Networking

New Privacy Vulnerability In IOT Devices: Traffic Rate Metadata (helpnetsecurity.com) 21

Orome1 quotes Help Net Security: Even though many IoT devices for smart homes encrypt their traffic, a passive network observer -- e.g. an ISP, or a neighborhood WiFi eavesdropper -- can infer consumer behavior and sensitive details about users from IoT device-associated traffic rate metadata. A group of researchers from the Computer Science Department of Princeton University have proven this fact by setting up a smart home laboratory with a passive network tap, and examining the traffic rates of four IoT smart home devices: a Sense sleep monitor, a Nest Cam Indoor security camera, a WeMo smart outlet, and an Amazon Echo smart speaker... "Once an adversary identifies packet streams for a particular device, one or more of the streams are likely to encode device state. Simply plotting send/receive rates of the streams revealed potentially private user interactions for each device we tested," the researchers noted. [PDF]
In addition, the article notes, "Separating recorded network traffic into packet streams and associating each stream with an IoT device is not that hard."
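To make the "plot send/receive rates" observation concrete, here is an added illustration (not the Princeton group's code) that bins a constructed packet log per device stream, flags the bins where the rate jumps, and then shows how a defender-side shaper that pads every bin to a constant volume removes the signal. The device names, intervals and byte sizes are made up for the example.

```python
from collections import defaultdict
from statistics import median

BIN_SECONDS = 10


def generate_packets(intervals, step=1.0):
    """Constructed packet log: one record (t, device, direction, size) every
    `step` seconds for each (device, direction, t_start, t_end, size) interval."""
    packets = []
    for device, direction, t_start, t_end, size in intervals:
        t = t_start
        while t < t_end:
            packets.append((t, device, direction, size))
            t += step
    return sorted(packets)


# Constructed activity model (assumption, not measured data). A real capture
# would come from the passive tap; the idle baselines and the two bursts that
# stand in for "user lies down" and "motion detected" are invented here.
INTERVALS = [
    ("sense",   "out",  0, 120,   60),  # idle heartbeat
    ("sense",   "out", 60,  90,  900),  # user lies down: sleep-data upload
    ("nestcam", "out",  0, 120,  200),  # idle keepalive to the cloud
    ("nestcam", "out", 30,  50, 4000),  # motion detected: video burst
]


def rate_series(packets, bin_seconds=BIN_SECONDS):
    """Bytes per time bin for every (device, direction) stream: the same
    quantity the researchers plotted, computed from encrypted-payload sizes
    and timestamps only (no packet contents needed)."""
    horizon = max(t for t, *_ in packets)
    n_bins = int(horizon // bin_seconds) + 1
    series = defaultdict(lambda: [0] * n_bins)
    for t, device, direction, size in packets:
        series[(device, direction)][int(t // bin_seconds)] += size
    return dict(series)


def state_changes(bins, factor=3.0):
    """Indices of bins whose volume is at least `factor` times the stream's
    median: a crude stand-in for the visible steps in a rate plot."""
    baseline = median(bins)
    return [i for i, b in enumerate(bins) if b >= factor * baseline]


def pad_to_constant(bins):
    """Defender-side shaping (e.g. cover traffic injected by the home router):
    fill every bin up to the observed peak so per-bin volume no longer varies.
    It costs bandwidth, but the rate metadata then encodes no device state."""
    peak = max(bins)
    return [peak] * len(bins)


if __name__ == "__main__":
    series = rate_series(generate_packets(INTERVALS))
    for stream, bins in sorted(series.items()):
        print(stream, "raw changes at bins", state_changes(bins),
              "| after padding:", state_changes(pad_to_constant(bins)))
```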
Cloud

Is Amazon's AWS Hiring 'Demolishing The Cult Of Youth'? (redmonk.com) 133

Tech analyst James Governor argues that Amazon's cloud business is "demolishing the cult of youth." It just announced it is hiring James Gosling, one of the original inventors of Java... Meanwhile James Hamilton continues to completely kick ass in compute, network, and data center design for AWS... He's in his 50s. Tim Bray, one of the inventors of XML, joined Amazon in 2014. He's another Sun alumni. He's 61 now. He still codes. When you sit down with one of the AWS engineering teams you're sitting down with grownups... Adrian Cockcroft joined AWS in October 2016. He graduated in 1982, not 2002. He is VP Cloud Architecture Strategy at AWS, a perfect role for someone that helped drive Netflix's transition from on-prem Java hairball to serious cloud leadership.

Great engineering is not maths -- it involves tradeoffs, wisdom and experience... The company puts such a premium on independent groups working fast and making their own decisions it requires a particular skillset, which generally involves a great deal of field experience. A related trend is hiring seasoned marketing talent from the likes of IBM. Some other older companies have older distinguished engineers because they grew up with the company. AWS is explicitly bringing that experience in. It's refreshing to see a different perspective on value.

In a later post the analyst acknowledges engineering managers are generally older than their reports, but adds that "If AWS sees value in hiring engineering leadership from folks that are frankly a bit older than the norm in the industry, isn't that worth shining a light on?" In response to the article, XML inventor Tim Bray suggested a new acronym: GaaS. "Geezers as a service," while Amazon CTO Werner Vogels tweeted "There is no compression algorithm for experience."
Bug

Wormable Code-Execution Bug Lurked In Samba For 7 Years (arstechnica.com) 80

Long-time Slashdot reader williamyf was the first to share news of "a wormable bug [that] has remained undetected for seven years in Samba versions 3.5.0 onwards." Ars Technica reports: Researchers with security firm Rapid7...said they detected 110,000 devices exposed on the internet that appeared to run vulnerable versions of Samba. 92,500 of them appeared to run unsupported versions of Samba for which no patch was available... Those who are unable to patch immediately can work around the vulnerability by adding the line nt pipe support = no to their Samba configuration file and restarting the network's SMB daemon. The change will prevent clients from fully accessing some network computers and may disable some expected functions for connected Windows machines.
The U.S. Department of Homeland Security's CERT group issued an announcement urging sys-admins to update their systems, though SC Magazine cites a security researcher arguing this attack surface is much smaller than that of the WannaCry ransomware, partly because Samba is just "not as common as Windows architectures." But the original submission also points out that while the patch came in fast, "the 'Many eyes' took seven years to 'make the bug shallow'."
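For administrators rolling out the interim workaround, here is an added check (not from Ars Technica, Rapid7 or the Samba project) that parses an smb.conf text and reports whether `nt pipe support = no` is actually in force. Samba treats parameter names case-insensitively and ignores whitespace in them, and this parameter is global-only, so a copy placed in a share section does not count. Both configuration fragments are constructed for the example.

```python
import re

# Constructed smb.conf fragments (not taken from any real host).
# The first one looks mitigated at a glance but puts the option in a share
# section, where Samba ignores it for a global-only parameter.
MISPLACED_CONF = """
[global]
   workgroup = WORKGROUP
   server string = file server
[share]
   path = /srv/share
   nt pipe support = no   ; wrong section: has no effect
"""

MITIGATED_CONF = """
# interim hardening until the package update lands
[global]
   workgroup = WORKGROUP
   NT Pipe Support = No
[share]
   path = /srv/share
"""

_SECTION = re.compile(r"^\[(.+)\]$")
_FALSE_VALUES = {"no", "false", "0"}   # Samba's accepted boolean spellings


def _normalize_key(key):
    """Samba compares parameter names case-insensitively and ignores spaces."""
    return re.sub(r"\s+", "", key).lower()


def parse_smb_conf(text):
    """Return {section_name: {normalized_key: value}} for an smb.conf text.
    Strips '#' and ';' comment lines; later duplicates override earlier ones,
    matching how Samba reads the file top to bottom."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        # An inline ';' or '#' after the value is treated as a trailing comment.
        value = re.split(r"\s[;#]", value, maxsplit=1)[0].strip()
        sections[current][_normalize_key(key)] = value.lower()
    return sections


def nt_pipe_support_disabled(text):
    """True only when the workaround is set in [global] with a false value."""
    global_section = parse_smb_conf(text).get("global", {})
    return global_section.get("ntpipesupport") in _FALSE_VALUES


if __name__ == "__main__":
    for name, conf in (("misplaced", MISPLACED_CONF), ("mitigated", MITIGATED_CONF)):
        print(name, "workaround applied:", nt_pipe_support_disabled(conf))
```

The check only covers the interim workaround from the article; a patched package remains the real fix.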
Republicans

Hackers Have Targeted Both the Trump Organization And Democrat Election Data (arstechnica.com) 223

An anonymous reader writes: Two recent news stories give new prominence to politically-motivated data breaches. Friday the Wall Street Journal reported that last year Guccifer 2.0 sent 2.5 gigabytes of Democratic Congressional Campaign Committee election data to a Republican operative in Florida, including their critical voter turnout projections. At the same time ABC News is reporting that the FBI is investigating "an attempted overseas cyberattack against the Trump Organization," adding that such an attack would make his network a high priority for government monitoring.

"In the course of its investigation," they add, "the FBI could get access to the Trump Organization's computer network, meaning FBI agents could possibly find records connected to other investigations." A senior FBI official (now retired) concedes to ABC that "There could be stuff in there that they [the Trump organization] do not want to become part of a separate criminal investigation."

It seems like everyone's talking about the privacy of their communications. Tonight the Washington Post writes that Trump's son-in-law/senior advisor Jared Kushner "discussed the possibility of setting up a secret and secure communications channel between Trump's transition team and the Kremlin, using Russian diplomatic facilities in an apparent move to shield their pre-inauguration discussions from monitoring, according to U.S. officials briefed on intelligence reports." And Friday Hillary Clinton was even quoted as saying, "I would have won had I not been subjected to the unprecedented attacks by Comey and the Russians..."
Businesses

Sean Parker Is Going To Great Lengths To Ensure 'Screening Room' Is Piracy Free, Patents Reveal (torrentfreak.com) 139

Napster co-founder Sean Parker has been working on his new service called Screening Room, which, when it becomes reality, could allow people to watch the latest Hollywood blockbusters in their living room as soon as they premiere at the box office. This week we get a glimpse at the kind of technologies Parker is using to ensure that the movies don't get distributed easily. From a report: Over the past several weeks, Screening Room Media, Inc. has submitted no less than eight patent applications related to its plans, all with some sort of anti-piracy angle. For example, a patent titled "Presenting Sonic Signals to Prevent Digital Content Misuse" describes a technology where acoustic signals are regularly sent to mobile devices, to confirm that the user is near the set-top box and is authorized to play the content. Similarly, the "Monitoring Nearby Mobile Computing Devices to Prevent Digital Content Misuse" patent describes a system that detects the number of mobile devices near the client-side device, to make sure that too many people aren't tuning in. The general technology outlined in the patents also includes forensic watermarking and a "P2P polluter." The watermarking technology can be used to detect when pirated content spreads outside of the protected network onto the public Internet. "At this point, the member's movie accessing system will be shut off and quarantined. If the abuse or illicit activity is confirmed, the member and the household will be banned from the content distribution network," the patent reads. [...] Screening Room's system also comes with a wide range of other anti-piracy scans built in. Among other things, it regularly scans the Wi-Fi network to see which devices are connected, and Bluetooth is used to check what other devices are near.
Debian

Devuan Jessie 1.0 Officially Released (softpedia.com) 228

prisoninmate quotes a report from Softpedia: Announced for the first time back in November 2014, Devuan is a Debian fork that doesn't use systemd as its init system. It took more than two and a half years for it to reach the 1.0 milestone, but the wait is now over and the Devuan 1.0.0 stable release is here. Based on the packages and software repositories of the Debian GNU/Linux 8 "Jessie" operating system, Devuan 1.0.0 "Jessie" is now considered the first stable version of the GNU/Linux distribution, which stays true to its vision of developing a free Debian OS without systemd. This release is recommended for production use. As Devuan 1.0.0 doesn't ship with systemd, several adjustments needed to be made. For example, the distro uses a systemd-free version of the NetworkManager network connection manager and includes several extra libsystemd0-free packages in its repository.
Government

Proposed Active-Defense Bill Would Allow Destruction of Data, Use of Beacon Tech (onthewire.io) 68

Trailrunner7 quotes a report from On the Wire: A bill that would allow victims of cybercrime to use active defense techniques to stop attacks and identify attackers has been amended to require victims to notify the FBI of their actions and also add an exemption to allow victims to destroy their data once they locate it on an attacker's machine. The Active Cyber Defense Certainty Act, drafted by Rep. Tom Graves (R-Ga.) in March, is designed to enable people who have been targets of cybercrime to employ certain specific techniques to trace the attack and identify the attacker. The bill defines active cyber defense as "any measure -- (I) undertaken by, or at the direction of, a victim"; and "(II) consisting of accessing without authorization the computer of the attacker to the victim's own network to gather information in order to establish attribution of criminal activity to share with law enforcement or to disrupt continued unauthorized activity against the victim's own network." After releasing an initial draft of the bill in March, Rep. Tom Graves held a public event in Georgia to collect feedback on the legislation. Based on that event and other feedback, Graves made several changes to the bill, including the addition of the notification of law enforcement and an exception in the Computer Fraud and Abuse Act for victims who use so-called beaconing technology to identify an attacker. "The provisions of this section shall not apply with respect to the use of attributional technology in regard to a defender who uses a program, code, or command for attributional purposes that beacons or returns locational or attributional data in response to a cyber intrusion in order to identify the source of the intrusion," the bill says.
Education

It's Time For Academics To Take Back Control Of Research Journals (theguardian.com) 74

Stephen Curry, a professor of structural biology at Imperial College London, has a piece on The Guardian today in which he outlines the history of the relationship between commercial interests, academic prestige and the circulation of research. An excerpt from the article: "Publish or perish" has long been the mantra of those seeking to make a success of their research career. Reputations are built on the ability to communicate something new to the world. Increasingly, however, they are determined by numbers, not by words, as universities are caught in a tangle of management targets composed of academic journal impact factors, university rankings and scores in the government's research excellence framework. The chase for metricised success has been further exacerbated by the takeover of scholarly publishing by profit-seeking commercial companies, which pose as partners but no longer seem properly in tune with academia. Evidence of the growing divergence between academic and commercial interests is visible in the secrecy around negotiations on subscription and open access charges. It's also clear from the popularity among academics of the controversial site Sci-Hub, which has made over 60m research articles freely available on the internet. Over-worked researchers could be forgiven for thinking that the time-honoured mantra has morphed to "publish, and perish anyway."
Security

DEFCON Conference To Target Voting Machines (politico.com) 105

An anonymous reader quotes a report from Politico: Hackers will target American voting machines -- as a public service, to prove how vulnerable they are. When over 25,000 of them descend on Caesar's Palace in Las Vegas at the end of July for DEFCON, the world's largest hacking conference, organizers are planning to have waiting what they call "a village" of different opportunities to test how easily voting machines can be manipulated. Some will let people go after the network software remotely, some will be broken apart to let people dig into the hardware, and some will be set up to see how a prepared hacker could fiddle with individual machines on site in a polling place through a combination of physical and virtual attacks. With all the attention on Russia's apparent attempts to meddle in American elections -- former President Barack Obama and aides have made many accusations toward Moscow, but insisted that there's no evidence of actual vote tampering -- voting machines were an obvious next target, said DEFCON founder Jeff Moss.
Censorship

FCC Won't Punish Stephen Colbert For Controversial Trump Insult (slashdot.org) 305

Earlier this month, the FCC said it would look into complaints made against The Late Show host Stephen Colbert over a homophobic joke he made about President Donald Trump. Well, it turns out the FCC is not going to levy a fine against the comedian for using the word "cock" on late-night network television, reports The Verge. From the report: "Consistent with standard operating procedure, the FCC's Enforcement Bureau has reviewed the complaints and the material that was the subject of these complaints," reads the FCC's statement, according to Variety. "The Bureau has concluded that there was nothing actionable under the FCC's rules." Helping Colbert's case was the fact that the broadcast, time delayed for incidents like these, bleeped out the questionable word and also blurred the host's mouth as he was saying it. The FCC has broad authority to regulate what can and cannot be broadcast based on legal precedent regarding obscenity laws. Yet looser rules apply during the hours of 10PM and 6AM ET, when Colbert's show airs. So it would appear that the ample self-censorship on behalf of CBS saved the program from a guilty verdict in this case.
Sony

'Sony Needs a Fresh Hit' (bloomberg.com) 123

Even as Sony's CEO Kazuo Hirai has done a remarkable job over the past five years -- taking bold decisions on the areas the company should be focusing on, and cutting efforts on those that aren't working -- his company desperately needs a fresh hit to boost its revenue and to become relevant in the mind of most, writes columnist Tim Culpan for Bloomberg. An excerpt from his article: According to a company statement Tuesday for investors' day, the key will be to "remain the 'last one inch' that delivers a sense of 'wow' to customers," expand recurring revenue, and pursue new businesses. Those three strategies are closely linked. With TV sales in decline, its Vaio PC business spun off, and its smartphones barely a blip on the radar, Sony's last inch is heavily dependent on the PlayStation. Sony's Game & Network Services business has grown at both the top and bottom lines over the past five years, but the games console business is stuck in time. [...] Sony needs to build a device that will be far more ubiquitous and can appeal to consumers beyond the current male-skewed, slowly aging hard-core gamer base. Amazon and Alphabet, with Echo and Home, are two such examples, and Apple will probably follow suit. With its background in audio, video, sensors and entertainment, Sony has all the right parts to make it happen. For the company that invented the Walkman, dreaming up another hit shouldn't be so hard.
Businesses

Nokia Uses Lawsuit To Make Apple Its Friend (bbc.com) 8

Apple has settled a patent dispute with Finnish telecom equipment maker Nokia and agreed to buy more of its network products and services. The deal means Nokia will get bigger royalties from Apple for using its mobile phone patents, helping offset the impact of waning demand for its mobile network hardware. Nokia's shares were up by seven percent following the announcement. WSJ puts things into perspective: Nokia's deal with Apple follows a highly unusual playbook: using a lawsuit to win business from your adversary (could be paywalled). When the first iPhone was unveiled a decade ago, Apple became a major competitor to the Finnish group, which was then the world's leading mobile-phone maker. As Nokia's business dwindled, the companies became legal antagonists. Now they are set to become business partners. The settlement announced Tuesday involves Apple paying Nokia a lump sum plus royalties for each device it sells using Nokia's technology. This is broadly the same kind of agreement the two sides reached in 2011 following a two-year lawsuit. The previous deal expired last year, which is why both sides launched fresh suits in December. In the aftermath of the lawsuit last year, Apple had pulled all Withings products from its stores. As part of the settlement, Apple said it will reverse that move.
IBM

Ex-IBM Employee Guilty of Stealing Secrets For China (fortune.com) 71

An anonymous reader quotes Fortune: A former developer for IBM pled guilty on Friday to economic espionage and to stealing trade secrets related to a type of software known as a clustered file system, which IBM sells to customers around the world. Xu Jiaqiang stole the secrets during his stint at IBM from 2010 to 2014 "to benefit the National Health and Family Planning Commission of the People's Republic of China," according to the U.S. Justice Department. In a press release describing the criminal charges, the Justice Department also stated that Xu tried to sell secret IBM source code to undercover FBI agents posing as tech investors. (The agency does not explain if Xu's scheme to sell to tech investors was to benefit China or to line his own pockets).

Part of the sting involved Xu demonstrating the stolen software, which speeds computer performance by distributing work across multiple servers, on a sample network. The former employee acknowledged that others would know the software had been taken from IBM, but said he could create extra computer scripts to help mask its origins.

At one point 31-year-old Xu even showed undercover FBI agents the part of the source code that identified it as coming from IBM "as well as the date on which it had been copyrighted."
Communications

Soon You'll Be Able To Build Your Own 4G Network Over Wi-Fi Frequencies (hpe.com) 52

Long-time Slashdot reader Esther Schindler writes: An industry consortium called MulteFire wants to help you build your own LTE-like network that uses the Wi-Fi spectrum, with no need for carriers or providers, writes Andy Patrizio. Just don't expect to get started today. "In its basic specification, MulteFire Release 1.0 defines an LTE-like network that can run entirely on unlicensed spectrum frequencies. The alliance didn't try to do too much with the 1.0 spec; it simply wanted to get it out the door so partners and manufacturers could begin adoption. For 1.0, the alliance focused on the 5-GHz band. More functionality and more spectrums will be supported in future specs." Why would you want it? As Patrizio explains, MulteFire's target audience is fairly obvious: anyone who needs speed, scalability, and security beyond what Wi-Fi offers. "MulteFire is enabling cellular technologies to run in unassigned spectrum, where they are free to use it so long as they follow the rules of the spectrum band," says Mazen Chmaytelli, president of the MulteFire Alliance. Is this something you think would make a difference?
The alliance includes Qualcomm and Cisco Systems, and the article points out some advantages. LTE cell towers "can be miles apart versus Wi-Fi's range of just a few feet. Plus, LTE's security has never been breached, as far as we know."
Transportation

Texas Legislature Clears Road For Uber and Lyft To Return To Austin (austinmonitor.com) 107

schwit1 shared this article from the Austin Monitor: The Texas Legislature has cleared the road for Uber and Lyft to return to Austin on their own terms. On Wednesday, the state Senate overwhelmingly approved House Bill 100 on second and third readings, sending the statewide ride-hailing regulations to Governor Greg Abbott's desk for his signature. If Abbott signs it, as he is expected to do, the new law will preempt regulations City Council passed in December 2015 that both Uber and Lyft deemed too restrictive on transportation network companies such as themselves.
The new rules still require criminal background checks, but drop the requirement for fingerprinting. "We find it unfortunate that the 36 lobbyists deployed by the Silicon Valley giants were effective in convincing the State Legislature that there was a need to overrule the Austin voters," said a local ride-sharing company, which vowed to continue operating -- and to at least continue fingerprinting their own drivers. Houston's mayor complained the new statewide rules handed down are "another example of the legislature circumventing local control to allow corporations to profit at the expense of public safety."
AI

The Working Dead: Which IT Jobs Are Bound For Extinction? (infoworld.com) 580

Slashdot reader snydeq shares an InfoWorld article identifying "The Working Dead: IT Jobs Bound For Extinction." Here are some of its predictions.
  • The president of one job leadership consultancy argues C and C++ coders will soon be as obsolete as Cobol programmers. "The entire world has gone to Java or .Net. You still find C++ coders in financial companies because their systems are built on that, but they're disappearing."
  • A data scientist at Stack Overflow "says demand for PHP, WordPress, and LAMP skills are seeing a steady decline, while newer frameworks and languages like React, Angular, and Scala are on the rise."
  • The CEO and co-founder of an anonymous virtual private network service says "The rise of Azure and the Linux takeover has put most Windows admins out of work. Many of my old colleagues have had to retrain for Linux or go into something else entirely."
  • In addition, "Thanks to the massive migration to the cloud, listings for jobs that involve maintaining IT infrastructure, like network engineer or system administrator, are trending downward, notes Terence Chiu, vice president of careers site Indeed Prime."
  • The CTO of the job site Ladders adds that Smalltalk, Flex, and Pascal "quickly went from being popular to being only useful for maintaining older systems. Engineers and programmers need to continually learn new languages, or they'll find themselves maintaining systems instead of creating new products."
  • The president of Dice.com says "Right now, Java and Python are really hot. In five years they may not be... jobs are changing all the time, and that's a real pain point for tech professionals."

But the regional dean of Northeastern University-Silicon Valley has the glummest prediction of all. "If I were to look at a crystal ball, I don't think the world's going to need as many coders after 2020. Ninety percent of coding is taking some business specs and translating them into computer logic. That's really ripe for machine learning and low-end AI."
IBM

New OS/2 Warp Operating System 'ArcaOS' 5.0 Released (arcanoae.com) 145

The long-awaited modern OS/2 distribution from Arca Noae was released Monday. martiniturbide writes: ArcaOS 5.0 is an OEM distribution of IBM's discontinued OS/2 Warp operating system. ArcaOS offers a new set of drivers for ACPI, network, USB, video and mouse to run OS/2 in newer hardware. It also includes a new OS installer and open source software like Samba, Libc libraries, SDL, Qt, Firefox and OpenOffice... It's available in two editions, Personal ($129 with an introductory price of $99 for the first 90 days [and six months of support and maintenance updates]) and Commercial ($239 with one year of support and maintenance).

The OS/2 community has been called upon to report supported hardware, open source any OS/2 software, make public as much OS/2 documentation as possible and post the important platform links. OS2World insists that open source has helped OS/2 in past years and it is time to look under the hood to try to clone internal components like Control Program, Presentation Manager, SOM and Workplace Shell.

By Tuesday Arca Noae was reporting "excessive traffic on the server which is impacting our ordering and delivery process," though the actual downloads of the OS were unaffected, the server load issues were soon mitigated, and they thanked OS/2 enthusiasts for a "truly overwhelming response."
Social Networks

Facebook Now Battles Clickbait On a Post-by-Post Basis (engadget.com) 45

Facebook is taking further steps to decrease the reach and prevalence of clickbait headlines on its social network. Facebook says it will target clickbait on an individual post level and not just by analyzing the bulk posts of a page. It will also look at two distinct signals: whether a headline "withholds information or if it exaggerates information separately." From a report: This should "more precisely" downplay the number of misleading stories cluttering your timeline, the social network says. Moreover, it's promising a more exacting approach when it looks at individual headlines. Until now, Facebook examined clickbait titles in a holistic way: it looked for both the exaggerated language ("you have to see this!") and deliberate attempts to withhold info ("eat this every day").
Security

Any Half-Decent Hacker Could Break Into Mar-a-Lago (alternet.org) 327

MrCreosote writes: Properties owned and run by the Trump Organization, including places where Trump spends much of his time and has hosted foreign leaders, are a network security nightmare. From a report via ProPublica (co-published with Gizmodo): "We parked a 17-foot motor boat in a lagoon about 800 feet from the back lawn of The Mar-a-Lago Club in Palm Beach and pointed a 2-foot wireless antenna that resembled a potato gun toward the club. Within a minute, we spotted three weakly encrypted Wi-Fi networks. We could have hacked them in less than five minutes, but we refrained. A few days later, we drove through the grounds of the Trump National Golf Club in Bedminster, New Jersey, with the same antenna and aimed it at the clubhouse. We identified two open Wi-Fi networks that anyone could join without a password. We resisted the temptation. We have also visited two of President Donald Trump's other family-run retreats, the Trump International Hotel in Washington, D.C., and a golf club in Sterling, Virginia. Our inspections found weak and open Wi-Fi networks, wireless printers without passwords, servers with outdated and vulnerable software, and unencrypted login pages to back-end databases containing sensitive information. The risks posed by the lax security, experts say, go well beyond simple digital snooping. Sophisticated attackers could take advantage of vulnerabilities in the Wi-Fi networks to take over devices like computers or smart phones and use them to record conversations involving anyone on the premises."
Power

How the Lights Have Gone Out For the People of Syria (bbc.co.uk) 126

dryriver shares an excerpt from a report via the BBC that shows what the impact of the Syrian war looks like from space: Six years of war in Syria have had a devastating effect on millions of its people. One of the most catastrophic impacts has been on the country's electricity network. Images from NASA, obtained by BBC Arabic, show clearly how the lights have gone out during the course of the conflict, leaving people to survive with little to no power. Each timelapse frame shows an average of the light emitted at night every month from 2012, one year after the war began. They show that the areas where Syrians can turn lights on at night, power their daily lives and get access to life-saving medical equipment, have shrunk dramatically. The city of Aleppo was Syria's powerhouse and home to over two million people. But the country's industrial hub became a battleground and remained so for more than four years. Russian airstrikes against Syrian rebels began in October 2015 and the timelapse shows the city in almost complete darkness at night throughout 2016, when the battle for Aleppo was at its peak. As mains power supplies dropped off, ordinary people had to be creative in finding alternative sources for light and power.