Security

Ask Slashdot: How Are So Many Security Vulnerabilities Possible?

dryriver writes: It seems like not a day goes by on Slashdot and elsewhere on the intertubes that you don't read a story headline reading "Company_Name Product_Name Has Critical Vulnerability That Allows Hackers To Description_Of_Bad_Things_Vulnerability_Allows_To_Happen." A lot of it is big brand products as well. How, in the 21st century, is this possible, and with such frequency? Is software running on electronic hardware invariably open to hacking if someone just tries long and hard enough? Or are the product manufacturers simply careless or cutting corners in their product designs? If you create something that communicates with other things electronically, is there no way at all to ensure that the device is practically unhackable?
The Internet

FCC Will Also Order States To Scrap Plans For Their Own Net Neutrality Laws (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: In addition to ditching its own net neutrality rules, the Federal Communications Commission also plans to tell state and local governments that they cannot impose local laws regulating broadband service. This detail was revealed by senior FCC officials in a phone briefing with reporters today, and it is a victory for broadband providers that asked for widespread preemption of state laws. FCC Chairman Ajit Pai's proposed order finds that state and local laws must be preempted if they conflict with the U.S. government's policy of deregulating broadband Internet service, FCC officials said. The FCC will vote on the order at its December 14 meeting. It isn't clear yet exactly how extensive the preemption will be. Preemption would clearly prevent states from imposing net neutrality laws similar to the ones being repealed by the FCC, but it could also prevent state laws related to the privacy of Internet users or other consumer protections. Pai's staff said that states and other localities do not have jurisdiction over broadband because it is an interstate service and that it would subvert federal policy for states and localities to impose their own rules.
Transportation

Uber Fined $8.9 Million In Colorado For Allowing Drivers With Felonies, Motor Violations To Work (jalopnik.com)

Uber has been fined by a Colorado regulator on Monday for nearly $9 million, after an investigation revealed that 57 people with criminal and motor vehicle offenses were allowed to drive with the ride-hailing company. Jalopnik reports: States across the U.S. have been considering laws to require additional background checks for individuals who drive for Uber and competitors like Lyft. In Colorado, the state's Public Utilities Commission investigated the company's drivers after an incident this past March, reported The Denver Post, when a driver dragged a passenger out of a car and kicked them in the face. The commission said it found 57 drivers had issues that should've disqualified them from driving for Uber, including felony convictions for driving under the influence and reckless driving, while others had revoked, suspended or canceled licenses. A similar investigation was conducted on Lyft, the Post reported, but no violations were revealed. An Uber spokesperson said the situation stems from a "process error" that was "inconsistent with Colorado's ridesharing regulations." The spokesperson said Uber "proactively notified" the commission. "This error affected a small number of drivers and we immediately took corrective action," the company said in a statement to the Post. "Per Uber safety policies and Colorado state regulations, drivers with access to the Uber app must undergo a nationally accredited third-party background screening. We will continue to work closely with the CPUC to enable access to safe, reliable transportation options for all Coloradans."
Businesses

HP Enterprise CEO Meg Whitman To Step Down (reuters.com)

Hewlett Packard Enterprise's Meg Whitman is stepping down as chief executive officer. Reuters reports: Whitman engineered the biggest breakup in corporate history during her 6-year tenure at the helm, creating HPE and PC-and-printer business HP Inc from parent Hewlett Packard Co in 2015. Whitman will be succeeded by the company's president, Antonio Neri, who takes over from Feb. 1. "Now is the right time for Antonio and a new generation of leaders to take the reins of HPE," Whitman said in a statement. Whitman, who will continue as a board member, had been steering the company towards areas such as networking, storage and technology services.
Businesses

Russia To Act Against Google if Sputnik, RT Get Lower Search Rankings (reuters.com)

Paresh Dave and Jack Stubbs, reporting for Reuters: The Kremlin will take action against Alphabet's Google if articles from Russian news websites Sputnik and Russia Today are placed lower in search results, the Interfax news service cited Russia's chief media regulator as saying on Tuesday. Alexander Zharov, head of media regulator Roskomnadzor, said his agency sent a letter to Google on Tuesday requesting clarification on comments Saturday by Alphabet Executive Chairman Eric Schmidt about how the Russian websites would be treated in search, according to Interfax. "We will receive an answer and understand what to do next," Interfax quoted Zharov as saying. "We hope our opinion will be heard, and we won't have to resort to more serious" retaliatory measures.
Businesses

Why Apple's HomePod Is Three Years Behind Amazon's Echo (bloomberg.com)

Apple unveiled the HomePod, its first smart speaker to take on market-leading Amazon's Echo lineup of speakers, in June this year. Despite being three years late to the party, the HomePod has largely been pitched as a speaker that sounds great rather than as a device that sounds great but, more importantly, can also help you with daily chores. On top of this, Apple said last week it was delaying the shipment of HomePod from December this year to "early 2018." So why is a company whose market valuation is quickly approaching a trillion dollars so far behind its competitors? Bloomberg reports on Tuesday: Apple audio engineers had been working on an early version of the HomePod speaker for about two years in 2014 when they were blindsided by the Echo, a smart speaker from Amazon with a voice-activated assistant named Alexa. The Apple engineers jokingly accused one another of leaking details of their project to Amazon, then bought Echos so they could take them apart and see how they were put together. They quickly deemed the Echo's sound quality inferior and got back to work building a better speaker. More than two years passed. In that time Amazon's Echo became a hit with consumers impressed by Alexa's ability to answer questions, order pizzas and turn lights on and off. Meanwhile, Apple dithered over its own speaker, according to people familiar with the situation. The project was cancelled and revived several times, they said, and the device went through multiple permutations (at one point it stood 3 feet tall) as executives struggled to figure out how it would fit into the home and Apple's ecosystem of products and services. In the end, the company plowed ahead, figuring that creating a speaker would give customers another reason to stay loyal. Yet despite having all the ingredients for a serious competitor to the Echo -- including Siri and the App Store -- Apple never saw the HomePod as anything more than an accessory, like the AirPods earphones.
Businesses

FCC Announces Plan To Repeal Net Neutrality (nytimes.com)

The FCC on Tuesday said it plans to dismantle landmark regulations that ensure equal access to the internet, clearing the way for companies to charge more and block access to some websites. From a report in the New York Times: The proposal, put forward by the F.C.C. chairman, Ajit Pai, is a sweeping repeal of rules put in place by the Obama administration that prohibited high-speed internet service providers from blocking or slowing down the delivery of websites, or charging extra fees for the best quality of streaming and other internet services for their subscribers. The clear winners from the move would be telecom giants like AT&T and Comcast that have lobbied for years against regulations of broadband and will now have more control over the online experiences of American consumers. The losers could be internet sites that will have to answer to telecom firms to get their content in front of consumers. And consumers may see their bills increase for the best quality of internet service. Note from the editor: the aforementioned link could be paywalled; consider the alternative sources: NPR, ArsTechnica, Associated Press, BBC, Axios, Reuters, TechCrunch, and Slate.

FTC Commissioner Terrell McSweeny criticized the move. She said, "So many things wrong here, like even if FCC does this FTC still won't have jurisdiction. But even if we did, most discriminatory conduct by ISPs will be perfectly legal. This won't hurt tech titans with deep pockets. They can afford to pay all the trolls under the bridge. But the entrepreneurs and innovators who truly make the Internet great won't be so lucky. It will be harder for them to compete. The FCC is upending the Internet as we know it, not saving it."

This is what the internet looks like when there is no net neutrality. Earlier today, news outlet Motherboard suggested we should build our own internet if we want to safeguard the essence of open internet.
Businesses

Apple's New iPhone Built With Illegal Overtime Teen Labor (bloomberg.com)

Apple's main supplier in Asia has been employing high-school students working illegal overtime to assemble the iPhone X in an effort to catch up with demand after facing production delays, the Financial Times reported on Tuesday, citing several teenagers involved. From a report: A group of 3,000 students from the Zhengzhou Urban Rail Transit School were sent to work at the local facility run by Taiwan-based Hon Hai Precision Industry, known as Foxconn, as part of a three-month stint that was billed as "work experience," and required to graduate, the Financial Times reported. Six of the students told the FT they routinely worked 11-hour days assembling Apple's flagship smartphone, which constitutes illegal overtime for student interns under Chinese law. Apple said an audit did find instances of student interns working overtime, adding that they were employed voluntarily, were compensated and provided benefits, but that they shouldn't have been allowed to work overtime.
Censorship

Skype Vanishes From App Stores in China (nytimes.com)

Skype, Microsoft's Internet phone call and messaging service, has been unavailable for download from a number of app stores in China, including Apple's, for almost a month (Editor's note: the link could be paywalled; alternative source), The New York Times reported on Tuesday. From the report: "We have been notified by the Ministry of Public Security that a number of voice over internet protocol apps do not comply with local law. Therefore these apps have been removed from the app store in China," an Apple spokeswoman said Tuesday in an emailed statement responding to questions about Skype's disappearance from the app store. "These apps remain available in all other markets where they do business." The removal led to a volley of complaints from Chinese users on internet message boards who were no longer able to pay for Skype's services through Apple. The users said that the disruption began in late October. Skype, which is owned by Microsoft, still functions in China, and its fate in the country is not yet clear. But its removal from the app stores is the most recent example of a decades-long push by China's government to control and monitor the flow of information online.
Businesses

Trump Administration Tightens Scrutiny of Skilled Worker Visa Applicants (inc.com)

wyattstorch516 writes: The Trump administration is tightening the scrutiny on the H-1B visa program (Warning: paywalled; alternative source). There are two big regulatory changes looming that would undo actions by the Obama administration. "The first change allowed spouses of H-1B workers the right to work. That regulation is being challenged in court and the Trump administration is expected to eliminate the provision rather than defend it," reports WSJ. "The second change affects the Optional Practical Training program, which allows foreign graduates from U.S. colleges in science and technology an extra two years of work authorization, giving them time to win an H-1B visa. The Trump administration could kill that benefit or reduce the two-year window, according to people familiar with the discussions." The Journal highlights a "series of more modest changes that have added scrutiny to visa processing":

- "USCIS directed last month that adjudicators no longer pay 'deference' to past determinations for renewal applications. This means an applicant's past approval won't carry any weight if he or she applies for a renewal.

- The agency is conducting more applicant interviews, which critics say slows the system. The agency spokesman says this process will ramp up over several years and is needed to detect fraud and make accurate decisions.

- In the spring, the agency suspended premium processing, which allowed for fast-track consideration to those who paid an extra fee. This option wasn't resumed until October, meaning many workers who qualified for a coveted H-1B visa had to wait months for a decision.

- State Department officials have been told to consider that Mr. Trump's 'Buy American, Hire American' executive order directs visa programs must 'protect the interests of United States workers.' And the Foreign Affairs Manual now instructs officers to scrutinize applications of students to ensure they plan to return to their home countries. A State Department official said the official rules haven't changed but said a 'comprehensive' review is under way."
AT&T

US Sues To Block AT&T Purchase of Time Warner (reuters.com)

The U.S. Department of Justice is suing AT&T to block its $85.4 billion acquisition of Time Warner. "The legal challenge was expected after AT&T rejected a demand by the Justice Department earlier this month to divest its DirecTV unit or Time Warner's Turner Broadcasting -- which contains news network CNN -- in order to win antitrust approval," reports Reuters. From the report: AT&T's chief executive said then that he would defend the deal in court to win approval, and the company criticized the Justice Department's case on Monday. The lawsuit is "a radical and inexplicable departure from decades of antitrust precedent," said AT&T lawyer David McAtee, arguing that so-called vertical mergers, between companies that are not direct competitors, are routinely approved. "We see no legitimate reason for our merger to be treated differently," he said, adding that AT&T is confident a judge will reject the Justice Department's case.
Bitcoin

An Ethereum Startup Just Vanished After People Invested $374K (vice.com)

An anonymous reader quotes a report from Motherboard: A startup on the Ethereum platform vanished from the internet on Sunday after raising $374,000 USD from investors in an Initial Coin Offering (ICO) fundraiser. Confido is a startup that pitched itself as a blockchain-based app for making payments and tracking shipments. It sold digital tokens to investors over the Ethereum blockchain in an ICO that ran from November 6 to 8. During the token sale, Confido sold people bespoke digital tokens that represent their investment in exchange for ether, Ethereum's digital currency. But on Sunday, the company unceremoniously deleted its Twitter account and took down its website. A company representative posted a brief comment to the company's now-private subforum on Reddit, citing legal problems that prevent the Confido team from continuing their work. The same message was also posted to Medium but quickly deleted.

"Right now, we are in a tight spot, as we are having legal trouble caused by a contract we signed," the message stated (a cached version of the Medium post is viewable). "It is likely that we will be able to find a solution to rectify the situation. However, we cannot assure you with 100% certainty that we will get through this." The message was apparently written by Confido's founder, one Joost van Doorn, who seems to have no internet presence besides a now-removed LinkedIn profile. Even the Confido representative on Reddit doesn't seem to know what's going on, though, posting hours after the initial message, "Look I have absolutely no idea what has happened here. The removal of all of our social media platforms and website has come as a complete surprise to me." Confido tokens had a market cap of $10 million last week, before the company disappeared, but now the tokens are worthless. And investors are crying foul.

Cloud

Amazon Launches a Cloud Service For US Intelligence Agencies (cnbc.com)

Amazon Web Services on Monday introduced a cloud service for the CIA and other members of the U.S. intelligence community. From a report: The launch of the so-called AWS Secret Region comes six years after AWS introduced GovCloud, its first data center region for public sector customers. AWS has since announced plans to expand GovCloud. The new Secret Region signals interest in using AWS from specific parts of the U.S. government. In 2013 news outlets reported on a $600 million contract between AWS and the CIA. That event singlehandedly helped Amazon in its effort to sign up large companies to use its cloud, whose core services have been available since 2006.
Businesses

Dark Side of Gig Economy: Some Instacart Workers Go On Strike Over Pay That Can Be as Low as $1 Per Hour (fastcompany.com)

From a report: Instacart shoppers and drivers -- the people who gather your groceries and deliver them to you after you order via the Instacart app -- are on strike. While independent contractors can't technically strike, via a Facebook group some of the company's thousands of workers have organized a "no delivery day" in the hopes of getting higher wages, the San Francisco Chronicle reports. The strike is only taking place in a few of the 154 cities nationwide that Instacart operates in. The action may be small, but the grievances are big. While Instacart, the 5-year-old San Francisco startup, is valued at $3.4 billion, it allegedly pays its workers as little as $1 per order. Ars Technica has a great breakdown of all the issues surrounding how Instacart workers get paid, and it's complex, with three different income streams coming together Voltron-like to form a wage. The result, though, is that some shoppers are being paid less than the federal minimum wage, like a worker in Jackson, Mississippi, who put in a 19-hour week that paid out $37.75 (roughly $2/hour). That's far below the $14/hour wage that Ars Technica says Instacart is targeting.
AI

Deep Learning Is Eating Software (petewarden.com)

Pete Warden, engineer and CTO of Jetpac, shares his view on how deep learning is already starting to change how some programming is done. From a blog post, shared by a reader last week: The pattern is that there's an existing software project doing data processing using explicit programming logic, and the team charged with maintaining it find they can replace it with a deep-learning-based solution. I can only point to examples within Alphabet that we've made public, like upgrading search ranking, data center energy usage, language translation, and solving Go, but these aren't rare exceptions internally. What I see is that almost any data processing system with non-trivial logic can be improved significantly by applying modern machine learning. This might sound less than dramatic when put in those terms, but it's a radical change in how we build software. Instead of writing and maintaining intricate, layered tangles of logic, the developer has to become a teacher, a curator of training data and an analyst of results. This is very, very different than the programming I was taught in school, but what gets me most excited is that it should be far more accessible than traditional coding, once the tooling catches up. The essence of the process is providing a lot of examples of inputs, and what you expect for the outputs. This doesn't require the same technical skills as traditional programming, but it does need a deep knowledge of the problem domain. That means motivated users of the software will be able to play much more of a direct role in building it than has ever been possible. In essence, the users are writing their own user stories and feeding them into the machinery to build what they want.
Spam

Spam Is Back (theoutline.com)

Jon Christian, writing for The Outline: For a while, spam -- unsolicited bulk messages sent for commercial or fraudulent purposes -- seemed to be fading away. The 2003 CAN-SPAM Act mandated unsubscribe links in email marketing campaigns and criminalized attempts to hide the sender's identity, while sophisticated filters on what were then cutting-edge email providers like Gmail buried unwanted messages in out-of-sight spam folders. In 2004, Microsoft co-founder Bill Gates told a crowd at the World Economic Forum that "two years from now, spam will be solved." In 2011, cybersecurity reporter Brian Krebs noted that increasingly tech savvy law enforcement efforts were shutting down major spam operators -- including SpamIt.com, alleged to be a major hub in a Russian digital criminal organization that was responsible for an estimated fifth of the world's spam. These efforts meant that the proportion of all emails that are spam has slowly fallen to a low of about 50 percent in recent years, according to Symantec research.

But it's 2017, and spam has clawed itself back from the grave. It shows up on social media and dating sites as bots hoping to lure you into downloading malware or clicking an affiliate link. It creeps onto your phone as text messages and robocalls that ring you five times a day about luxury cruises and fictitious tax bills. Networks associated with the buzzy new cryptocurrency system Ethereum have been plagued with spam. Facebook recently fought a six-month battle against a spam operation that was administering fake accounts in Bangladesh, Indonesia, Saudi Arabia, and other countries. Last year, a Chicago resident sued the Trump campaign for allegedly sending unsolicited text message spam; this past November, ZDNet reported that voters were being inundated with political text messages they never signed up for. Apps can be horrid spam vectors, too. Repeated mass data breaches that include contact information, such as the Yahoo breach in which 3 billion user accounts were exposed, surely haven't helped. Meanwhile, you, me, and everyone we know is being plagued by robocalls.

Social Networks

We Can't Trust Facebook To Regulate Itself, Says Former Operations Manager (nytimes.com)

schwit1 shares an op-ed on the New York Times by Sandy Parakilas, a former operations manager on the platform team at Facebook: Sandy Parakilas led Facebook's efforts to fix privacy problems on its developer platform in advance of its 2012 initial public offering. What I saw from the inside was a company that prioritized data collection from its users over protecting them from abuse. As the world contemplates what to do about Facebook in the wake of its role in Russia's election meddling, it must consider this history. Lawmakers shouldn't allow Facebook to regulate itself. Because it won't (Editor's note: the link could be paywalled; alternative source). Facebook knows what you look like, your location, who your friends are, your interests, if you're in a relationship or not, and what other pages you look at on the web. This data allows advertisers to target the more than one billion Facebook visitors a day. It's no wonder the company has ballooned in size to a $500 billion behemoth in the five years since its I.P.O. The more data it has on offer, the more value it creates for advertisers. That means it has no incentive to police the collection or use of that data -- except when negative press or regulators are involved. Facebook is free to do almost whatever it wants with your personal information, and has no reason to put safeguards in place. The company just wanted negative stories to stop. It didn't really care how the data was used. Facebook took the same approach to this investigation as the one I observed during my tenure: react only when the press or regulators make something an issue, and avoid any changes that would hurt the business of collecting and selling data. This makes for a dangerous mix: a company that reaches most of the country every day and has the most detailed set of personal data ever assembled, but has no incentive to prevent abuse. Facebook needs to be regulated more tightly, or broken up so that no single entity controls all of its data. 
The company won't protect us by itself, and nothing less than our democracy is at stake.
The Media

Net Neutrality is Essentially Unassailable, Argues Billionaire Barry Diller (broadcastingcable.com)

An anonymous reader quotes Yahoo Finance: The billionaire media mogul behind such popular sites as Expedia, Match.com and HomeAdvisor has a one-word forecast for traditional media conglomerates concerned about being replaced by tech giants: serfdom. "They, like everyone else, are kind of going to be serfs on the land of the large tech companies," IAC chairman Barry Diller said... That's because Google and Facebook not only have such massive user bases but also dominate online advertising. "Google and Facebook are consolidating," Diller said. "They are the only mass advertising mediums we have..." He expects Facebook, Google and maybe Amazon to face government regulation, simply because of their immense size. "At a certain point in size, you must," he said. "It's inevitable."

He did, however, outline one positive for Big Tech getting so gargantuan. Big Telecom no longer has the economic leverage to roll back today's net-neutrality norms, in which internet providers don't try to charge sites extra for access to their subscribers. "I think it's hard to overturn practically," he said. "It is the accepted system."

Even if the U.S. government takes moves to fight net neutrality, Diller told CNBC that "I think it is over... It is [the] practice of the world... You're still going to be able to push a button and publish to the world, without anybody in between asking you for tribute. I think that is now just the way things are done. I don't think it can be violated no matter what laws are back."
Businesses

In Defense of Project Management For Software Teams (techbeacon.com)

mikeatTB writes: Many Slashdotters weighed in on Steven A. Lowe's post, "Is Project Management Killing Good Products, Teams and Software?", where he slammed project management and called for product-centrism. Many commenters pushed back, but one PM, Yvette Schmitter, has fired back with a scathing response post, noting: "As a project manager, I'm saddened to see that project management and project managers are getting a bad rap from both ends of the spectrum. Business tends not to see the value in them, and developers tend to believe their own 'creativity' is being stymied by them. Let's set the record straight: Project management is a prized methodology for delivering on leadership's expectations.

"The success of the methodology depends on the quality of the specific project manager..." she continues. "If the project is being managed correctly by the project manager/scrum master, that euphoric state that developers want to get to can be achieved, along with the project objectives -- all within the prescribed budget and timeline. Denouncing an entire practice based on what appears to be a limited, misaligned application of the correct methodology does not make all of project management and all project managers bad."

How do Slashdot readers feel about project management for software teams?
Cloud

Cringely: Amazon Is Starting To Act Like 'Bad Microsoft' (cringely.com)

An anonymous reader quotes Cringely.com: My last column was about the recent tipping point signifying that cloud computing is guaranteed to replace personal computing over the next three years. This column is about the slugfest to determine what company's public cloud is most likely to prevail. I reckon it is Amazon's and I'll go further to claim that Amazon will shortly be the new Microsoft. What I mean by The New Microsoft is that Amazon is starting to act a lot like the old Microsoft of the 1990s. You remember -- the Bad Microsoft...

Tech companies behave this way because most employees are young and haven't worked anywhere else and because the behavior reflects the character of the founder. If the boss tells you to beat up customers and partners and it's your first job out of college, then you beat up customers and partners because that's the only world you know. At Microsoft this approach was driven by Bill Gates's belief that dominance could be lost in a single product cycle leaving no room for playing nice. At Amazon, Jeff Bezos is a believer in moving fast, making quick decisions and never looking back. The market has long rewarded this audacity so Amazon will continue to play hard until -- like Microsoft in the 90s -- they are punished for it.

Cringely points out most startups are already using AWS -- and so are all 17 US intelligence agencies ("taking 350,000 PCs out of places like the CIA.")

Bonus link: 17 years ago Cringely answered questions from Slashdot readers.