×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

RCMP Arrest Canadian Teen For Heartbleed Exploit

timothy posted 1 hour ago | from the they-got-their-man dept.

45

According to PC Mag, a "19-year-old Canadian was arrested on Tuesday for his alleged role in the breach of the Canada Revenue Agency (CRA) website, the first known arrest for exploiting the Heartbleed bug. Stephen Arthuro Solis-Reyes (pictured) of London, Ontario faces one count of Unauthorized Use of Computer and one count of Mischief in Relation to Data." That exploit led to a deadline extension for some Canadian taxpayers in getting in their returns this year. The Register has the story as well. The Montreal Gazette has some pointed questions about how much the Canadian tax authorities knew about the breach, and when.

Switching From Sitting To Standing At Your Desk

samzenpus posted 3 hours ago | from the throw-away-the-tuffet dept.

122

Hugh Pickens DOT Com (2995471) writes "Chris Bowlby reports at BBC that medical research has been building up for a while now, suggesting constant sitting is harming our health — potentially causing cardiovascular problems or vulnerability to diabetes. Advocates of sit-stand desks say more standing would benefit not only health, but also workers' energy and creativity. Some big organizations and companies are beginning to look seriously at reducing 'prolonged sitting' among office workers. 'It's becoming more well known that long periods of sedentary behavior has an adverse effect on health,' says GE engineer Jonathan McGregor, 'so we're looking at bringing in standing desks.' The whole concept of sitting as the norm in workplaces is a recent innovation, points out Jeremy Myerson, professor of design at the Royal College of Art. 'If you look at the late 19th Century,' he says, Victorian clerks could stand at their desks and 'moved around a lot more'. 'It's possible to look back at the industrial office of the past 100 years or so as some kind of weird aberration in a 1,000-year continuum of work where we've always moved around.' What changed things in the 20th Century was 'Taylorism' — time and motion studies applied to office work. 'It's much easier to supervise and control people when they're sitting down,' says Myerson. What might finally change things is if the evidence becomes overwhelming, the health costs rise, and stopping employees from sitting too much becomes part of an employer's legal duty of care. 'If what we are creating are environments where people are not going to be terribly healthy and are suffering from diseases like cardiovascular disease and diabetes,' says Prof Alexi Marmot, a specialist on workplace design, 'it's highly unlikely the organization benefits in any way.'"

Ask Slashdot: System Administrator Vs Change Advisory Board

samzenpus posted 6 hours ago | from the get-along dept.

200

thundergeek (808819) writes "I am the sole sysadmin for nearly 50 servers (win/linux) across several contracts. Now a Change Advisory Board (CAB) is wanting to manage every patch that will be installed on the OS and approve/disapprove for testing on the development network. Once tested and verified, all changes will then need to be approved for production. Windows servers aren't always the best for informing admin exactly what is being 'patched' on the OS, and the frequency of updates will make my efficiency take a nose dive. Now I'll have to track each KB, RHSA, directives and any other 3rd party updates, submit a lengthy report outlining each patch being applied, and then sit back and wait for approval. What should I use/do to track what I will be installing? Is there already a product out there that will make my life a little less stressful on the admin side? Does anyone else have to go toe-to-toe with a CAB? How do you handle your patch approval process?"

How 'DevOps' Is Killing the Developer

Soulskill posted yesterday | from the in-the-server-room-with-the-lamp-stack dept.

209

An anonymous reader writes "Python guru Jeff Knupp writes about his frustration with the so-called 'DevOps' movement, an effort to blend development jobs with operations positions. It's an artifact of startup culture, and while it might make sense when you only have a few employees and a focus on simply getting it running rather than getting it running right, Knupp feels it has no place in bigger, more established companies. He says, 'Somewhere along the way, however, we tricked ourselves into thinking that because, at any one time, a start-up developer had to take on different roles he or she should actually be all those things at once. If such people even existed, "full-stack" developers still wouldn't be used as they should. Rather than temporarily taking on a single role for a short period of time, then transitioning into the next role, they are meant to be performing all the roles, all the time. And here's what really sucks: most good developers can almost pull this off.' Knupp adds, 'The effect of all of this is to destroy the role of "developer" and replace it with a sort of "technology utility-player". Every developer I know got into programming because they actually enjoyed doing it (at one point). You do a disservice to everyone involved when you force your brightest people to take on additional roles.'"

How Does Heartbleed Alter the 'Open Source Is Safer' Discussion?

Soulskill posted 2 days ago | from the or-at-least-marginally-less-unsafe dept.

532

jammag writes: "Heartbleed has dealt a blow to the image of free and open source software. In the self-mythology of FOSS, bugs like Heartbleed aren't supposed to happen when the source code is freely available and being worked with daily. As Eric Raymond famously said, 'given enough eyeballs, all bugs are shallow.' Many users of proprietary software, tired of FOSS's continual claims of superior security, welcome the idea that Heartbleed has punctured FOSS's pretensions. But is that what has happened?"

Lack of US Cybersecurity Across the Electric Grid

Soulskill posted 2 days ago | from the asking-for-trouble dept.

93

Lasrick writes: "Meghan McGuinness of the Bipartisan Policy Center writes about the Electric Grid Cybersecurity Initiative, a collaborative effort between the center's Energy and Homeland Security Projects. She points out that over half the attacks on U.S. critical infrastructure sectors last year were on the energy sector. Cyber attacks could come from a variety of sources, and 'a large-scale cyber attack or combined cyber and physical attack could lead to enormous costs, potentially triggering sustained power outages over large portions of the electric grid and prolonged disruptions in communications, food and water supplies, and health care delivery.' ECGI is recommending the creation of a new, industry-supported model that would create incentives for the continual improvement and adaptation needed to respond effectively to rapidly evolving cyber threats. The vulnerability of the grid has been much discussed this last week; McGuinness's recommendations are a good place to start."

Snowden Used the Linux Distro Designed For Internet Anonymity

Soulskill posted 2 days ago | from the NSA-can't-make-heads-or-something-of-it dept.

166

Hugh Pickens DOT Com writes: "When Edward Snowden first emailed Glenn Greenwald, he insisted on using email encryption software called PGP for all communications. Now Klint Finley reports that Snowden also used The Amnesic Incognito Live System (Tails) to keep his communications out of the NSA's prying eyes. Tails is a kind of computer-in-a-box using a version of the Linux operating system optimized for anonymity that you install on a DVD or USB drive, boot your computer from and you're pretty close to anonymous on the internet. 'Snowden, Greenwald and their collaborator, documentary film maker Laura Poitras, used it because, by design, Tails doesn't store any data locally,' writes Finley. 'This makes it virtually immune to malicious software, and prevents someone from performing effective forensics on the computer after the fact. That protects both the journalists, and often more importantly, their sources.'

The developers of Tails are, appropriately, anonymous. They're protecting their identities, in part, to help protect the code from government interference. 'The NSA has been pressuring free software projects and developers in various ways,' the group says. But since we don't know who wrote Tails, how do we know it isn't some government plot designed to snare activists or criminals? A couple of ways, actually. One of the Snowden leaks show the NSA complaining about Tails in a Power Point Slide; if it's bad for the NSA, it's safe to say it's good for privacy. And all of the Tails code is open source, so it can be inspected by anyone worried about foul play. 'With Tails,' say the distro developers, 'we provide a tongue and a pen protected by state-of-the-art cryptography to guarantee basic human rights and allow journalists worldwide to work and communicate freely and without fear of reprisal.'"

The Security of Popular Programming Languages

Soulskill posted 2 days ago | from the new-ways-to-argue-about-your-favorite-language dept.

183

An anonymous reader writes "Deciding which programming language to use is often based on considerations such as what the development team is most familiar with, what will generate code the fastest, or simply what will get the job done. How secure the language might be is simply an afterthought, which is usually too late. A new WhiteHat Security report approaches application security not from the standpoint of what risks exist on sites and applications once they have been pushed into production, but rather by examining how the languages themselves perform in the field. In doing so, we hope to elevate security considerations and deepen those conversations earlier in the decision process, which will ultimately lead to more secure websites and applications."

OpenBSD Team Cleaning Up OpenSSL

timothy posted 2 days ago | from the devil-you-say dept.

284

First time accepted submitter Iarwain Ben-adar (2393286) writes "The OpenBSD has started a cleanup of their in-tree OpenSSL library. Improvements include removing "exploit mitigation countermeasures", fixing bugs, removal of questionable entropy additions, and many more. If you support the effort of these guys who are responsible for the venerable OpenSSH library, consider a donation to the OpenBSD Foundation. Maybe someday we'll see a 'portable' version of this new OpenSSL fork. Or not."

Microsoft Confirms It Is Dropping Windows 8.1 Support

Unknown Lamer posted 2 days ago | from the little-orphan-windows dept.

565

snydeq (1272828) writes "Microsoft TechNet blog makes clear that Windows 8.1 will not be patched, and that users must get Windows 8.1 Update if they want security patches, InfoWorld's Woody Leonhard reports. 'In what is surely the most customer-antagonistic move of the new Windows regime, Steve Thomas at Microsoft posted a TechNet article on Saturday stating categorically that Microsoft will no longer issue security patches for Windows 8.1, starting in May,' Leonhard writes. 'Never mind that Windows 8.1 customers are still having multiple problems with errors when trying to install the Update. At this point, there are 300 posts on the Microsoft Answers forum thread 'Windows 8.1 Update 1 Failing to Install with errors 0x80070020, 80073712 and 800F081F.' The Answers forum is peppered with similar complaints and a wide range of errors, from 800F0092 to 80070003, for which there are no solutions from Microsoft. Never mind that Microsoft itself yanked Windows 8.1 Update from the corporate WSUS update server chute almost a week ago and still hasn't offered a replacement.'"

First Phase of TrueCrypt Audit Turns Up No Backdoors

Unknown Lamer posted 2 days ago | from the only-slightly-insecure dept.

171

msm1267 (2804139) writes "A initial audit of the popular open source encryption software TrueCrypt turned up fewer than a dozen vulnerabilities, none of which so far point toward a backdoor surreptitiously inserted into the codebase. A report on the first phase of the audit was released today (PDF) by iSEC Partners, which was contracted by the Open Crypto Audit Project (OCAP), a grassroots effort that not only conducted a successful fundraising effort to initiate the audit, but raised important questions about the integrity of the software.

The first phase of the audit focused on the TrueCrypt bootloader and Windows kernel driver; architecture and code reviews were performed, as well as penetration tests including fuzzing interfaces, said Kenneth White, senior security engineer at Social & Scientific Systems. The second phase of the audit will look at whether the various encryption cipher suites, random number generators and critical key algorithms have been implemented correctly."

Heartbleed Disclosure Timeline Revealed

samzenpus posted 2 days ago | from the when-did-you-know dept.

62

bennyboy64 (1437419) writes "Ever since the Heartbleed flaw in OpenSSL was made public there have been various questions about who knew what and when. The Sydney Morning Herald has done some analysis of public mailing lists and talked to those involved with disclosing the bug to get the bottom of it. The newspaper finds that Google discovered Heartbleed on or before March 21 and notified OpenSSL on April 1. Other key dates include Finnish security testing firm Codenomicon discovering the flaw independently of Google at 23:30 PDT, April 3. SuSE, Debian, FreeBSD and AltLinux all got a heads up from Red Hat about the flaw in the early hours of April 7 — a few hours before it was made public. Ubuntu, Gentoo and Chromium attempted to get a heads up by responding to an email with few details about it but didn't, as the guy at Red Hat sending the disclosure messages out in India went to bed. By the time he woke up, Codenomicon had reported the bug to OpenSSL."

Bachelor's Degree: An Unnecessary Path To a Tech Job

samzenpus posted 3 days ago | from the just-a-piece-of-paper dept.

286

dcblogs (1096431) writes "A study of New York City's tech workforce found that 44% of jobs in the city's 'tech ecosystem,' or 128,000 jobs, 'are accessible' to people without a Bachelor's degree. This eco-system includes both tech specific jobs and those jobs supported by tech. For instance, a technology specific job that doesn't require a Bachelor's degree might be a computer user support specialist, earning $28.80 an hour, according to this study. Tech industry jobs that do not require a four-year degree and may only need on-the-job training include customer services representatives, at $18.50 an hour, telecom line installer, $37.60 an hour, and sales representatives, $33.60 an hour. The study did not look at 'who is actually sitting in those jobs and whether people are under-employed,' said Kate Wittels, a director at HR&A Advisors, a real-estate and economic-development consulting firm, and report author.. Many people in the 'accessible' non-degree jobs may indeed have degrees. For instance. About 75% of the 25 employees who work at New York Computer Help in Manhattan have a Bachelor's degree. Of those with Bachelor's degrees, about half have IT-related degrees."

Akamai Reissues All SSL Certificates After Admitting Heartbleed Patch Was Faulty

samzenpus posted 3 days ago | from the try-it-again dept.

56

SpacemanukBEJY.53u (3309653) writes "It took security researcher Willem Pinckaers all of 15 minutes to spot a flaw in code created by Akamai that the company thought shielded most of its users from one of the pernicious aspects of the Heartbleed flaw in OpenSSL. More than a decade ago, Akamai modified parts of OpenSSL it felt were weak related to key storage. Akamai CTO Andy Ellis wrote last week that the modification protected most customers from having their private SSL stolen despite the Heartbleed bug. But on Sunday Ellis wrote Akamai was wrong after Pinckaers found several flaws in the code. Akamai is now reissuing all SSL certificates and keys to its customers."

Private Keys Stolen Within Hours From Heartbleed OpenSSL Site

samzenpus posted 3 days ago | from the that-didn't-take-long dept.

151

Billly Gates (198444) writes "It was reported when heartbleed was discovered that only passwords would be at risk and private keys were still safe. Not anymore. Cloudfare launched the heartbleed challenge on a new server with the openSSL vulnerability and offered a prize to whoever could gain the private keys. Within hours several researchers and a hacker got in and got the private signing keys. Expect many forged certificates and other login attempts to banks and other popular websites in the coming weeks unless the browser makers and CA's revoke all the old keys and certificates."

US Takes Out Gang That Used Zeus Malware To Steal Millions

samzenpus posted 4 days ago | from the book-em-danno! dept.

38

coondoggie (973519) writes "The US Department of Justice charged nine members of a group that used Zeus malware to infect thousands of business computers and illegally siphon-off millions of dollars into over-seas bank accounts. The DoJ said an indictment was unsealed in connection with the arraignment this week at the federal courthouse in Lincoln, Neb., of two Ukrainian nationals, Yuriy Konovalenko, 31, and Yevhen Kulibaba, 36. Konovalenko and Kulibaba were recently extradited from the United Kingdom."

Obama Says He May Or May Not Let the NSA Exploit the Next Heartbleed

Soulskill posted 4 days ago | from the thanks-for-providing-zero-clarity dept.

134

An anonymous reader writes "The White House has joined the public debate about Heartbleed. The administration denied any prior knowledge of Heartbleed, and said the NSA should reveal such flaws once discovered. Unfortunately, this statement was hedged. The NSA should reveal these flaws unless 'a clear national security or law enforcement need' exists. Since that can be construed to apply to virtually any situation, we're left with the same dilemma as before: do we take them at their word or not? The use of such an exploit is certainly not without precedent: 'The NSA made use of four "zero day" vulnerabilities in its attack on Iran's nuclear enrichment sites. That operation, code-named "Olympic Games," managed to damage roughly 1,000 Iranian centrifuges, and by some accounts helped drive the country to the negotiating table.' A senior White House official is quoted saying, 'I can't imagine the president — any president — entirely giving up a technology that might enable him some day to take a covert action that could avoid a shooting war.'" Side note: CloudFlare has named several winners in its challenge to prove it was possible to steal private keys using the Heartbleed exploit.

Linux 3.15 Will Suspend & Resume Much Faster

Soulskill posted 4 days ago | from the cutting-into-my-foot-tapping-time dept.

116

An anonymous reader writes "The Linux 3.15 kernel now in its early life will be able to suspend and resume much faster than previous versions of the Linux kernel. A few days ago we saw ACPI and Power Management updates that enable asynchronous threads for more suspend and resume callbacks. Carrying out more async operations leads to reduced time for the system suspend and then resuming. According to one developer, it was about an 80% time savings within one of the phases. On Friday, work was merged that ensured the kernel is no longer blocked by waiting for ATA devices to resume. Multiple ATA devices can be woken up simultaneously, and any ATA commands for the device(s) will be queued until they have powered up. According to an 01.org blog post on the ATA/SCSI resume optimization patches, when tested on three Intel Linux systems the resume time was between 7x and 12x faster (not including the latest ACPI/PM S&R optimizations)."

Wi-Fi Problems Dog Apple-Samsung Trial

timothy posted 5 days ago | from the it's-the-little-things dept.

80

alphadogg (971356) writes "There's a new sign on the door to Courtroom 5 at the federal courthouse in San Jose, the home to the Apple v. Samsung battle that's playing out this month: 'Please turn off all cell phones.' For a trial that centers on smartphones and the technology they use, it's more than a little ironic. The entire case might not even be taking place if the market wasn't so big and important, but the constant need for connectivity of everyone is causing problems in the court, hence the new sign. The problems have centered on the system that displays the court reporter's real-time transcription onto monitors on the desks of Judge Lucy Koh, the presiding judge in the case, and the lawyers of Apple and Samsung. The system, it seems, is connected via Wi-Fi and that connection keeps failing."

GM Names Names, Suspends Two Engineers Over Ignition-Switch Safety

timothy posted 5 days ago | from the laying-blame dept.

236

cartechboy (2660665) writes "GM said it has placed two engineers on paid leave in connection with its massive recall probe of 2 million vehicles. Now, GM is asking NASA to advise on whether those cars are safe to drive even with the ignition key alone. Significantly, individual engineers now have their names in print and face a raft of inquiries what they did or didn't know, did or didn't do, and when. A vulnerability for GM: One engineer may have tried to re-engineer the faulty ignition switch without changing the part number—an unheard-of practice in the industry. Is it a good thing that people who engineer for a living can now get their names on national news for parts designed 10 years ago? The next time your mail goes down, should we know the name of the guy whose code flaw may have caused that?"

Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...