame issues aside, how could a work environment like the State Department monitor and ensure "wrong stuff" does not end up in regular office emails? It seems they should have a monitoring team in place to monitor all emails and outgoing documents. There may be urgent situations that could result in them not having enough time to vet something before it's released, but at least they'd know about it as soon as possible afterwards in order to mitigate the damage, investigate the cause, and "educate" the perpetrator(s), perhaps issuing formal reprimands. Bad habits wouldn't be allowed to fester. Has any slashdotter seen a similar setup at their shop?

Comment Re: Well (Score 1) 85

After 40 you need to have moved into management. If you want to keep doing tech, move into the public sector and/or move to the Midwest.

There are still plenty of jobs for olds, just not where you might want them to be or doing the latest and greatest stuff. Olds maintain old tech.

hmm. . . that is why my 54-year-old ass is doing Software Assurance **AND** management. And I guess you consider Android and IOS apps to be "old tech". . . .

Comment Re:Well (Score 1) 85

Wow. I must not exist. I'm 54, started as a Geophysicist, moved to the USAF and flew bombers doing Electronic Warfare for a few years, then left and got a job doing EW Systems Engineering. Developed from there into a Sysadmin, and from there into Security. And have never been jobless for more than 2 months. Re-training ? Currently studying Cloud in general, and AWS in particular, on the side. . .

So, yes, you CAN retrain. In fact, I would argue that if you're not constantly retraining YOURSELF. . . you're going to be doing the IT equivalent of flipping burgers. It merely requires self-discipline and a willingness to spend a few hours of your free time every week, learning something new. . .
