
Submission + - "Most serious" Linux privilege-escalation bug ever is under active exploit (arstechnica.com)

operator_error writes: Lurking in the kernel for nine years, flaw gives untrusted users unfettered root access.

By Dan Goodin — 10/20/2016

A serious vulnerability that has been present for nine years in virtually all versions of the Linux operating system is under active exploit, according to researchers who are advising users to install a patch as soon as possible.

While CVE-2016-5195, as the bug is cataloged, amounts to a mere privilege-escalation vulnerability rather than a more serious code-execution vulnerability, there are several reasons many researchers are taking it extremely seriously. For one thing, it's not hard to develop exploits that work reliably. For another, the flaw is located in a section of the Linux kernel that's a part of virtually every distribution of the open-source OS released for almost a decade. What's more, researchers have discovered attack code that indicates the vulnerability is being actively and maliciously exploited in the wild.

"It's probably the most serious Linux local privilege escalation ever," Dan Rosenberg, a senior researcher at Azimuth Security, told Ars. "The nature of the vulnerability lends itself to extremely reliable exploitation. This vulnerability has been present for nine years, which is an extremely long period of time."

The underlying bug was patched this week by the maintainers of the official Linux kernel. Downstream distributors are in the process of releasing updates that incorporate the fix. Red Hat has classified the vulnerability as "important."

Submission + - Verizon launches auction to sell data centers (reuters.com)

operator_error writes: Verizon has now chosen to reverse "its strategy to expand in hosting and colocation services after it acquired data center operator Terremark Worldwide Inc in 2011 for $1.4 billion", and has "started a process to sell its data center assets".

The so-called 'colocation' portfolio up for sale includes 48 data centers, and generates annual earnings before interest, tax, depreciation and amortization of around $275 million.

The enterprise telecommunications industry has had to adapt in recent years to corporate customers seeking more sophisticated and cheaper offerings to manage their data. Verizon joins a host of its rivals in telecommunications who are shedding their data centers.

The article doesn't mention alternative, scalable virtual-machine technologies or companies with such a focus, such as Amazon, Xen, KVM, or VMware, but Slashdot readers might be able to draw such conclusions for themselves.

Submission + - Pink Slips at Disney. But First, Training Foreign Replacements. (nytimes.com)

operator_error writes: The employees who kept the data systems humming in the vast Walt Disney fantasy fief did not suspect trouble when they were suddenly summoned to meetings with their boss.

“I just couldn’t believe they could fly people in to sit at our desks and take over our jobs exactly,” said one former worker, an American in his 40s who remains unemployed since his last day at Disney on Jan. 30. “It was so humiliating to train somebody else to take over your job. I still can’t grasp it.”

But the layoffs at Disney and at other companies, including the Southern California Edison power utility, are raising new questions about how businesses and outsourcing companies are using the temporary visas, known as H-1B, to place immigrants in technology jobs in the United States. These visas are at the center of a fierce debate in Congress over whether they complement American workers or displace them.

Disney “made the difficult decision to eliminate certain positions, including yours,” as a result of “the transition of your work to a managed service provider,” said a contract presented to employees on the day the layoffs were announced. It offered a “stay bonus” of 10 percent of severance pay if they remained for 90 days. But the bonus was contingent on “the continued satisfactory performance of your job duties.” For many, that involved training a replacement. Young immigrants from India took the seats at their computer stations.

“The first 30 days was all capturing what I did,” said the American in his 40s, who worked 10 years at Disney. “The next 30 days, they worked side by side with me, and the last 30 days, they took over my job completely.” To receive his severance bonus, he said, “I had to make sure they were doing my job correctly.”

Submission + - Homer Simpson Nearly Calculates Higgs Boson 14 years Before its Actual Discovery (latimes.com)

operator_error writes: In the episode, titled “The Wizard of Evergreen Terrace,” a mid-life crisis inspires Homer to become an inventor in the mold of Thomas Edison. One scene features him at a blackboard working on an equation to calculate the mass of a Higgs boson, the elusive subatomic particle that is key to understanding why objects in the universe have mass in the first place. (You can see a picture of the blackboard here.)

Simon Singh, a science writer with a doctorate in particle physics, crunched Homer’s numbers and declared that the usually hapless Homer got his math pretty much right.

“That equation predicts the mass of the Higgs boson,” Singh told the Independent. “If you work it out, you get the mass of a Higgs boson that’s only a bit larger than the nano-mass of a Higgs boson actually is. It’s kind of amazing as Homer makes this prediction 14 years before it was discovered.”

Well, not exactly.

According to David Kaplan, a bona fide particle physicist at Johns Hopkins University, Homer’s equation yields a value of 777 gigaelectronvolts, or GeV. The actual value measured at the Large Hadron Collider is more like 125 GeV, plus or minus a GeV.

“It is a bit off, but not insanely so,” Kaplan said.

Homer would have done even better if he hadn’t made pi the first term in his equation, Kaplan added. Without it, he’d have had “a nice guess of 99 GeV, which would not have been too shabby,” he said.

Even so, 777 GeV was not outside the realm of possibility back in 1998 – at that time, the upper limit was thought to be around 850 GeV. Still, those in the know were already seeing evidence that the true mass of the Higgs was significantly lower, Kaplan explained.

The fourth line of Homer's equation appears to show how a doughnut can evolve into a spherical body that vaguely resembles the moon.

Submission + - By Hiring Tata and Infosys, So Cal Edison Reduces Local Headcount

operator_error writes: Michael Hiltzik of The Los Angeles Times reports that Southern California Edison, the local electrical utility, has let go of 500 IT employees by outsourcing jobs to Tata and Infosys, who are top users/abusers of the U.S. H-1B visa process; 400 So Cal employees were laid off and 100 'left voluntarily', many with decades of experience. Indicative of the trend this has now become, last year Minnesota-based agribusiness behemoth Cargill said it would outsource as many as 900 IT jobs to Tata.

These employees perform the crucial work of installing, maintaining and managing Edison's computer hardware and software for functions as varied as payroll and billing, dispatching and electrical load management across Edison's vast power generating and electric transmission network. The workers I interviewed are in their 50s or 60s and have spent decades serving as loyal Edison employees.

"They told us they could replace one of us with three, four, or five Indian personnel and still save money," one laid-off Edison worker told me, recounting a group meeting with supervisors last year. "They said, 'We can get four Indian guys for cheaper than the price of you.' You could hear a pin drop in the room."

They're not the sort of uniquely creative engineering aces that high-tech companies say they need H-1B visas to hire from abroad, or foreign students with master's degrees or doctorates from U.S. universities who also can be employed under the H-1B program. They're experienced systems analysts and technicians for whom these jobs have been stairways from the working class to five- or six-figure middle-class incomes. Many got their training at technical institutes or from Edison itself.

This worker and the half-dozen others I interviewed asked to remain anonymous because their severance packages forbid them to speak disparagingly about the company.

Submission + - Fox News Apologizes for False Claims of Muslim-Only Areas in England and France (nytimes.com)

operator_error writes: Fox News issued an unusual on-air apology on Saturday night for having allowed its anchors and guests to repeat, for a week, the false claim that there are Muslim-only “no-go zones” in European countries like England and France that are not under the control of the state and are ruled according to Shariah law.

Fox Report host Julie Banderas said that “over the course of this last week, we have made some regrettable errors on air regarding the Muslim population in Europe, particularly with regard to England and France.”

“Now this applies especially to discussions of so-called no-go zones, areas where non-Muslims allegedly are not allowed in and police supposedly won’t go,” Ms. Banderas continued. “To be clear, there is no formal designation of these zones in either country and no credible information to support the assertion that there are specific areas in these countries that exclude individuals based solely on their religion.”

The claim that such areas existed attracted widespread attention, and a wave of online derision.

Submission + - Amsterdam Airport Deploys Fully-Automated Solar-Power Green Lasers Against Birds

operator_error writes: Seven out of every 10,000 flights near Amsterdam involve a collision with birds, upon either take-off or landing. Bird control is therefore such an issue that as many as 7,000 geese have to be gassed annually, while more humane methods have been sought. Now Amsterdam's Schiphol Airport has started to deploy solar-powered, fully-automated bird-scanning green lasers (which will not interfere with aircraft vision).

Submission + - 'Frozen' songwriters next write about an awkward computer repairman (latimes.com)

operator_error writes: A new musical from the Academy Award-winning songwriters of "Frozen" will tell the story of a socially awkward computer repairman named Dan who becomes attracted to Lindsay, a t-shirt designer. But his overactive imagination keeps getting in the way of a potential relationship.

"Up Here" will delve into the overactive imagination of its 30-something protagonist, bringing to life the "circus of judgmental, neurotic, ever-changing characters that rule an ordinary man's mind."

Submission + - OwnCloud Developer requests removal from Ubuntu repos: multiple vulnerabilities (webupd8.org)

operator_error writes: ownCloud developer Lukas Reschke has sent an email to the Ubuntu Devel mailing list, requesting that ownCloud (server) be removed from the Ubuntu repositories because the package is old and there are multiple critical security bugs for which no fixes have been backported. He adds that:

        "Those security bugs allow an unauthenticated attacker to gain complete control of the web server process".

However, packages can't be removed from the Ubuntu repositories for an Ubuntu version that was already released, which is why the package was removed from Ubuntu 14.10 (2 days before its release) but is still available in the Ubuntu 14.04 and 12.04 repositories (ownCloud 6.0.1 for Ubuntu 14.04 and ownCloud 5.0.4 for Ubuntu 12.04, while the latest ownCloud version is 7.0.2).

Furthermore, the ownCloud package is in the universe repository and software in this repository "WILL NOT receive any review or updates from the Ubuntu security team" (you should see this if you take a look at your /etc/apt/sources.list file) so it's up to someone from the Ubuntu community to step up and fix it. "If nobody does that, then it unfortunately stays the way it is", says Marc Deslauriers, Security Tech Lead at Canonical.

You can follow the discussion on the Ubuntu Devel mailing list.

So, until (if) someone fixes this, if you're using ownCloud from the Ubuntu repositories, you should either remove it or upgrade to the latest ownCloud from its official repository, hosted by the openSUSE Build Service.

Submission + - Studies Conclude Hands-free-calling & Apple Siri Distract Drivers (latimes.com)

operator_error writes: In many cars, making a hands-free phone call can be more distracting than picking up your phone, according to a new study from AAA and the University of Utah.

In-dash phone systems are overly complicated and prone to errors, the study found, and the same is true for voice-activated functions for music and navigation.

A companion study also found that trying to use Siri — the voice control system on Apple phones — while driving was dangerously distracting. Two participants in the study had virtual crashes in an automotive simulator while attempting to use Siri, the study's authors reported.

In response, Toyota said the study did not show a link between cognitive distraction and car crashes.

"The results actually tell us very little about the relative benefits of in-vehicle versus hand-held systems; or about the relationship between cognitive load and crash risks," said Mike Michels, a Toyota spokesman.

Submission + - "Shellshock" may be partially patched, but it's still highly dangerous (arstechnica.com)

operator_error writes: David A. Wheeler, a computer scientist who is an acknowledged expert in developing secure open-source code, posted a message to the Open Source Software Security (oss-sec) list this evening urging more changes to the bash code. And other developers have found that the current patch still has vulnerabilities similar to the original one, where an attacker could store malicious data in a variable named the same thing as frequently run commands. Norihiro Tanaka, a Japanese open-source developer, noted the problem in an e-mail to the bug-bash list today. By using an environmental variable called cat—the same name as a Unix utility that can concatenate files—he was able to bypass the fixes in the latest bash patch and pass through executable commands. Wheeler noted this vulnerability as well, in an email to both oss-sec and the bug bash list:

I appreciate the effort made in patch bash43-026, but this patch doesn't even BEGIN to solve the underlying shellshock problem. This patch just continues the "whack-a-mole" job of fixing parsing errors that began with the first patch. Bash's parser is certain to have many many many other vulnerabilities; it was never designed to be security-relevant. John Haxby recently posted that "A friend of mine said this could be a vulnerability gift that keeps on giving." Bash will be a continuous rich source of system vulnerabilities until it STOPS automatically parsing normal environment variables; all other shells just pass them through! I've turned off several websites I control because I have *no* confidence that the current official bash patches actually stop anyone, and I am deliberately *not* buying products online today for the same reason. I suspect others have done the same. I think it's important that bash change its semantics so that it "obviously has absolutely no problems of this kind".

In other words, “Shellshock” may be partially patched, but it’s still highly dangerous on systems that might use bash to pass information to the operating system or to launch other software. And it may take a significant change to fix the code.

Submission + - Nokia announces MeeGo 1.2 for Developers w/ N900 (meego.com)

operator_error writes: Jukka Eklund at Nokia writes to the MeeGo Dev list: "I am thrilled to announce a little thing we started at Nokia. Basically we want to have MeeGo running on the N900 device, so that it's really usable as your daily development device. Basic Handset UX should work: phone calls, SMS, web browsing. So we are concentrating on a few selected features and polishing those to be "perfect". It might mean that we leave out some things in MeeGo 1.2 trunk for this edition, but that is not the default intention.

We are doing this fully in the open, and I hope this is an interesting project where we all in the community work towards the same goal: have a great MeeGo edition on the N900. This work is naturally based on the great work done already by the N900 adaptation team led by Harri and Carsten.

The wiki is up here: http://wiki.meego.com/ARM/N900/DeveloperEdition. It will be populated with more information as we go; thanks for the patience.

Br,
Jukka
Developer Edition product manager" ...Also folks, be sure to stay tuned for the new Nokia N950, meant only as a (likely) unsubsidized developer's hardware refresh of the N900. Only, rumor has it that it will not arrive with a slide-out keyboard. How important is having an N900-style keyboard to you, along with the new MeeGo love that Nokia's software continues to offer?
