Slashdot

How Are Sysadmins Handling Spectre/Meltdown Patches?

Esther Schindler (Slashdot reader #16,185) writes that the Spectre and Meltdown vulnerabilities have become "a serious distraction" for sysadmins trying to apply patches and keep up with new fixes, sharing an HPE article described as "what other sysadmins have done so far, as well as their current plans and long-term strategy, not to mention how to communicate progress to management." Everyone has applied patches. But that sounds ever so simple. Ron, an IT admin, summarizes the situation succinctly: "More like applied, applied another, removed, I think re-applied, I give up, and have no clue where I am anymore." That is, sysadmins are ready to apply patches -- when a patch exists. "I applied the patches for Meltdown but I am still waiting for Spectre patches from manufacturers," explains an IT pro named Nick... Vendors have released, pulled back, re-released, and re-pulled back patches, explains Chase, a network administrator. "Everyone is so concerned by this that they rushed code out without testing it enough, leading to what I've heard referred to as 'speculative reboots'..." The confusion -- and rumored performance hits -- are causing some sysadmins to adopt a "watch carefully" and "wait and see" approach... "The problem is that the patches don't come at no cost in terms of performance. In fact, some patches have warnings about the potential side effects," says Sandra, who recently retired from 30 years of sysadmin work. "Projections of how badly performance will be affected range from 'You won't notice it' to 'significantly impacted.'" Plus, IT staff have to look into whether the patches themselves could break something. They're looking for vulnerabilities and running tests to evaluate how patched systems might break down or be open to other problems. The article concludes that "everyone knows that Spectre and Meltdown patches are just Band-Aids," with some now looking at buying new servers. One university systems engineer says "I would be curious to see what the new performance figures for Intel vs. AMD (vs. ARM?) turn out to be."

Read more of this story at Slashdot.

House Democrats' Counter-Memo Released, Alleging Major Factual Inaccuracies

Long-time Slashdot reader Rei writes: Three weeks ago, on a party-line vote, the U.S. House Intelligence Committee voted to release a memo from committee chair and Trump transition team member Devin Nunes. The "Nunes Memo" alleged missteps by the FBI in seeking a FISA warrant against Trump aide Carter Page; a corresponding Democratic rebuttal memo was first blocked from simultaneous release by the committee, and subsequently the White House. Tonight, it has finally been released. Among its many counterclaims: the Steele Dossier, only received in September, did not initiate surveilance of Page which began in July; the Steele dossier was only one, minor component of the FISA application, and only concerning Page's Moscow meetings; Steele's funding source and termination was disclosed in the application; and a number of other "distortions and misrepresentations that are contradicted by the underlying classified documents". Perhaps most seriously, it accuses Nunes of having never read the FISA application which his memo criticized. Vox argues the memo proves that no one was misled when the surveillance was authorized. "The FBI clearly states right there in the FISA application that they believe Steele was hired to find dirt on Trump... After the Schiff memo was released on Saturday, House Republicans released a document rebutting its core claims. Their response to this damning citation is -- and I am not making this up -- that the vital line in which the FBI discloses the information about Steele was 'buried in a footnote.'"

Read more of this story at Slashdot.

Visa Claims Chip Cards Reduced Fraud By 70%

An anonymous reader quotes Ars Technica: Although only 59 percent of US storefronts have terminals that accept chip cards, fraud has dropped 70 percent from September 2015 to December 2017 for those retailers that have completed the chip upgrade, according to Visa. There are a few ways to interpret those numbers. First, it seems like two years has resulted in staggeringly little progress in encouraging storefronts to shift from magnetic stripe to chip-embedded cards, given that in early 2016, 37 percent of US storefronts were able to process chip cards. On the other hand, fraud dropping 70 percent for retailers who install chip cards seems great. Chip-embedded cards aren't un-hackable, but they do make it harder to steal card numbers en masse as we saw in the Target's 2013 breach.

Read more of this story at Slashdot.

New Tech Industry Lobbying Group Argues 'Right to Repair' Laws Endanger Consumers

chicksdaddy brings this report from Security Ledger: The Security Innovation Center, with backing of powerful tech industry groups, is arguing that letting consumers fix their own devices will empower hackers. The group released a survey last week warning of possible privacy and security risks should consumers have the right to repair their own devices. It counts powerful electronics and software industry organizations like CompTIA, CTIA, TechNet and the Consumer Technology Association as members... In an interview with The Security Ledger, Josh Zecher, the Executive Director of The Security Innovation Center, acknowledged that Security Innovation Center's main purpose is to push back on efforts to pass right to repair laws in the states. He said the group thinks such measures are dangerous, citing the "power of connected products and devices" and the fact that they are often connected to each other and to the Internet via wireless networks. Zecher said that allowing device owners or independent repair professionals to service smart home devices and connected appliances could expose consumer data to hackers or identity thieves... Asked whether Security Innovation Center was opposed to consumers having the right to repair devices they purchased and owned, Zecher said the group did oppose that right on the grounds of security, privacy and safety... "People say 'It's just my washing machine. Why can't I fix it on my own?' But we saw the Mirai botnet attack last year... Those kinds of products in the wrong hands can be used to do bad things."

Read more of this story at Slashdot.

Is Cryptocurrency Threatening Earnings at Bank of America?

An anonymous reader quotes The Next Web: One of the world's largest financial institutions admitted in its annual report that cryptocurrency is a looming threat to its business model. According to a report filed with the SEC by Bank of America, "Clients may choose to conduct business with other market participants who engage in business or offer products in areas we deem speculative or risky, such as cryptocurrencies. Increased competition may negatively affect our earnings by creating pressure to lower prices or credit standards on our products and services requiring additional investment to improve the quality and delivery of our technology and/or reducing our market share, or affecting the willingness of clients to do business with us."

Read more of this story at Slashdot.

Dart 2: Google's Language Rebooted For Web and Mobile Developers

An anonymous reader quotes InfoWorld: Google's Dart language, once positioned a potential replacement for JavaScript in the browser, is being rebooted for client-side web and mobile development in Version 2 of the language. A beta version is now available. Dart 2 features a strengthened type system, a cleaned-up syntax, and a rebuilt developer tool chain. Dart has a succinct syntax and can run on a VM with a just-in-time compiler, with the compiler enabling stateful, hot reload during mobile development. Developers also gain from fast development cycles where code can be edited, compiled, and replaced in apps running on a device. Compiling code ahead of time provides fast startup, Google said. Dart can be compiled to native code for ARM and x86 platforms. Google has used the language to build applications for iOS, Android, and the web.

Read more of this story at Slashdot.

Google's 'Bro Culture' Led To Harassment, Argues New Lawsuit By Software Engineer

An anonymous reader quotes the Mercury News: As a young, female software engineer at male-dominated Google, Loretta Lee was slapped, groped and even had a co-worker pop up from beneath her desk one night and tell her she'd never know what he'd been doing under there, according to a lawsuit filed against the Mountain View tech giant... Lee's lawsuit -- filed in Santa Clara County Superior Court -- alleges the company failed to to protect her, saying, "Google's bro-culture contributed to (Lee's) suffering frequent sexual harassment and gender discrimination, for which Google failed to take corrective action." She was fired in February 2016 for poor performance, according to the suit... Lee started at the company in 2008 in Los Angeles and later switched to the firm's Mountain View campus, according to the suit, which asserts that she "was considered a talented and rising star" who received consistently "excellent" performance reviews. Lee claims that the "severe and pervasive" sexual harassment she experienced included daily abuse and egregious incidents. In addition to making lewd comments to her and ogling her "constantly," Lee's male co-workers spiked her drinks with whiskey and laughed about it; and shot Nerf balls and darts at her "almost every day," the suit alleges. One male colleague sent her a text message asking if she wanted a "horizontal hug," while another showed up at her apartment with a bottle of liquor, offering to help her fix a problem with one of her devices, refusing to leave when she asked him to, she alleges. At a holiday party, Lee "was slapped in the face by an intoxicated male co-worker for no apparent reason," according to the suit. Lee resisted reporting an employee who had grabbed her lanyard and grazed her breasts -- and was then written up for being uncooperative. But after filing a report, "HR found her claims 'unsubstantiated,' according to the suit. 'This emboldened her colleagues to continue their inappropriate behavior,' the suit says. "Her fear of being ostracized was realized, she claims, with co-workers refusing to approve her code in spite of her diligent work on it. Not getting her code approved led to her being 'labeled as a poor performer,' the suit says."

Read more of this story at Slashdot.

Bitcoin Exchange Accidentally Allowed Customers To Buy Coins For $0

AmiMoJo writes: "A system glitch at cryptocurrency exchange site Zaif enabled users to obtain digital money for free, with one apparently "purchasing" Bitcoin valued at $20,000,000,000,000 and then attempting to cash in on it..." according to the Japanese newspaper Asahi Shimbun. "The glitch, which lasted for 18 minutes from 5:40 p.m. to 5:58 p.m. on Feb. 16, affected Zaif's price calculation system, enabling customers to buy cryptocurrencies for nothing." CoinDesk adds that "At least one customer attempted to resell their bitcoin, but the large amount of the cryptocurrency offered soon drew attention even outside the exchange. The firm later cancelled the transactions and corrected the users' balances. However, a source suggests that the correction is still being agreed with one of the seven users who attempted to transfer the free bitcoin away from the Zaif platform."

Read more of this story at Slashdot.

GitHub Drops Support for Weak Cryptographies, Adds Emojis for Labels

An anonymous reader writes: GitHub has quietly made a few changes this month. Labels for issues and pull requests will now also support emojis and on-hover descriptions. And they're also deprecating the anonymous creation of "gist" code snippets on March 19th, since "as the only way to create anonymous content on GitHub, they also see a large volume of spam." Current anonymous gists will remain accessible. But the biggest change involves permanently removing support for three weak cryptographic standards, both on github.com and api.github.com. The three weak cryptography standards that are no longer supported are: TLSv1/TLSv1.1. "This applies to all HTTPS connections, including web, API, and Git connections to https://github.com and https://api.github.com." diffie-hellman-group1-sha1. "This applies to all SSH connections to github.com." diffie-hellman-group14-sha1. "This applies to all SSH connections to github.com."

Read more of this story at Slashdot.

Signal, WhatsApp Co-Founder Launch 'Open Source Privacy Technology' Nonprofit

An anonymous reader quotes The New Web:One of the first messaging services to offer end-to-end encryption for truly private conversations, Signal has largely been developed by a team that's never grown larger than three full-time developers over the years it's been around. Now, it's getting a shot in the arm from the co-founder of a rival app. Brian Acton, who built WhatsApp with Jan Koum into a $19 billion business and sold it to Facebook, is pouring $50 million into an initiative to support the ongoing development of Signal. Having left WhatsApp last fall, he's now free to explore projects whose ideals he agrees with, and that includes creating truly private online services. "Starting with an initial $50,000,000 in funding, we can now increase the size of our team, our capacity, and our ambitions," wrote Signal founder Moxie Marlinspike (a former Twitter executive). Acton will now also serve as the executive chairman of the newly-formed Signal Foundation, which according to its web site will "develop open source privacy technology that protects free expression and enables secure global communication."

Read more of this story at Slashdot.

Two More 'SWAT' Calls in California -- One Involving a 12-Year-Old Gamer

In January an online gamer in California was arrested after at leat 20 fake emergency calls to police, one leading to a fatal shooting in Kansas. But this week in California there's been at least two more fake calls: A 12-year-old gamer heard a knock at his door Sunday -- which turned out to be "teams of Los Angeles police officers and other rescue personnel who believed two people had just hung themselves." The Los Angeles Police Department "said there's no way to initially discern swatting calls from actually emergencies, so they handle every scenario as if someone's life is in danger," according to the Los Angeles Times. The seventh-grader described it as "the most terrifying thing in my life." 36-year-old David Pearce has been arrested for falsely reporting an emergency at a Beverly Hills hotel involving "men with guns" holding him hostage. A local police captain later said that the people in the room had not made the call and in fact might have been asleep through much of the emergency. The Los Angeles Times reports that there's roughly 400 'SWATting' cases each year, according to FBI estimates, adding that "Some experts have said police agencies need to take the phenomenon more seriously and provide formal training to dispatchers and others to better recognize hoax callers." Meanwhile, in the wake of a fatal shooting in Wichita, Kansas lawmakers have passed a new bipartisan bill increasing the penalties for SWAT calls. If a fake call results in a fatality -- and the caller intentionally masks their identity -- it's the equivalent of second-degree murder. "The caller must be held accountable," one lawmaker told the Topeka Capital-Journal.

Read more of this story at Slashdot.

'Computer History Museum' Honorees Include Python Creator Guido van Rossum

On Wednesday the Computer History Museum, "the world's leading institution exploring the history of computing and its transformational impact on society," proudly announced the three Fellow Award honorees for 2018: Dov Frohman-Bentchkowsky -- "For the invention of the first commercial erasable programmable read-only memory (EPROM), which enabled rapid development of microprocessor-based systems." Dame Stephanie Shirley CH -- "For a lifetime of entrepreneurship promoting the growth of the UK software industry and the advancement of women in computing." Guido van Rossum -- "For the creation and evolution of the Python programming language, and for leadership of its community." "We are delighted to induct these outstanding new Fellows with diverse contributions in hardware, in services, and in software," said Len Shustek, the Museum's board chairman. "They are true heroes of the Digital Age."

Read more of this story at Slashdot.

BuzzFeed Unmasks Mastermind Who Urged Peter Thiel To Destroy Gawker

One day in 2011 a 26-year-old approached Peter Thiel and said "Look, I think if we datamined Gawker's history, we could find weak points that we could exploit in the court of law," according to the author of a new book. An anonymous reader quotes BuzzFeed News: Peter Thiel's campaign to ruin Gawker Media was conceived and orchestrated by a previously unknown associate who served as a middleman, allowing the billionaire to conceal his involvement in the bankrolling of lawsuits that eventually drove the New York media outlet into bankruptcy. BuzzFeed News has confirmed the identity of that mystery conspirator, known in Thiel's inner circle as "Mr. A," with multiple sources who said that he provided the venture capitalist and Facebook board member with a blueprint to covertly attack Gawker in court. That man, an Oxford-educated Australian citizen named Aron D'Souza, has few known connections to Thiel, but approached him in 2011 with an elaborate proposal to use a legal strategy to wipe out the media organization. That plot ultimately succeeded... D'Souza was aware of Thiel's public comments likening Valleywag to al-Qaeda, and presented a brazen idea: Pay someone or create a company to hire lawyers to go after Gawker. TechCrunch reported earlier this month that Gawker's old posts "will be captured and saved by the non-profit Freedom of the Press Foundation," which was co-founded in 2012 by the late John Perry Barlow. But in addition, the Gawker estate "continues to threaten possible legal action against Thiel, and hopes to begin discovery to examine the billionaire's motivations for secretly funding his legal war," the article concludes. If a New York bankruptcy court approves, and if the process "unearths anything of meaning, the estate may have grounds to sue Thiel on the grounds of tortious interference, the use of legal means to purposely disrupt a business. "To head that off, Thiel bid for the remaining Gawker assets -- including the flapship domain Gawker.com, its archive, and outstanding legal claims, like those against himself -- though Holden has made it known that he may block any sale to Thiel, no matter how much the venture capitalist is willing to bid."

Read more of this story at Slashdot.

Japanese Scientists Invent Floating 'Firefly' Light

An anonymous reader quotes a report from Reuters: Japanese engineering researchers say they have created a tiny electronic light the size of a firefly which rides waves of ultrasound, and could eventually figure in applications ranging from moving displays to projection mapping. Named Luciola for its resemblance to the firefly, the featherweight levitating particle weighs 16.2 mg, has a diameter of 3.5 mm (0.14 inch), and emits a red glimmer that can just about illuminate text. But its minuscule size belies the power of the 285 microspeakers emitting ultrasonic waves that hold up the light, and have a frequency inaudible to the human ear, allowing Luciola to operate in apparent total silence. It took two years for Luciola to get this far, said circuit design specialist Makoto Takamiya, a member of the Kawahara Universal Information Network Project that developed the device. The developers expect Luciola to find applications in the so-called Internet of Things, in which regular objects, such as cars, or domestic appliances such as air-conditioners, are connected to networks to send and receive data. Equipped with movement or temperature sensors, Luciola could fly to such objects to deliver a message or help to make moving displays with multiple lights that can detect the presence of humans, or participate in futuristic projection mapping events.

Read more of this story at Slashdot.

NRA Gives Ajit Pai 'Courage Award' and Gun For 'Saving the Internet'

The National Rifle Association (NRA) today gave its Charlton Heston Courage Under Fire Award to Ajit Pai, chairman of the Federal Communications Commission. "Pai was about to speak at the Conservative Political Action Conference (CPAC) in Maryland when the award presentation seemed to catch him by surprise," reports Ars Technica. "The award is a handmade long gun that could not be brought on stage, so it will be housed in the NRA museum until Pai can receive it." From the report: "Ajit Pai, as you probably already know, saved the Internet," American Conservative Union (ACU) Executive Director Dan Schneider told the audience. The ACU is the host of CPAC; Schneider made a few more remarks praising Pai before handing the award presentation over to NRA board member Carolyn Meadows. Pai "fought to preserve your free speech rights" as a member of the FCC's Republican minority during the Obama administration, Schneider said. Pai "fought and won against all odds, but the Obama administration had some curveballs and they implemented these regulations to take over the Internet." "As soon as President Trump came into office, President Trump asked Ajit Pai to liberate the Internet and give it back to you," Schneider added. "Ajit Pai is the most courageous, heroic person that I know." The signature achievement that helped Pai win the NRA courage award came in December when the FCC voted to eliminate net neutrality rules. The rules, which are technically still on the books for a while longer, prohibited Internet service providers from blocking and throttling lawful Internet traffic and from charging online services for prioritization. Schneider did not explain how eliminating net neutrality rules preserved anyone's "free speech rights." Right Wing Watch posted a video of the ceremony.

Read more of this story at Slashdot.

Ask Slashdot: Software To Visualize, Manage Homeowner's Association Projects?

New submitter jishak writes: I am a long time Slashdot reader who has been serving on an homeowner association (HOA) board for 7 years. Much of the job requires managing projects that happen around the community. For example, landscaping, plumbing, building maintenance, etc. Pretty much all the vendors work with paper or a management company scans the paper, giving us a digital version. I am looking for suggestions on tools to visualize and manage projects using maps/geolocation software to see where jobs are happening and track work, if that makes sense. I did a rudimentary search but didn't really find anything other than a couple of companies who make map software which is good for placing static items like a building on a map but not for ongoing work. There are tools like Visio or Autodesk, which are expensive and good for a single building, but they don't seem so practical for an entire community of 80 units with very little funds (I am a volunteer board member). The other software packages I have seen are more like general project management or CRM tools but they are of no use to track where trees are planted, which units have had termite inspections, etc. I am looking for tools where I could see a map and add custom layers for different projects that can be enabled/disabled or show historical changes. If it is web based and can be shared for use among other board members, property managers, and vendors, or viewable on a phone or tablet, that would be a plus. I am not sure how to proceed and a quick search on Slashdot didn't really turn anything up. I can't be the first person to encounter this type of problem. Readers of Slashdot what do you recommend? If I go down the road of having to roll my own solution, can you offer ideas on how to implement it? I am open to suggestions.

Read more of this story at Slashdot.

Dropbox Files To Go Public

Ten years after its launch, Dropbox has filed to go public. The cloud storage company has been around since 2007 and has raised more than $600 million in funding. TechCrunch reports: We knew that it had already filed confidentially, but the company has now unveiled its filing, meaning the actual IPO is likely very soon, probably late March. The company says it will be targeting a $500 million fundraise, but this number is usually just a placeholder. The filing shows that Dropbox had $1.1 billion in revenue last year. This compares to $845 million in revenue the year before and $604 million for 2015. The company is not yet profitable, having lost nearly $112 million last year. This shows significantly improved margins when compared to losses of $210 million for 2016 and $326 million for 2015. Dropbox has been cash flow positive since 2016.

Read more of this story at Slashdot.

Tesla Will Supply Free Charging Stations To Office Parking Lots

Tesla has unveiled a new "workplace charging" program today, which offers businesses free Tesla wall connectors and will also cover installation, provided they meet certain qualifications set forth by the California carmaker. "Tesla won't cover the cost of operating the charging stations, and the company says there could be other permitting, construction, zoning, or labor costs," reports The Verge. From the report: The workplace charging stations will be compatible with all Tesla cars, but not with other EVs, and they won't show up on publicly available Tesla charging maps. The wall chargers are 240 volts, or "Level 2," which is capable of topping off a battery pack in a handful of hours, though the company says the charge rate will vary by location depending on the infrastructure available.

Read more of this story at Slashdot.

How a Fight Over Star Wars Download Codes Could Reshape Copyright Law

An anonymous reader quotes a report from Ars Technica: A federal judge in California has rejected Disney's effort to stop Redbox from reselling download codes of popular Disney titles like Frozen, Beauty and the Beast, and the latest Star Wars movies. Judge Dean Pregerson's Tuesday ruling invoked the little-used doctrine of copyright misuse, which holds that a copyright holder loses the right to enforce a copyright if the copyright is being abused. Pregerson faulted Disney for tying digital download codes to physical ownership of discs, a practice that he argued ran afoul of copyright's first sale doctrine, which guarantees customers the right to resell used DVDs. If the ruling were upheld on appeal, it would have sweeping implications. It could potentially force Hollywood studios to stop bundling digital download codes with physical DVDs and force video game companies to rethink their own practices. But James Grimmelmann, a copyright scholar at Cornell Law School, is skeptical that the ruling will survive an inevitable appeal from Disney. "I don't see this one sticking," Grimmelmann told Ars. Copyright misuse has such sweeping legal implications that an appeals court will be reluctant to apply it to a common movie industry practice.

Read more of this story at Slashdot.

Apple Devices At California Repair Center Keep Calling 911

Since October 2017, Apple has made around 1,600 false alarm 911 calls from a distribution site in Elk Grove. "We've been seeing these calls for the last four months from Apple," said police dispatcher Jamie Hudson. "We're able to see quickly where the call is coming from, so when we get one from Apple, the address will come up with their location." CBS Sacramento reports: On average, Elk Grove Police say they've received 20 accidental 911 calls a day from Apple, roughly 1,600 calls since October. Hudson says the calls take valuable seconds away from calls that could be real life-and-death emergencies. "The times when it's greatly impacting us is when we have other emergencies happening and we may have a dispatcher on another 911 call that may have to put that call on hold to triage the incoming call," he said. The calls are all coming from an Apple repair and refurbishing center off Laguna Boulevard. The Sacramento County Sheriff's Department Communication Center is also getting these calls -- 47 since January 1. Dispatchers there say they sometimes hear technicians working in the background. Apple hasn't confirmed which of their devices is actually causing these calls: the iPhone or Apple watch, but both devices can be triggered easily. With just a touch of a button, SOS comes on and 911 is called.

Read more of this story at Slashdot.

Pages