
Submission + - OAuth 2.0 Flaw Exposes 1 Billion Mobile Apps to Takeover (threatpost.com)

msm1267 writes: Third-party applications that allow single sign-on via Facebook and Google and support the OAuth 2.0 protocol are exposed to account hijacking.

Three Chinese University of Hong Kong researchers presented at Black Hat EU last week a paper called “Signing into One Billion Mobile App Accounts Effortlessly with OAuth 2.0.” The paper describes an attack that takes advantage of poor OAuth 2.0 implementations and puts more than one billion apps in jeopardy.

The researchers examined 600 top U.S. and Chinese mobile apps that use OAuth 2.0 APIs from Facebook, Google and Sina—which operates Weibo in China—and support SSO for third-party apps. The researchers found that 41.2 percent of the apps they tested were vulnerable to their attack, including popular dating, travel, shopping, hotel booking, finance, chat, music and news apps. None of the apps were named in the paper, but some have been downloaded hundreds of millions of times and can be exploited for anything from free phone calls to fraudulent purchases.
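The submission above does not spell out what a "poor OAuth 2.0 implementation" looks like. The following is an added illustration, not code from the paper, the submitter, or any of the apps studied: it assumes the weakness is the usual one in OAuth-for-login backends, a server that accepts the user identity reported by its own mobile client instead of deriving it from the identity provider, and it shows that pattern beside a backend that validates the access token with the provider and checks the token's audience. Every name, token and account in it is constructed; the `FAKE_IDP_TOKENS` table stands in for a real token-introspection call to the provider.

```python
"""Added example: client-trusting SSO login (vulnerable) vs. provider-validated login.

Nothing here is from the paper or any real app. The identity-provider (IdP)
lookup is simulated with an in-memory table so the example runs offline.
"""

# Assumed: the client id the IdP issued to *our* app. Tokens minted for any
# other app must not be accepted as a login to ours.
OUR_CLIENT_ID = "example-app-client-id"

# Constructed stand-in for the IdP's token-introspection endpoint:
# access_token -> claims (subject = the IdP user id, aud = app the token is for).
FAKE_IDP_TOKENS = {
    "tok-attacker":  {"sub": "user-attacker", "aud": OUR_CLIENT_ID},
    "tok-victim":    {"sub": "user-victim",   "aud": OUR_CLIENT_ID},
    # A valid token for the attacker, but issued to some unrelated app.
    "tok-other-app": {"sub": "user-attacker", "aud": "some-other-app"},
}

# Constructed local account table: IdP subject -> account in our app.
ACCOUNTS = {
    "user-victim":   "victim@example.com",
    "user-attacker": "attacker@example.com",
}


def idp_token_info(access_token):
    """Simulated introspection: claims for a known token, None otherwise."""
    return FAKE_IDP_TOKENS.get(access_token)


def vulnerable_login(client_payload):
    """Trusts the user id the mobile client *says* the IdP returned.

    The client (or anyone replaying its HTTPS request) chooses `user_id`, so
    an attacker with a legitimate login of their own can name any victim.
    """
    sub = client_payload.get("user_id")
    return ACCOUNTS.get(sub)


def hardened_login(client_payload):
    """Accepts only an access token from the client; identity comes from the IdP.

    Also rejects tokens the IdP issued to a different app (audience check),
    which an attacker could otherwise obtain from any app they control.
    """
    info = idp_token_info(client_payload.get("access_token"))
    if info is None:
        return None                      # unknown/expired token
    if info.get("aud") != OUR_CLIENT_ID:
        return None                      # token was not minted for us
    return ACCOUNTS.get(info["sub"])      # subject chosen by the IdP, not the client


if __name__ == "__main__":
    # Attacker logs in with their own token but claims the victim's user id.
    forged = {"user_id": "user-victim", "access_token": "tok-attacker"}
    print("vulnerable:", vulnerable_login(forged))   # victim's account
    print("hardened:  ", hardened_login(forged))     # attacker's own account
    print("other app: ", hardened_login({"access_token": "tok-other-app"}))
```

In a real deployment the `idp_token_info` stand-in would be replaced by the provider's own introspection or user-info endpoint, called from the server, and the `aud` comparison would be made against the client id the provider issued to the app; the client's opinion of who it is never enters the decision.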

Comment Re:Don't move to Canada, liberals. (Score 1) 2837

You do realize that all that food in your little bodega there in the fancy big city is grown by those drooling children out there in Stupidville, right? And most of the coal and natural gas that heats the water to steam that turns the turbine that generates the electricity that keeps the lights on comes from Yokelville. But you also know that, right?

Yes. We pay them for their efforts. They choose their lifestyles and occupations freely.

You do realize that the only reason you "grown ups" aren't starving in the dark is because us drooling, childish yokels feed you and keep your lights running, right? Funny, I always thought the grownups were the ones doing the work to keep the household going while the children played. I'm so glad you corrected that little misunderstanding of mine.

We reward you for doing the work we don't want to do so that we can focus on other things, like building rockets or teaching math or designing dams or defending the nation. We're all adults here, and the sooner you get over your inferiority complex, the better. Everyone's valuable.

Want to do something other than hewing wood or drawing water? This is America - get after it. Not happy with your life choices? Choose something else. But don't shit on those of us who live in cities and don't like to see our black friends pushed around or our women groped. You rely on us for the things you have, just as we rely on you.

Comment Re:Don't move to Canada, liberals. (Score 1) 2837

"All those folks out in the sparse spaces haven't figured out that rugged individualism is basically childishness."

Funny, it's been working for all of those sparse space citizens for a couple hundred years now. They don't need your safe space.

We're either going to be a society that achieves more than covering basic needs and gets past the "I got mine" mindset, or we're going to fight over scraps. Should every life start from zero, or should society lift people up and let them build off of our institutions and do better than we did?

The sparse spacers are welcome to their lifestyle, but more and more people are coming, the spaces aren't going to be sparse forever, and they're going to have to learn to live with it eventually.

Comment Don't move to Canada, liberals. (Score 3, Insightful) 2837

Pick a swing state and colonize it if you actually care about your country.

If you look at the state maps, wherever population is densest, people tend to vote left. The reason is simple: people who live in close quarters have learned that it's important to get along.

All those folks out in the sparse spaces haven't figured out that rugged individualism is basically childishness. We look out from the cities and see drooling yokels - they look at us and see preening fops making useless rules.

World's getting smaller though. Eventually the children will have to grow up. We have to take care of each other and share limited resources.

Submission + - Nuclear CSI: Noninvasive procedure could identify criminal nuclear activity (phys.org)

mdsolar writes: Determining if an individual has handled nuclear materials, such as uranium or plutonium, is a challenge national defense agencies currently face. The standard protocol to detect uranium exposure is through a urine sample; however, urine is able to only identify those who have been exposed recently. Now, scientists at the University of Missouri have developed procedures that will better identify individuals exposed to uranium within one year. Scientists and homeland security experts believe this noninvasive procedure could identify individuals who may be smuggling nuclear materials for criminal purposes.

"We are working to develop a tool that law enforcement agencies in nuclear proliferation or smuggling investigations can use to identify individuals who have handled special nuclear material," said John Brockman, associate professor of research in the MU Research Reactor Center. "The goal of our research was to determine if hair, fingernail clippings and toenail clippings could be used to better detect uranium exposure."

Brockman collected hair, fingernail and toenail clippings from workers in nuclear research facilities from around the country. Testing procedures developed by Brockman and his team were able to identify exposure to both natural and manmade sources of uranium.

According to the World Nuclear Association, naturally occurring uranium is a mixture of three isotopes, including uranium-238 (U-238), U-235 and traces of U-234. U-238 accounts for over 99 percent of the isotopes found in nature; U-235 is the isotope necessary to create nuclear weapons or power a nuclear reactor. U-235 is considered a fissile isotope, meaning the atom has the ability to split, yielding a large amount of energy. Uranium that has been used as fuel in a nuclear power plant also contains the manmade isotope, U-236.

"Our technique was not only able to determine uranium exposure, but also the specific isotopes the individual has handled within the last year," Brockman said. "We were able to identify exposure to enriched uranium, which is used to make both nuclear fuel and weapons, and U-236 which is suggestive of nuclear fuel reprocessing."

Submission + - Your future smartwatch might be printed with an inkjet printer (sciencemag.org)

sciencehabit writes: Imagine getting the latest smartwatch or a high-tech heart attack warning detector from your inkjet printer. Researchers have taken a step in this direction by printing cheap, reliable arrays of transistors—the key components of modern electronics—and using them to carry out elementary computing tasks. Instead of the usual silicon, the new circuits were fashioned out of organic—or carbon-based—compounds. And whereas others have printed and stacked organic electronic components using a mix of inkjet printing and other deposition methods, the new work uses just an inkjet printer for the entire process. “I cannot think of another [device with at least two layers] where everything was done with inkjet printing,” says Ananth Dodabalapur, an electrical engineer at the University of Texas in Austin who was not involved in the work. “This is a good demonstration.” The work might someday help usher in a new era of organic, flexible consumer electronics.

Submission + - CloudFlare Can Be Ordered To Disclose Science Piracy Website Owner Details (thestack.com)

An anonymous reader writes: A New York judge has ruled that CDN provider Cloudflare can be compelled to disclose customer details for the domains libgen.io and bookfi.org, both of which are alleged to provide pirated access to scientific and technical papers, infringing the rights of controversial academic publisher Elsevier.

Submission + - Bugs in the military forces (medium.com)

SoftwareUnicorn writes: Programs today aren't only the strange calculations of scientists in Fortran, or computer games. They are something that has long been everywhere around us.

The problem of software reliability is particularly relevant today. This time we'll touch upon the question of software safety in military equipment.

On February 11, 1991, Israeli forces informed the Patriot Project Office about a defect found in the Patriot surface-to-air missile defense system. The software responsible for targeting precision had a bug that caused the system's internal clock to drift gradually from the real time. The time was stored as an integer in a 24-bit register with an accuracy of 1/10 of a second. This resulted in some portion of the time value being lost as it incremented every 0.1 seconds. To calculate a target's location, the data had to be cast to real numbers. Learn more about the results of this bug, as well as extracts from the report where you can see the detected problems with the Patriot system, here.

The software had been written in an assembler language 15-20 years earlier and was modified a number of times by different programmer teams during the subsequent years.

P.S. Previously, serious bugs brought harm only in particular spheres: space engineering (Ariane 5) and the military. Now you can see a bug not only sitting at the computer, but also driving a car (Toyota) or visiting a hospital (Therac-25).
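The submission above describes the Patriot clock bug in a sentence; the arithmetic behind it is short enough to carry through. The block below is an added worked example, not from the submission or the linked article. It assumes the 24-bit register held 23 fractional bits (one bit for sign or the integer part), which is the assumption that reproduces the widely reported drift of roughly 0.34 seconds after 100 hours of continuous operation; the tenth-of-a-second tick is what the submission states. The target speed passed to `range_gate_error_m` is a parameter, not a figure from the page.

```python
"""Added example: truncation drift of a fixed-point clock that counts tenths of a second.

0.1 has no finite binary expansion (0.000110011001100...), so storing the
tick in a fixed number of fraction bits loses a little on every increment,
and the error accumulates linearly with uptime. Exact rationals are used so
the result is not muddied by Python's own floating point.
"""

from fractions import Fraction

FRACTION_BITS = 23            # assumed: 24-bit register, 23 bits after the binary point
TICK = Fraction(1, 10)        # the clock advances in tenths of a second (from the text)


def stored_tick(fraction_bits=FRACTION_BITS):
    """0.1 s as the register actually holds it: truncated to `fraction_bits` places."""
    scale = 2 ** fraction_bits
    scaled = TICK * scale                       # exact: 2**23 / 10 = 838860.8
    return Fraction(int(scaled), scale)         # int() truncates -> 838860 / 2**23


def tick_error(fraction_bits=FRACTION_BITS):
    """Seconds lost on every single tick (about 9.5e-8 s for 23 fraction bits)."""
    return TICK - stored_tick(fraction_bits)


def drift_after(hours, fraction_bits=FRACTION_BITS):
    """Accumulated clock error after `hours` of uptime, in seconds (exact Fraction)."""
    ticks = hours * 3600 * 10                   # ten ticks per second
    return ticks * tick_error(fraction_bits)


def range_gate_error_m(hours, target_speed_mps, fraction_bits=FRACTION_BITS):
    """Distance the target travels during the clock error: where the range gate
    is looking versus where the target actually is. Speed is caller-supplied."""
    return drift_after(hours, fraction_bits) * target_speed_mps


def drift_table(hours_list, fraction_bits=FRACTION_BITS):
    """(hours, drift_seconds as float) pairs, handy for seeing the linear growth."""
    return [(h, float(drift_after(h, fraction_bits))) for h in hours_list]


if __name__ == "__main__":
    print(f"stored tick      = {stored_tick()}  ({float(stored_tick()):.12f} s)")
    print(f"error per tick   = {float(tick_error()):.3e} s")
    for h, d in drift_table([1, 8, 20, 48, 72, 100]):
        print(f"after {h:3d} h: clock is {d:.4f} s slow")
    # Illustrative speed only; substitute the target you care about.
    print(f"range gate off by ~{float(range_gate_error_m(100, 1676)):.0f} m "
          f"at 1676 m/s after 100 h")
```

Two things the table makes visible that the prose does not: the per-tick loss is tiny and the drift is strictly proportional to uptime, which is exactly why a system that was specified for short operating periods and reset often shows nothing in testing and fails only after days of continuous running.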

Submission + - Malware Researchers Discover Russian Banks Talking to Trump's Private Servers (slate.com)

ewhac writes: After news broke of Russian hackers infiltrating the Democratic National Committee's servers, malware researchers decided to see if other politically-motivated intrusions were taking place. Among others, they monitored DNS traffic relating to the Trump Organization, looking for evidence of intrusion. Instead, they discovered traffic from Russia that did not match the patterns typical of malware or botnets. Rather, the patterns looked like ordinary human-driven traffic, as one might expect from email being exchanged between servers — specifically, from servers operated by Russia's Alfa Bank. Further, Trump's server only accepted connections from a limited number of IP addresses. Even more curious, when the malware researchers reached out to Alfa Bank to inquire about the unusual traffic, but before speaking to the Trump campaign, the DNS entry for Trump's server was clumsily deleted. As one researcher put it, "The knee was hit in Moscow, the leg kicked in New York." Four days later, the Trump Organization registered a new DNS name for the same server; the first DNS lookup for that name came from Alfa Bank in Russia. While the evidence is not conclusive, it is undeniably suggestive that Trump has more than just an "arms-length" relationship with Russia, and warrants further investigation.

Submission + - Physicists Induce Superconductivity In Non-Superconducting Materials (phys.org)

An anonymous reader writes: Researchers at the University of Houston have reported a new method for inducing superconductivity in non-superconducting materials, demonstrating a concept proposed decades ago but never proven. The technique can also be used to boost the efficiency of known superconducting materials, suggesting a new way to advance the commercial viability of superconductors, said Paul C.W. Chu, chief scientist at the Texas Center for Superconductivity at UH (TcSUH) and corresponding author of a paper describing the work, published Oct. 31 in the Proceedings of the National Academy of Sciences. The research, demonstrating a new method to take advantage of assembled interfaces to induce superconductivity in the non-superconducting compound calcium iron arsenide, offers a new approach to finding superconductors that work at higher temperatures. Superconducting materials conduct electric current without resistance, while traditional transmission materials lose as much as 10 percent of energy between the generating source and the end user. That means superconductors could allow utility companies to provide more electricity without increasing the amount of fuel used to generate electricity. To validate the concept, researchers working in ambient pressure exposed the undoped calcium iron arsenide compound to heat — 350 degrees Centigrade, considered relatively low temperature for this procedure — in a process known as annealing. The compound formed two distinct phases, with one phase increasingly converted to the other the longer the sample was annealed. Chu said neither of the two phases was superconducting, but researchers were able to detect superconductivity at the point when the two phases coexist. 
Although the superconducting critical temperature of the sample produced through the process was still relatively low, Chu said the method used to prove the concept offers a new direction in the search for more efficient, less expensive superconducting materials.

Comment This is about reducing the value of developers (Score 1) 125

This is basic supply manipulation. These companies want H1B-style pricing for local developers.

Firing Americans to hire cheap Indian labour doesn't play well in the media. Solution: teach everyone to code. If everyone's a programmer, companies can play cheap locals off of cheap imports, and "hire more americans" at significant savings.

Optics solved, costs reduced, profits maximized, management class protected.

Assholes.

Comment None of this matters (Score 3, Insightful) 182

> Maybe the government shouldn't have imposed so many surveillance programs on its citizens -- and kept quiet about it for years -- that they now feel the need to use sophisticated security technologies.

Let's get off the "fuck the man" train for a second and look at this rationally.

  • If WhatsApp were compelled to push a version of their app with unencrypted or weakly encrypted local message storage, you'd never know.
  • If Apple or Google were compelled to push a signed OS update that exposed WhatsApp to a local attack (after all, messages must be decrypted on your device for you to read them), you'd never know.
  • If someone were to compromise Apple/Google's SSL certificates, man in the middle your WhatsApp download, and wrap it in a keylogger, you'd never know.
  • If your mobile provider pushed a radio baseband update that invisibly read your WhatsApp keys from memory (yes, many basebands can read and write device RAM directly from outside of OS land), you'd never know.

I am really happy that people are waking up to the necessity of encryption. But end-to-end encryption relies on secured local endpoints, and all we have are devices that are 100% owned by the corporations we rent them from.

That phone in your hand is not yours. It's a hostile environment for hostile apps.
