Forgot your password?
typodupeerror

Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

Bug

Passport Database Outage Leaves Thousands Stranded 82

Posted by Unknown Lamer
from the maintenance-considered-harmful dept.
linuxwrangler (582055) writes Job interviews missed, work and wedding plans disrupted, children unable to fly home with their adoptive parents. All this disruption is due to a outage involving the passport and visa processing database at the U.S. State Department. The problems have been ongoing since July 19 and the best estimate for repair is "soon." The system "crashed shortly after maintenance."
Bug

"ExamSoft" Bar Exam Software Fails Law Grads 97

Posted by timothy
from the until-it-happens-to-you dept.
New submitter BobandMax writes ExamSoft, the management platform software that handles digital bar exam submissions for multiple states, experienced a severe technical meltdown on Tuesday, leaving many graduates temporarily unable to complete the exams needed to practice law. The snafu also left bar associations from nearly 20 states with no choice but to extend their submission deadlines. It's not the first time, either: a classmate of mine had to re-do a state bar exam after an ExamSoft glitch on the first go-'round. Besides handling the uploading of completed exam questions, ExamSoft locks down the computer on which it runs, so Wikipedia is not an option.
Communications

Black Hat Researchers Actively Trying To Deanonymize Tor Users 82

Posted by Soulskill
from the good-research-vs-bad-research dept.
An anonymous reader writes: Last week, we discussed news that a presentation had been canceled for the upcoming Black Hat security conference that involved the Tor Project. The researchers involved hadn't made much of an effort to disclose the vulnerability, and the Tor Project was scrambling to implement a fix. Now, the project says it's likely these researchers were actively attacking Tor users and trying to deanonymize them. "On July 4 2014 we found a group of relays that we assume were trying to deanonymize users. They appear to have been targeting people who operate or access Tor hidden services. The attack involved modifying Tor protocol headers to do traffic confirmation attacks. ...We know the attack looked for users who fetched hidden service descriptors, but the attackers likely were not able to see any application-level traffic (e.g. what pages were loaded or even whether users visited the hidden service they looked up). The attack probably also tried to learn who published hidden service descriptors, which would allow the attackers to learn the location of that hidden service." They also provide a technical description of the attack, and the steps they're taking to block such attacks in the future.
Android

Popular Android Apps Full of Bugs: Researchers Blame Recycling of Code 145

Posted by timothy
from the little-of-this-little-of-that dept.
New submitter Brett W (3715683) writes The security researchers that first published the 'Heartbleed' vulnerabilities in OpenSSL have spent the last few months auditing the Top 50 downloaded Android apps for vulnerabilities and have found issues with at least half of them. Many send user data to ad networks without consent, potentially without the publisher or even the app developer being aware of it. Quite a few also send private data across the network in plain text. The full study is due out later this week.
Bug

Linus Torvalds: "GCC 4.9.0 Seems To Be Terminally Broken" 728

Posted by timothy
from the you'll-never-believe-what-he-actually-said dept.
hypnosec (2231454) writes to point out a pointed critique from Linus Torvalds of GCC 4.9.0. after a random panic was discovered in a load balance function in Linux 3.16-rc6. in an email to the Linux kernel mailing list outlining two separate but possibly related bugs, Linus describes the compiler as "terminally broken," and worse ("pure and utter sh*t," only with no asterisk). A slice: "Lookie here, your compiler does some absolutely insane things with the spilling, including spilling a *constant*. For chrissake, that compiler shouldn't have been allowed to graduate from kindergarten. We're talking "sloth that was dropped on the head as a baby" level retardation levels here .... Anyway, this is not a kernel bug. This is your compiler creating completely broken code. We may need to add a warning to make sure nobody compiles with gcc-4.9.0, and the Debian people should probably downgrate their shiny new compiler."
Bug

Bad "Buss Duct" Causes Week-long Closure of 5,000 Employee Federal Complex 124

Posted by timothy
from the something-to-be-indignant-about dept.
McGruber (1417641) writes In Atlanta, an electrical problem in a "Buss Duct" has caused the Sam Nunn Atlanta Federal Center to be closed for at least a week. 5,000 federal employees work at the center. While many might view this as another example of The Infrastructure Crisis in the USA, it might actually be another example of mismanagement at the complex's landlord, the General Service Administration (GSA). Probably no one wants to go to work in an Atlanta July without a working A/C.
Classic Games (Games)

ScummVM 1.7.0 Released 26

Posted by Unknown Lamer
from the manic-mansion dept.
jones_supa (887896) writes It's been a while since a new ScummVM release, but version 1.7.0 is now here with many exciting features. New games supported are The Neverhood, Mortville Manor, Voyeur, Return to Ringworld and Chivalry is Not Dead. The Roland MT-32 emulator has been updated, there is an OpenGL backend, the GUI has seen improvements, AGOS engine is enhanced, tons of SCI bug fixes have been applied, and various other improvements can be found. This version also introduces support for the OUYA gaming console and brings improvements to some other more exotic platforms. Please read the release notes for an accurate description of the new version. SCUMM being the language/interpreter used by many classic adventure games.
Encryption

CNN iPhone App Sends iReporters' Passwords In the Clear 40

Posted by Unknown Lamer
from the safe-reporting dept.
chicksdaddy (814965) writes The Security Ledger reports on newly published research from the firm zScaler that reveals CNN's iPhone application transmits user login session information in clear text. The security flaw could leave users of the application vulnerable to having their login credential snooped by malicious actors on the same network or connected to the same insecure wifi hotspot. That's particularly bad news if you're one of CNN's iReporters — citizen journalists — who use the app to upload photos, video and other text as they report on breaking news events. According to a zScaler analysis, CNN's app for iPhone exposes user credentials in the clear both during initial setup of the account and in subsequent mobile sessions. The iPad version of the CNN app is not affected, nor is the CNN mobile application for Android. A spokesman for CNN said the company had a fix ready and was working with Apple to have it approved and released to the iTunes AppStore.
Privacy

Black Hat Presentation On Tor Cancelled, Developers Working on Bug Fix 52

Posted by Soulskill
from the you-can't-say-that-on-television dept.
alphadogg writes A presentation on a low-budget method to unmask users of a popular online privacy tool Tor will no longer go ahead at the Black Hat security conference early next month. The talk was nixed by the legal counsel with Carnegie Mellon's Software Engineering Institute after a finding that materials from researcher Alexander Volynkin were not approved for public release, according to a notice on the conference's website. Tor project leader Roger Dingledine said, "I think I have a handle on what they did, and how to fix it. ... Based on our current plans, we'll be putting out a fix that relays can apply that should close the particular bug they found. The bug is a nice bug, but it isn't the end of the world." Tor's developers were "informally" shown materials about the bug, but never saw any details about what would be presented in the talk.
Bug

Researchers Test Developer Biometrics To Predict Buggy Code 89

Posted by Soulskill
from the subject-was-asleep-when-this-code-was-checked-in dept.
rjmarvin writes: Microsoft Research is testing a new method for predicting errors and bugs while developers write code: biometrics. By measuring a developer's eye movements, physical and mental characteristics as they code, the researchers tracked alertness and stress levels to predict the difficulty of a given task with respect to the coder's abilities. In a paper entitled "Using Psycho-Physiological Measures to Assess Task Difficulty in Software Development," the researchers summarized how they strapped an eye tracker, an electrodermal sensor and an EEG sensor to 15 developers as they programmed for various tasks. Biometrics predicted task difficulty for a new developer 64.99% of the time. For a subsequent tasks with the same developer, the researchers found biometrics to be 84.38% accurate. They suggest using the information to mark places in code that developers find particularly difficult, and then reviewing or refactoring those sections later.
Mars

ExoLance: Shooting Darts At Mars To Find Life 50

Posted by Unknown Lamer
from the lance-it-from-orbit-just-to-be-sure dept.
astroengine (1577233) writes To find life on Mars, some scientists believe you might want to look underground for microbes that may be hiding from the harsh radiation that bathes the red planet's surface. Various NASA rovers have scraped away a few inches at a time, but the real paydirt may lie a meter or two below the surface. That's too deep for existing instruments, so a team of space enthusiasts has launched a more ambitious idea: dropping arrow-like probes from the Martian atmosphere to pierce the soil like bunker-busting bug catchers. The "ExoLance" project aims to drop ground-penetrating devices, each of which would carry a small chemical sampling test to find signs of life. "One of the benefits of doing this mission is that there is less engineering," said Chris Carberry, executive director of Explore Mars, a non-profit space advocacy group pushing the idea. "With penetrators we can engineer them to get what we want, and send it back to an orbiter. We can theoretically check out more than one site at a time. We could drop five or six, which increases the chances of finding something." They will be performing a test run in the Mojave desert to see if their design stands any chance of working.
Security

Critical Vulnerabilities In Web-Based Password Managers Found 114

Posted by samzenpus
from the protect-ya-neck dept.
An anonymous reader writes A group of researchers from University of California, Berkeley, have analyzed five popular web-based password managers and have discovered vulnerabilities that could allow attackers to learn a user's credentials for arbitrary websites. The five password managers they analyzed are LastPass, RoboForm, My1Login, PasswordBox and NeedMyPassword. "Of the five vendors whose products were tested, only the last one (NeedMyPassword) didn't respond when they contacted them and responsibly shared their findings. The other four have fixed the vulnerabilities within days after disclosure. 'Since our analysis was manual, it is possible that other vulnerabilities lie undiscovered,' they pointed out. They also announced that they will be working on a tool that automatizes the process of identifying vulnerabilities, as well as on developing a 'principled, secure-by-construction password manager.'"
Bug

Today In Year-based Computer Errors: Draft Notices Sent To Men Born In the 1800s 205

Posted by timothy
from the pa-dmv-never-did-me-any-favors-either dept.
sandbagger (654585) writes with word of a Y2K-style bug showing up in Y2K14: "The glitch originated with the Pennsylvania Department of Motor Vehicles during an automated data transfer of nearly 400,000 records. The records of males born between 1993 and 1997 were mixed with those of men born a century earlier. The federal agency didn't know it because the state uses a two-digit code to indicate birth year." I wonder where else two-digit years are causing problems; I still see lots of paper forms that haven't made the leap yet to four digits.
Bug

Bug In Fire TV Screensaver Tears Through 250 GB Data Cap 349

Posted by Unknown Lamer
from the should-have-stuck-to-xscreensaver dept.
jfruh (300774) writes Tech writer Tyler Hayes had never come close to hitting the 250 GB monthly bandwidth cap imposed by Cox Cable — until suddenly he was blowing right through it, eating up almost 80 GB a day. Using the Mac network utility little snitch, he eventually tracked down the culprit: a screensaver on his new Kindle Fire TV. A bug in the mosaic screensaver caused downloaded images to remain uncached.
Security

Are the Hard-to-Exploit Bugs In LZO Compression Algorithm Just Hype? 65

Posted by timothy
from the you'll-never-feel-it dept.
NotInHere (3654617) writes In 1996, Markus F. X. J. Oberhumer wrote an implementation of the Lempel–Ziv compression, which is used in various places like the Linux kernel, libav, openVPN, and the Curiosity rover. As security researchers have found out, the code contained integer overflow and buffer overrun vulnerabilities, in the part of the code that was responsible for processing uncompressed parts of the data. Those vulnerabilities are, however, very hard to exploit, and their scope is dependent on the actual implementation. According to Oberhumer, the problem only affects 32-bit systems. "I personally do not know about any client program that actually is affected", Oberhumer sais, calling the news about the possible security issue a media hype.
Android

KeyStore Vulnerability Affects 86% of Android Devices 71

Posted by timothy
from the that's-a-lot dept.
jones_supa (887896) writes "IBM security researchers have published an advisory about an Android vulnerability that may allow attackers to obtain highly sensitive credentials, such as cryptographic keys for some banking services and virtual private networks, and PINs or patterns used to unlock vulnerable devices. It is estimated that the flaw affects 86 percent of Android devices. Android KeyStore has a little bug where the encode_key() routine that is called by encode_key_for_uid() can overflow the filename text buffer, because bounds checking is absent. The advisory says that Google has patched only version 4.4 of Android. There are several technical hurdles an attacker must overcome to successfully perform a stack overflow on Android, as these systems are fortified with modern NX and ASLR protections. The vulnerability is still considered to be serious, as it resides in one of the most sensitive resources of the operating system."
Security

Exploiting Wildcards On Linux/Unix 215

Posted by Soulskill
from the teaching-a-new-dog-old-tricks dept.
An anonymous reader writes: DefenseCode researcher Leon Juranic found security issues related to using wildcards in Unix commands. The topic has been talked about in the past on the Full Disclosure mailing list, where some people saw this more as a feature than as a bug. There are clearly a number of potential security issues surrounding this, so Mr. Juranic provided five actual exploitation examples that stress the risks accompanying the practice of using the * wildcard with Linux/Unix commands. The issue can be manifested by using specific options in chown, tar, rsync etc. By using specially crafted filenames, an attacker can inject arbitrary arguments to shell commands run by other users — root as well.
Bug

Why Software Builds Fail 279

Posted by Soulskill
from the failure-to-bribe-the-hamster dept.
itwbennett writes: A group of researchers from Google, the Hong Kong University of Science and Technology and the University of Nebraska undertook a study of over 26 million builds by 18,000 Google engineers from November 2012 through July 2013 to better understand what causes software builds to fail and, by extension, to improve developer productivity. And, while Google isn't representative of every developer everywhere, there are a few findings that stand out: Build frequency and developer (in)experience don't affect failure rates, most build errors are dependency-related, and C++ generates more build errors than Java (but they're easier to fix).
Security

Over 300,000 Servers Remain Vulnerable To Heartbleed 74

Posted by samzenpus
from the protect-ya-neck dept.
An anonymous reader writes Even though it's been a couple months since the Heartbleed bug was discovered, many servers remain unpatched and vulnerable. "Two months ago, security experts and web users panicked when a Google engineer discovered a major bug — known as Heartbleed — that put over a million web servers at risk. The bug doesn't make the news much anymore, but that doesn't mean the problem's solved. Security researcher Robert David Graham has found that at least 309,197 servers are still vulnerable to the exploit. Immediately after the announcement, Graham found some 600,000 servers were exposed by Heartbleed. One month after the bug was announced, that number dropped down to 318,239. In the past month, however, only 9,042 of those servers have been patched to block Heartbleed. That's cause for concern, because it means that smaller sites aren't making the effort to implement a fix."
Bug

One Developer's Experience With Real Life Bitrot Under HFS+ 396

Posted by timothy
from the so-really-it's-both-plus-and-minus dept.
New submitter jackjeff (955699) writes with an excerpt from developer Aymeric Barthe about data loss suffered under Apple's venerable HFS+ filesystem. HFS+ lost a total of 28 files over the course of 6 years. Most of the corrupted files are completely unreadable. The JPEGs typically decode partially, up to the point of failure. The raw .CR2 files usually turn out to be totally unreadable: either completely black or having a large color overlay on significant portions of the photo. Most of these shots are not so important, but a handful of them are. One of the CR2 files in particular, is a very good picture of my son when he was a baby. I printed and framed that photo, so I am glad that I did not lose the original. (Barthe acknowledges that data loss and corruption certainly aren't limited to HFS+; "bitrot is actually a problem shared by most popular filesystems. Including NTFS and ext4." I wish I'd lost only 28 files over the years.)

Aren't you glad you're not getting all the government you pay for now?

Working...