
Prosecutors Say NSA Contractor Could Flee To Foreign Power

An anonymous reader quotes a report from ABC News: The NSA contractor accused of stealing a gargantuan amount of sensitive and classified data from the U.S. government was studying Russian before he was arrested and would be a "prime target" for foreign spies should he be released on bail, prosecutors argued ahead of a court hearing for Harold Martin, III, today. The government said it is "readily apparent to every foreign counterintelligence professional and nongovernmental actor that the Defendant has access to highly classified information, whether in his head, in still-hidden physical locations, or stored in cyberspace -- and he has demonstrated absolutely no interest in protecting it. This makes the Defendant a prime target, and his release would seriously endanger the safety of the country and potentially even the Defendant himself." Prosecutors noted that Martin purportedly communicated online "with others in languages other than English, including in Russian" and that he had downloaded information on the Russian language just a couple of months before he was arrested in August. Martin's attorneys, however, said in their own court filing Thursday that there is still no evidence he "intended to betray his country" and argued that he was not a flight risk. All the talk of foreign spies and potential getaway plans, the defense said, were "fantastical scenarios." Martin's defense team said in part: "The government concocts fantastical scenarios in which Mr. Martin -- who, by the government's own admission, does not possess a valid passport -- would attempt to flee the country. Mr. Martin's wife is here in Maryland. His home is here in Maryland. He has served this country honorably as a lieutenant in the United States Navy, and he has devoted his entire career to serving his country. There is no evidence he intended to betray his country. The government simply does not meet its burden of showing that no conditions of release would reasonably assure Mr. Martin's future appearance in court. For these reasons, and additional reasons to be discussed at the detention hearing, Mr. Martin should be released on conditions pending trial."

UPDATE 10/21/16: Slashdot reader chromaexursion writes: "Harold Martin was denied bail. The judge agreed with the prosecution in his decision."

Comment Re:DCMA Fair Use / Parody (Score 1) 216

No, it wouldn't. These notices are made on behalf of Samsung about an exclusive right to something about the Galaxy 7 which is allegedly being infringed. The assertion of infringement has no legal standing, but the assertion is made on behalf of the owner of an exclusive right that is allegedly infringed.

A judge can find a load of other shit you're doing wrong if you're misusing the statute. Abuse of the legal system is frowned upon.

Comment Re:Mitigations (Score 1) 107

The simple mitigation is to not have local users who will hack your machine.

If you run a server, an exploit of the server software (nginx, PHP scripts, Ruby on Rails, etc.) will provide local non-root access, which you can then root.

If you run your server software in Docker, then the host system's binaries aren't exposed. That means an attacker can't modify the disk cache for /bin/su and then su to root; he can only modify the disk cache for /bin/su or glibc from e.g. the debian:jessie image that the Docker image the container used is based on. Elevation in the same container is useless: anything mounted read-write is likely already writable by the software the attacker exploited in the first place, so they have that access; and modifying the system is pointless, since you can just destroy and recreate the container in 10 seconds.

A container exploit might give a cross-container exploit to all containers eventually descended from the same version of the same base image (e.g. everything ultimately built from that release of debian:jessie), but it's tricky. You can modify e.g. /usr/sbin/nginx and send a reverse-shell to all nginx containers; or you can modify glibc and get it into everything using the same base image (because it's from the same disk blocks, thus the same disk cache). Either of those has to use the existing memory space (can't add empty memory pages or use anything outside the file), replace code in an existing function, and not outright crash (or the container terminates and all processes end immediately); and a glibc modification would make your reverse shell kind of useless (bash would just re-exploit and call a new reverse shell).

Escape to the host system is as impossible as it is without this exploit, so there's that.

So, for some server software configurations, this is diminished to the point of uselessness. For others, they get the www-data user and then su straight to root.

The Internet

Several Sites Including Twitter, GitHub, Spotify, PayPal, NYTimes Suffering Outage -- Dyn DNS Under DDoS Attack [Update]

Several popular websites and services are down right now for many users. The affected sites include Twitter, SoundCloud, Spotify, and PayPal among others. The cause appears to be a sweeping outage of DNS provider Dyn -- which in turn is under DDoS attack, according to an official blog post. From a TechCrunch report: Other sites experiencing issues include Box, Boston Globe, New York Times, Github, Airbnb, Reddit, Freshbooks, Heroku and Vox Media properties. Users accessing these sites might have more or less success depending on where they're located, as some European and Asian users seem not to be encountering these issues. Last month, Bruce Schneier warned that someone was learning how to take down the internet.

Update: 10/21 14:41 GMT by M : Dyn says that it has resolved the issue and sites should function normally.

Update: 10/21 17:04 GMT by M : Department of Homeland Security says it is aware of the first DDoS attack on Dyn today and is "investigating all potential causes." Dyn says it is still under DDoS attack. News outlet The Next Web says it is also facing issues. Any website that uses Dyn's service -- directly or indirectly -- is facing the issue. Motherboard has more details.

Update: 10/21 17:57 GMT by M : It seems PlayStation Network has also been hit. EA Sports Games said it is aware of the issues in live play. Dyn says it is facing a second round of DDoS attacks.

Update: 10/21 18:45 GMT by M : U.S. government probing whether east coast internet attack was a 'criminal act' - official.

Editor's note: the story is being updated as we learn more. The front page was updated to move this story up. Are you also facing issues? Share your experience in the comments section below.

'Adding a Phone Number To Your Google Account Can Make it Less Secure'

You may think that adding a backup phone number to your account will make it less prone to hacking, but that is not always the case. Vijay Pandurangan, EIR at Benchmark (and formerly Eng Site Lead at Twitter), argues that your phone number is likely the weakest link for many attackers (at least when they are trying to hack your Google account). He has shared the story of his friend who had his Google account compromised. The friend in this case, let's call him Bob, had a very strong password, a completely independent recovery email, hard-to-guess security questions, and he never logged in from unknown devices. Though Bob didn't have multi-factor authentication enabled, he did add a backup phone number. On October 1, when Bob attempted to check his email, he discovered that he was logged out of his Gmail account. When he tried to log in, he was told that his password had been changed less than an hour earlier. He tried calling Verizon, and discovered that his phone service was no longer active, and that the attacker had switched his service to an iPhone 4. "Verizon later conceded that they had transferred his account despite having neither requested nor being given the 4-digit PIN they had on record." The attacker reset Bob's password and changed the recovery email, password, and name on the account, and enabled two-factor authentication. He got his account back, thanks to support staff and colleagues at Google, but the story illustrates how telcos are the weakest link. From the article:

Using a few old Google accounts, I experimented with Google's account recovery options and discovered that if a Google account does not have a backup phone number associated with it, Google requires you to have access to the recovery email account OR know the security questions in order to take over an account. However, if a backup phone number is on the account, Google allows you to type in a code from an SMS to the device in lieu of any other information. There you have it: adding a phone number reduces the security of your account to the lowest of: your recovery email account, your security questions, your phone service, and (presumably) Google's last-ditch customer service in case all other options fail. There are myriad examples of telcos improperly turning over their users' accounts: everything from phone hacking incidents in the UK to more recent examples. Simply put, telcos can be quite bad at securing your privacy and they should not be trusted. Interestingly, it appears that if two-factor auth via SMS is enabled, Google will not allow your password to be reset unless you can also answer a security question in addition to having access to a phone number.
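The "lowest of" argument above, written out as a small weakest-link model. This is an added example, not code from the article or the Slashdot summary: a recovery policy is an OR of paths, each path an AND of factors, and the per-factor difficulty scores are constructed assumptions used only to show how the effective takeover difficulty moves when paths are added or combined.

```python
"""Weakest-link model of account-recovery policies (added illustration).

An attacker needs only ONE recovery path, but within a path must defeat
EVERY factor.  So a path is gated by its hardest factor, and a policy is
gated by its easiest path.  Scores are constructed, not measured.
"""
from typing import Dict, FrozenSet, List

# Constructed attacker-difficulty score per recovery factor (higher = harder).
FACTOR_DIFFICULTY: Dict[str, int] = {
    "recovery_email": 70,       # independent, well-protected mailbox
    "security_questions": 60,   # hard-to-guess answers
    "phone_sms": 20,            # telco port-out, as in the Verizon story above
}

# Each path is a frozenset of factors that must ALL be satisfied.
Policy = List[FrozenSet[str]]

# No backup phone: recovery email OR security questions.
NO_PHONE: Policy = [frozenset({"recovery_email"}),
                    frozenset({"security_questions"})]

# Backup phone added: an SMS code alone becomes a third, independent path.
WITH_BACKUP_PHONE: Policy = NO_PHONE + [frozenset({"phone_sms"})]

# SMS 2FA enabled: per the article, the phone path then also needs a security
# question.  Assumption: the other paths are unchanged.
SMS_2FA: Policy = NO_PHONE + [frozenset({"phone_sms", "security_questions"})]


def path_difficulty(path: FrozenSet[str],
                    difficulty: Dict[str, int] = FACTOR_DIFFICULTY) -> int:
    """AND of factors: the attacker must defeat every one, so the hardest gates."""
    if not path:
        raise ValueError("a recovery path needs at least one factor")
    return max(difficulty[f] for f in path)


def weakest_path(policy: Policy,
                 difficulty: Dict[str, int] = FACTOR_DIFFICULTY) -> FrozenSet[str]:
    """OR of paths: the attacker picks the alternative with the lowest gate."""
    return min(policy, key=lambda p: path_difficulty(p, difficulty))


def policy_difficulty(policy: Policy,
                      difficulty: Dict[str, int] = FACTOR_DIFFICULTY) -> int:
    """Effective account-takeover difficulty is that of the weakest path."""
    return path_difficulty(weakest_path(policy, difficulty), difficulty)


def compare(policies: Dict[str, Policy]) -> Dict[str, int]:
    """Score several policies side by side."""
    return {name: policy_difficulty(p) for name, p in policies.items()}


if __name__ == "__main__":
    scores = compare({"no phone": NO_PHONE,
                      "backup phone": WITH_BACKUP_PHONE,
                      "SMS 2FA": SMS_2FA})
    for name, score in scores.items():
        weakest = sorted(weakest_path(
            {"no phone": NO_PHONE, "backup phone": WITH_BACKUP_PHONE,
             "SMS 2FA": SMS_2FA}[name]))
        print(f"{name:13s} difficulty={score:3d}  weakest path={weakest}")
```

Adding the SMS-only path drops the policy to the phone factor's score, while requiring SMS AND a security question restores the score of the pre-phone policy, which is exactly the article's observation about the two Google configurations.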

Comment Re:How can that possibly be legal? (Score 1) 301

Well they could disable access to the travel data stream--a resource you're continuously using, maintained by them, at a cost of loads and loads of money per year diffused through thousands of consumers.

400 million copies of Windows XP sold. If they paid 270 programmers full-time for 10 years to develop and maintain XP, Microsoft would have made a profit selling it at $1. What's Tesla's incentive to keep up with firmware and data updates?

For what it's worth, the 2009 DVD to update the 2004 Mazda 3's in-dash navigation system costs $300. Yes, you have to pay $300 for the DVD, then install it into your car yourself, and then you have 2009's map data instead of 2004's. This was also true of the 2007 update.

Comment Re:DCMA Fair Use / Parody (Score 4, Interesting) 216

Not even.

The phone isn't copyrighted. Its existence and a representation of it as a material fact can't be copyrighted. You can't copyright the existence and form of your product in such a way that, for example, a novel writer can't mention that a person was using a Samsung Note 3 and describe the functionality he was using. Those are material facts.

The phone is a trademark--or at least its visual form and its name are potential trademarks. You may be able to patent the production of a phone in that form (design patent), and trademark a particular shape of a phone (like the Gibson and Fender headstocks--yes, their brand-identifiable shapes are trademarked); that applies only to actually making a phone.

Samsung is legally-required to protect its trademarks, else they lose them. That means a number of things. It means you can't make a DogRun Galaxy 7 phone (especially in substantially-similar design to the Samsung offering) because Galaxy and Galaxy 7 are Samsung trademarks. It means you can't use the Samsung name to brand your phone. If you do these things, Samsung must take action, or else the next guy to do the same thing can point out that Samsung hasn't protected their trademark.

A reference to a trademark isn't a trademark infringement.

A reference to a trademark in a book, in a TV show, in a video game, in literature about your own product, wherever it is, does not infringe trademark. Trademark distinguishes products. If you make a phone and, in the literature, identify that it is distinct from the Samsung Galaxy 7 by pointing out that it has similar or superior battery life to the Samsung Galaxy 7, you haven't infringed trademark because you haven't identified your phone as a Samsung Galaxy 7.

That video isn't parody, by law; it's non-infringing. It's a non-infringing reference to a trademark and to the existence of a product. Artistically, it's satire: it explores an existing material fact with humor and exaggeration. Even if it had no artistic defense, there's no standing for any intellectual property claim--copyright, trademark, patent, or otherwise. Samsung's phones blowing up is a material fact; it might be over-emphasized, but it's a thing that happened in the world, and the phones are a thing that exist in the world, and the thing in the game is a representation of that thing and not a counterfeit product.

Comment Re:Holy flamebait batman! (Score 1) 890

It's something we need to move into, as a matter of social welfare. There's actually an argument (not very sound) that the United States is legally-required to implement something substantially-similar to the system I designed as soon as technically-feasible.

The ideal that we'll need some kind of UBI because of an upcoming crisis is rooted in a misunderstanding of economics. People think automation is a new thing and jobs go away forever; but it's just technical progress, the same as we've been doing for thousands of years. The threat comes when progress occurs too rapidly: if you create rapid unemployment, the slow replacement of jobs doesn't keep up, and you get high unemployment.

The only zero-job economy is a zero-labor utopia where humans do nothing. Flat out. As long as human hands are required somewhere in the process, there's no such thing as permanent job destruction. As well, new jobs range from highly-complex, heavily-specialized disciplines to pushing the buttons on the machines at the correct time; sometimes the sensors and probes aren't nearly as accurate as humans, or just cost a lot more. That's why things like injection-molded plastic forms are removed from the mold by hand and placed on a conveyor: a machine that can handle that job would be ridiculously-complex and unreliable; at the very least, it'd require thousands of hours of QA testing after retooling the IM to make a new form--or you just skip all that maintenance and extra QA and pay someone to do it by hand.

The nature of technology is also that it's invented as soon as it's envisioned in sufficient detail. It's in-production shortly after. People have romanticized about robots replacing 100% of all jobs since Karl Marx proposed it as an immediate, tomorrow-goal for society; then, they made machines and came up with new jobs doing the last bits of work finishing up after the machines--the robot does the job of a hundred men, and one man clears up their mistakes.

The corollary is we're constantly imagining all jobs will go away forever when we see a new technology (machines, trade, or materials--cotton is the bane of the sheep-shearers' union!). We can't imagine what new technology will appear tomorrow and how it will create jobs, because technology reduces labor requirements.

So what actually happens?

We reduce the labor involved, and the costs go down eventually--the relative cost of things is in constant turmoil, and the relative desirability of goods changes. Food has enormous competition. Every good competes with every other good--if you spend more of your money on food, you have less for iPads; if 2/3 of the price of iPads is actual costs and people are only willing-and-able to spend 3/4 of the price, then you need to lower the price (by 1/4, meaning the cost is now 8/9 of the price--an 11% margin instead of 33%). Instead of margins getting fatter and corporate profits soaring, corporate profits average the same marginal percent over the long term.

So people steadily get that spending power back. They then buy more stuff. That creates replacement jobs. If you've eliminated (over a wide time span) 50% of all required labor to make things, then costs are now only 50% as much; prices adjust in total to half of all income; and people now buy twice as many things. It takes half the working-hours to make the same, or the same working hours to make (and buy) twice as much.

Handwaving away all the economics bullshit, you can just state mathematically that a profit margin of X% implies paying wages of 100%-X%. Wages being what they are, the number of labor hours is mediated by how much money is spent. Reducing labor in one place means you have unspent money; you spend it elsewhere; suddenly there's labor there. This works over long timescales; your economy collapses if you replace a third of it with machines over the long weekend.

So, all of that. Yeah. Point?

I don't believe we're going to need to face up to a UBI in the future, in the sense that I don't believe society will collapse from catastrophic job loss and everyone will need free money. I believe the system I designed slows the transition onto technical progress by making human labor lower-cost, thus strengthening competition with lower-labor solution, without lowering take-home (spendable) wages. That means businesses take less risk waiting for automation solutions to come down in price (delaying for a competitive advantage of implementing even-cheaper automation later, at the cost of paying more for labor now); the variation in risk appetite and risk tolerance will lead some businesses to implement earlier and others later, whereas ramping up the cost of labor will cause the higher-risk players to hit their risk limits at the same time (i.e. earlier) as the lower-risk players.

A UBI is one way to avoid a transition like the Industrial Revolution (60% unemployment for THREE GENERATIONS), and instead get a transition like the Information Age (low employment, rapid job growth, rapid economic growth, and a high-speed evolution through generations of new technology and greater economic security--and occasional bitching about 6%-8% unemployment peaks that came a decade apart and lasted 2-3 years; the Great Recession of 2008 was pretty huge). It reduces the risk of a societal collapse in the way people fear one might occur, but that collapse isn't guaranteed anyway.

Other than that, it's also a lot more efficient than our current system--but only once we've got a wealthy-enough nation (which became a stable fact in 2013, in that we could do it while moving around no more money than we're already spending on welfare). Doing this in 1950 would have destroyed America.

Comment Re:It's not a matter of those reasons (Score 1) 547

True, and that's their prerogative.

The thing is both positions are surprisingly mature. Zuckerberg is probably just being a loud-mouth and trying to prevent a public incident from screwing with his company; but it's still an important point if you exclude his viewpoint. The highest-developed psychological defense mechanisms include suppression and tolerance--delaying an emotional response until you can deal with it safely, and allowing behaviors of others which aren't harmful to you even if you disagree with them. Trump supporters are their own problem, by and large because they want to support a celebrity or a political party (a lot of Republicans are blind to their own candidate and only want to be saved from socialism or something); and people who object to Trump have the right to declare that their particular organization has strong objections to Trump's message.

That means YC can declare it wants nothing to do with Trump or its supporters; and Facebook can declare itself not the steward of people's opinions; and both are essentially-correct behaviors.

Comment Re:If only there was some possible way to ... (Score 1) 82

Sure, in the same way it's not hard to just order the cheap dextromethorphan powder, measure it on a mg scale, and sift it into empty capsule shells. People still buy Robitussin.

Part of the point is that the storage has gotten so cheap there's no excuse, even if you seal the device and just permanently install a 128GB or larger microSD card in one of these devices.

So one of the things I argued was the control circuitry for a storage card costs about as much or more than a large (32GB+) amount of storage, if you use those NAND chips instead of (or in addition to) the NAND chips you used anyway. You just suggested a more-expensive way to achieve the same goal; and it's also slower than just integrating the storage directly.

I also described that the "so cheap there's no excuse" part is essentially making you buy things you won't use if you don't have a use for it--essentially everybody these days, because the cost of adequate storage for near-100% of use cases is nearly-undifferentiated from the cost of smaller storage (i.e. the process for X gigabyte chips is so efficient it's no more costly than using the same package but only etching in less than X gigabytes, where the cost of more-than-X gigabytes is higher because it requires a more-expensive process or the same process with more chips). To be clear about this: wasting a few pennies that way can have disastrous impacts on the economy, making everyone strikingly poorer.

In the case of fast food as an example, fast food joints serve 240 billion sales per year at an average $8 per sale. If we bump that to $8.14, who cares? Well, 14 cents times 240 billion is $33.6 billion. The money spent in a given year comes from incomes, which comes from revenues, which comes from sales: if you spend $8 more on some other thing, then that's $8 that isn't spent on a fast food value meal in that time frame. $33.6 billion translates to 2,371,241 full-time minimum wages--or a maximum of 2.37 million jobs lost. (The jobs are lost only if you remove their buying power--by taking a bigger corporate profit margin or raising wages so that the same money concentrates into fewer hands).

What you're describing--putting something approximately-nobody needs into the product at an arbitrary "small" cost because the producer thinks it would be nice and is cheap--is technically called "gold plating". More importantly, it wastes labor time (purchasing power and the work done to make what is purchased) producing a thing that nobody is going to use, and thus prevents people from having what that labor time would have made instead. In this case, that's an estimated $10 times 43.7 million Kindles sold per year to equip them with additional storage approximately 0% of the population will actually use--or a waste of $437 million.

That's fractionally-small compared to a few pennies' increase in fast food costs. There are also cell phones, computers, watches, shoes, jackets, televisions, lamps, blenders, refrigerators, cars, keyboards, pens, tea pots, and all manner of things people buy which we could gold-plate for pennies on the dollar (because making a $120 device $130 is about 8 cents on the dollar). The end result would be a purchasing power 8% smaller--you might have the same income, but you'll buy 8% less stuff, mainly because all that stuff has a marketing bullet-point that sounds awesome but that you never use (but hey, your car DOES have a hardware Monkey's Audio decoder IC and can directly play .APE files from USB with hardware acceleration!).

I actually used to argue the exact opposite, but then I sat down and reasoned it out trying to generate a supporting argument and shot myself straight in the foot. Attempting to use logic can backfire now and then. I had to change my stance to align with objective reality.

Comment Re:I thought this was obvious? (Score 1) 151

If it were the top 3% of users, it would reach an equilibrium well-below the top 3% of typical user demand.

If it were the top 3% of volume, it would reach an equilibrium at the maximum volume possible at the throttled speed, as that is eventually the amount of use below which you cannot reduce by throttling, and any use above that would eventually push you into the top 3% as the top users are drawn downward.

They're throttling customers in the top 3% of data usage, rather than data users. Supposedly the mean data usage is around 2GB currently, so 17GB at less than 3 standard deviations out seems ludicrous.

Comment Re:If only there was some possible way to ... (Score 1) 82

My point was having two SD cards is rocket surgery--or at least is often more-complex than would be obvious. The UX to easily know what data is on what is difficult. People who aren't obsessive nerds who organize their $HOME directories essentially want "Space": they want things to download and magically end up where they belong. They don't want to spend 40 minutes sorting through 6,000 files, picking out what's what, tagging them, inspecting them when they don't remember, and then individually setting each one's storage location.

Almost 100% of people who put an SD card in a device are adding permanent storage. They put a card in their phone or tablet or whatever, and that's the end of that. It's not an organization tool to most people; it's a bulk commodity.

That's why Android phones stopped having SD cards, and then started having them again, and then started letting users replace their internal storage with SD card (your photos get copied onto the card, and the internal storage space is replaced with the SD card entirely). People see two things with storage: "I can't install an app because my phone is full" or "Now I can take more pictures!" They don't know or even care where it goes.

The solution, then, is more internal storage. External storage is an expensive added complexity that almost all users will use by putting exactly one card into the slot and never removing it unless, somehow, they have the phone 5 years later, the 32GB card is full, and new 1TB cards are available cheap--all the while wanting it to behave as more internal storage.

Comment Re:I thought this was obvious? (Score 1) 151

If you're in the top 3 percent of data volume, then throttling reduces your data volume, moving your span downward. Thus the top 3 percent of data volume becomes lower.

If you're in the top 3 percent of users, then throttling reduces your data volume, moving your span downward. Thus others would fall into the usage range of the top 3 percent of users, and the spot group of top-3%-users would become volatile. This would bring more users' use downward, increasing this effect until they cluster together enough to not drag down further.
