
Security Company Tries To Hide Flaws By Threatening Infringement Suit

Soulskill posted 7 hours ago | from the because-that-always-ends-well dept.

Encryption 57

An anonymous reader writes: An RFID-based access control system called IClass is used across the globe to provide physical access controls. This system relies on cryptography to secure communications between a tag and a reader. Since 2010, several academic papers have been released which expose the cryptographic insecurity of the IClass system. Based on these papers, Martin Holst Swende implemented the IClass ciphers in a software library, which he released under the GNU General Public License.

The library is useful to experiment with and determine the security level of an access control system (that you own or have explicit consent to study). However, last Friday, Swende received an email from INSIDE Secure, which notified him of (potential) intellectual property infringement, warning him off distributing the library under threat of "infringement action." Interestingly, it seems this is not the first time HID Global has exerted legal pressure to suppress information.

China Staging a Nationwide Attack On iCloud and Microsoft Accounts

Soulskill posted 12 hours ago | from the secure-browsing-advised dept.

China 83

New submitter DemonOnIce writes: According to The Verge and an original report from the site that monitors China's Great Firewall activity, China is conducting a large-scale attack on iCloud and Microsoft accounts using its government firewall software. Chinese users may be facing an unpleasant surprise as they are directed to a dummy site designed to look like an Apple login page (or a Microsoft one, as appropriate).

GNU Emacs 24.4 Released Today

timothy posted 13 hours ago | from the please-have-more-than-8-megs-of-RAM dept.

Software 111

New submitter Shade writes Well over one and a half years in the works, the latest and greatest release of GNU Emacs was made officially available today. Highlights of this release include a built-in web browser, improved multi-monitor and fullscreen support, "electric" indentation enabled by default, support for saving and restoring the state of frames and windows, pixel-based resizing for frames and windows, support for digitally signed ELisp packages, support for menus in text terminals, and much more. Read the official announcement and the full list of changes for more information.

More Eye Candy Coming To Windows 10

timothy posted yesterday | from the sincere-flattery dept.

Operating Systems 174

jones_supa writes Microsoft is expected to release a new build of the Windows 10 Technical Preview in the very near future, according to their own words. The only build so far to be released to the public is 9841 but the next iteration will likely be in the 9860 class of releases. With this new build, Microsoft has polished up the animations that give the OS a more comprehensive feel. When you open a new window, it flies out on to the screen from the icon and when you minimize it, it collapses back in to the icon on the taskbar. It is a slick animation and if you have used OS X, it is similar to the one used to collapse windows back in to the dock. Bah.

'Endrun' Networks: Help In Danger Zones

timothy posted yesterday | from the pinging-mr-bourne-mr-jason-bourne dept.

Encryption 27

kierny writes Drawing on networking protocols designed to support NASA's interplanetary missions, two information security researchers have created a networking system that's designed to transmit information securely and reliably in even the worst conditions. Dubbed Endrun, and debuted at Black Hat Europe, its creators hope the delay-tolerant and disruption-tolerant system — which runs on Raspberry Pi — could be deployed everywhere from Ebola hot zones in Liberia, to war zones in Syria, to demonstrations in Ferguson.

Developers, IT Still Racking Up (Mostly) High Salaries

timothy posted yesterday | from the money-goes-further-if-you-live-in-omaha dept.

The Almighty Buck 170

Nerval's Lobster (2598977) writes Software development and IT remain common jobs among those in the higher brackets, although not the topmost one, according to a new study (with graph) commissioned by NPR. Among those earning between $58,000 and $72,000, IT was the sixth-most-popular job, while software developers came in tenth place. In the next bracket up (earning between $72,000 and $103,000), IT rose to third, with software development just behind in fourth place. As incomes increased another level ($103,000 to $207,000), software developers did even better, coming in second behind managers, although IT dropped off the list entirely. In the top percentile ($207,000 and above), neither software developers nor IT staff managed to place; this is a segment chiefly occupied by physicians (in first place), managers, chief executives, lawyers, and salespeople who are really good at their jobs. In other words, it seems like a good time to be in IT, provided you have a particular skillset. If those high salaries are in Silicon Valley or New York, though, they might not seem as high as half the same rate would in Omaha, or Houston, or Raleigh.

Ask Slashdot: Good Hosting Service For a Parody Site?

timothy posted 2 days ago | from the just-keep-backups dept.

The Internet 113

An anonymous reader writes "Ok, bear with me now. I know this is not PC Mag 2014 review of hosting services. I am thinking of getting a parody website up. I am mildly concerned about potential reaction of the parodee, who has been known to be a little heavy handed when it comes to things like that. In short, I want to make sure that the hosting company won't flake out just because of potential complaints. I checked some companies and their TOS and AUPs all seem to have weird-ass restrictions (Arvixe, for example, has a list of unacceptable material that happens to list RPGs and MUDS). I live in U.S.; parodee in Poland. What would you recommend?"

iFixit Tears Apart Apple's Shiny New Retina iMac

timothy posted 2 days ago | from the good-work-if-you-can-get-it dept.

Desktops (Apple) 106

iFixit gives the new Retina iMac a score of 5 (out of 10) for repairability, and says that the new all-in-one is very little changed internally from the system (non-Retina) it succeeds. A few discoveries along the way: The new model "retains the familiar, easily accessible RAM upgrade slot from iMacs of yore"; the display panel (the one in the machine disassembled by iFixit at least) was manufactured by LG Display; except for that new display, "the hardware inside the iMac Intel 27" Retina 5K Display looks much the same as last year's 27" iMac." In typical iFixit style, the teardown is documented with high-resolution pictures and more technical details.

Apple's Next Hit Could Be a Microsoft Surface Pro Clone

timothy posted 2 days ago | from the they-have-the-technology dept.

Input Devices 247

theodp writes "Good artists copy, great artists steal," Steve Jobs used to say. Having launched a perfectly-timed attack against Samsung and phablets with its iPhone 6 and iPhone 6 Plus, Leonid Bershidsky suggests that the next big thing from Apple will be a tablet-laptop a la Microsoft's Surface Pro 3. "Before yesterday's Apple [iPad] event," writes Bershidsky, "rumors were strong of an upcoming giant iPad, to be called iPad Pro or iPad Plus. There were even leaked pictures of a device with a 12.9-inch screen, bigger than the Surface Pro's 12-inch one. It didn't come this time, but it will. I've been expecting a touch-screen Apple laptop for a few years now, and keep being wrong.

Google Releases Android 5.0 Lollipop SDK and Nexus Preview Images

Soulskill posted 3 days ago | from the progressively-sillier-names dept.

Android 77

An anonymous reader writes: As promised, Google today released the full Android 5.0 Lollipop SDK, along with updated developer images for Nexus 5, Nexus 7 (2013), ADT-1, and the Android emulator. The latest version of Android isn't available just yet, but the company is giving developers a head start (about two weeks), so they can test their apps on the new platform. To get the latest Android 5.0 SDK, fire up Android SDK Manager and head to the Tools section, followed by latest SDK Tools, SDK Platform-tools, and SDK Build-tools. Select everything under the Android 5.0 section, hit "Install packages...", accept the licensing agreement, and finally click Install. Google also rolled out updated resources for their Material Design guidelines.

FBI Warns Industry of Chinese Cyber Campaign

samzenpus posted 4 days ago | from the protect-ya-neck dept.

Security 105

daten writes The FBI on Wednesday issued a private warning to industry that a group of highly skilled Chinese government hackers was in the midst of a long-running campaign to steal valuable data from U.S. companies and government agencies. "These state-sponsored hackers are exceedingly stealthy and agile by comparison with the People's Liberation Army Unit 61398 ... whose activity was publicly disclosed and attributed by security researchers in February 2013," said the FBI in its alert, which referred to a Chinese military hacker unit exposed in a widely publicized report by the security firm Mandiant.

Adobe: Click-to-Play Would Have Avoided Flood of Java Zero-days

Soulskill posted 4 days ago | from the of-pots-and-kettles dept.

Java 111

mask.of.sanity writes: Oracle could have saved mountains of cash and bad press if Click-to-Play was enabled before Java was hosed by an armada of zero day vulnerabilities, Adobe security boss Brad Arkin says. The simple fix introduced into browsers over the last year stopped the then zero day blitzkrieg in its tracks by forcing users to click a button to enable Java.

Drupal Fixes Highly Critical SQL Injection Flaw

samzenpus posted 5 days ago | from the protect-ya-neck dept.

Security 53

An anonymous reader writes Drupal has patched a critical SQL injection vulnerability in version 7.x of the content management system that can allow arbitrary code execution. The flaw lies in an API that is specifically designed to help prevent against SQL injection attacks. "Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks," the Drupal advisory says. "A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks."

Ask Slashdot: Handling Patented IP In a Job Interview?

samzenpus posted 5 days ago | from the what's-mine-is-mine dept.

Businesses 224

ZahrGnosis writes I'm in the midst of a rather lengthy job interview; something I haven't done for some time as I've worked as a contract employee with a much lower barrier to entry for years. Recently, I've started patenting some inventions that are applicable to my industry. One hope is that the patents look good to the prospective employer on a resume, but I don't want them to take the existing IP for granted as part of the deal. I'm worried I have the wrong attitude, however. My question is, how should I treat licensing of the patent as a topic with respect to the topic of my employment? Should I build the use of my patented ideas into my salary? Should I explicitly refuse to implement my patented IP for the company without a separate licensing fee? If I emphasize the patent during the interviews without the intent to give them the IP for free, is that an ethical lapse — a personal false advertising? At the same time, when I work for a company I feel they should get the benefit of my full expertise... am I holding back something I shouldn't by not granting a de-facto license while I work for them? I perceive a fine balance between being confrontational and helpful, while not wanting to jeopardize the job prospect nor restrict my ability to capitalize on my invention. Thoughts?

Oracle Database Certifications Are No Longer Permanent

Soulskill posted about a week ago | from the you're-now-allowed-to-forget-things dept.

Oracle 108

jfruh writes: It used to be that you could get an Oracle database certification and declare yourself Oracle-certified for the rest of your career. That time is now over, causing a certain amount of consternation among DBAs. On the one hand, it makes sense that someone who's only been certified on a decade-old version of the product should need to prove they've updated their skills. On the other, Oracle charges for certification and will definitely profit from this shift.

Google Finds Vulnerability In SSL 3.0 Web Encryption

Soulskill posted about a week ago | from the another-day-another-vuln dept.

Security 68

AlbanX sends word that security researchers from Google have published details on a vulnerability in SSL 3.0 that can allow an attacker to calculate the plaintext of encrypted communications. Google's Bodo Moller writes, SSL 3.0 is nearly 15 years old, but support for it remains widespread. Most importantly, nearly all browsers support it and, in order to work around bugs in HTTPS servers, browsers will retry failed connections with older protocol versions, including SSL 3.0. Because a network attacker can cause connection failures, they can trigger the use of SSL 3.0 and then exploit this issue. Disabling SSL 3.0 support, or CBC-mode ciphers with SSL 3.0, is sufficient to mitigate this issue, but presents significant compatibility problems, even today. Therefore our recommended response (PDF) is to support TLS_FALLBACK_SCSV. This is a mechanism that solves the problems caused by retrying failed connections and thus prevents attackers from inducing browsers to use SSL 3.0. It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so may help prevent future attacks.

Can the Sun Realistically Power Datacenters?

Soulskill posted about a week ago | from the nobody-needs-wyoming-for-anything-important dept.

Power 236

1sockchuck writes: A massive solar array in central New Jersey provides the daytime power for a server farm delivering online financial services for McGraw Hill. The 50-acre field of photovoltaic solar panels symbolizes a new phase in the use of renewable energy in data centers. Massive arrays can now provide tens of megawatts of solar power for companies (including Apple) that can afford the land and the expense. But some data center thought leaders argue that these huge fields are more about marketing than genuinely finding the best approach to a greener cloud.
