Forgot your password?
typodupeerror

Become a fan of Slashdot on Facebook

Mars

ExoLance: Shooting Darts At Mars To Find Life 50

Posted by Unknown Lamer
from the lance-it-from-orbit-just-to-be-sure dept.
astroengine (1577233) writes To find life on Mars, some scientists believe you might want to look underground for microbes that may be hiding from the harsh radiation that bathes the red planet's surface. Various NASA rovers have scraped away a few inches at a time, but the real paydirt may lie a meter or two below the surface. That's too deep for existing instruments, so a team of space enthusiasts has launched a more ambitious idea: dropping arrow-like probes from the Martian atmosphere to pierce the soil like bunker-busting bug catchers. The "ExoLance" project aims to drop ground-penetrating devices, each of which would carry a small chemical sampling test to find signs of life. "One of the benefits of doing this mission is that there is less engineering," said Chris Carberry, executive director of Explore Mars, a non-profit space advocacy group pushing the idea. "With penetrators we can engineer them to get what we want, and send it back to an orbiter. We can theoretically check out more than one site at a time. We could drop five or six, which increases the chances of finding something." They will be performing a test run in the Mojave desert to see if their design stands any chance of working.
Security

Critical Vulnerabilities In Web-Based Password Managers Found 113

Posted by samzenpus
from the protect-ya-neck dept.
An anonymous reader writes A group of researchers from University of California, Berkeley, have analyzed five popular web-based password managers and have discovered vulnerabilities that could allow attackers to learn a user's credentials for arbitrary websites. The five password managers they analyzed are LastPass, RoboForm, My1Login, PasswordBox and NeedMyPassword. "Of the five vendors whose products were tested, only the last one (NeedMyPassword) didn't respond when they contacted them and responsibly shared their findings. The other four have fixed the vulnerabilities within days after disclosure. 'Since our analysis was manual, it is possible that other vulnerabilities lie undiscovered,' they pointed out. They also announced that they will be working on a tool that automatizes the process of identifying vulnerabilities, as well as on developing a 'principled, secure-by-construction password manager.'"
Bug

Today In Year-based Computer Errors: Draft Notices Sent To Men Born In the 1800s 205

Posted by timothy
from the pa-dmv-never-did-me-any-favors-either dept.
sandbagger (654585) writes with word of a Y2K-style bug showing up in Y2K14: "The glitch originated with the Pennsylvania Department of Motor Vehicles during an automated data transfer of nearly 400,000 records. The records of males born between 1993 and 1997 were mixed with those of men born a century earlier. The federal agency didn't know it because the state uses a two-digit code to indicate birth year." I wonder where else two-digit years are causing problems; I still see lots of paper forms that haven't made the leap yet to four digits.
Bug

Bug In Fire TV Screensaver Tears Through 250 GB Data Cap 349

Posted by Unknown Lamer
from the should-have-stuck-to-xscreensaver dept.
jfruh (300774) writes Tech writer Tyler Hayes had never come close to hitting the 250 GB monthly bandwidth cap imposed by Cox Cable — until suddenly he was blowing right through it, eating up almost 80 GB a day. Using the Mac network utility little snitch, he eventually tracked down the culprit: a screensaver on his new Kindle Fire TV. A bug in the mosaic screensaver caused downloaded images to remain uncached.
Security

Are the Hard-to-Exploit Bugs In LZO Compression Algorithm Just Hype? 65

Posted by timothy
from the you'll-never-feel-it dept.
NotInHere (3654617) writes In 1996, Markus F. X. J. Oberhumer wrote an implementation of the Lempel–Ziv compression, which is used in various places like the Linux kernel, libav, openVPN, and the Curiosity rover. As security researchers have found out, the code contained integer overflow and buffer overrun vulnerabilities, in the part of the code that was responsible for processing uncompressed parts of the data. Those vulnerabilities are, however, very hard to exploit, and their scope is dependent on the actual implementation. According to Oberhumer, the problem only affects 32-bit systems. "I personally do not know about any client program that actually is affected", Oberhumer sais, calling the news about the possible security issue a media hype.
Android

KeyStore Vulnerability Affects 86% of Android Devices 71

Posted by timothy
from the that's-a-lot dept.
jones_supa (887896) writes "IBM security researchers have published an advisory about an Android vulnerability that may allow attackers to obtain highly sensitive credentials, such as cryptographic keys for some banking services and virtual private networks, and PINs or patterns used to unlock vulnerable devices. It is estimated that the flaw affects 86 percent of Android devices. Android KeyStore has a little bug where the encode_key() routine that is called by encode_key_for_uid() can overflow the filename text buffer, because bounds checking is absent. The advisory says that Google has patched only version 4.4 of Android. There are several technical hurdles an attacker must overcome to successfully perform a stack overflow on Android, as these systems are fortified with modern NX and ASLR protections. The vulnerability is still considered to be serious, as it resides in one of the most sensitive resources of the operating system."
Security

Exploiting Wildcards On Linux/Unix 215

Posted by Soulskill
from the teaching-a-new-dog-old-tricks dept.
An anonymous reader writes: DefenseCode researcher Leon Juranic found security issues related to using wildcards in Unix commands. The topic has been talked about in the past on the Full Disclosure mailing list, where some people saw this more as a feature than as a bug. There are clearly a number of potential security issues surrounding this, so Mr. Juranic provided five actual exploitation examples that stress the risks accompanying the practice of using the * wildcard with Linux/Unix commands. The issue can be manifested by using specific options in chown, tar, rsync etc. By using specially crafted filenames, an attacker can inject arbitrary arguments to shell commands run by other users — root as well.
Bug

Why Software Builds Fail 279

Posted by Soulskill
from the failure-to-bribe-the-hamster dept.
itwbennett writes: A group of researchers from Google, the Hong Kong University of Science and Technology and the University of Nebraska undertook a study of over 26 million builds by 18,000 Google engineers from November 2012 through July 2013 to better understand what causes software builds to fail and, by extension, to improve developer productivity. And, while Google isn't representative of every developer everywhere, there are a few findings that stand out: Build frequency and developer (in)experience don't affect failure rates, most build errors are dependency-related, and C++ generates more build errors than Java (but they're easier to fix).
Security

Over 300,000 Servers Remain Vulnerable To Heartbleed 74

Posted by samzenpus
from the protect-ya-neck dept.
An anonymous reader writes Even though it's been a couple months since the Heartbleed bug was discovered, many servers remain unpatched and vulnerable. "Two months ago, security experts and web users panicked when a Google engineer discovered a major bug — known as Heartbleed — that put over a million web servers at risk. The bug doesn't make the news much anymore, but that doesn't mean the problem's solved. Security researcher Robert David Graham has found that at least 309,197 servers are still vulnerable to the exploit. Immediately after the announcement, Graham found some 600,000 servers were exposed by Heartbleed. One month after the bug was announced, that number dropped down to 318,239. In the past month, however, only 9,042 of those servers have been patched to block Heartbleed. That's cause for concern, because it means that smaller sites aren't making the effort to implement a fix."
Bug

One Developer's Experience With Real Life Bitrot Under HFS+ 396

Posted by timothy
from the so-really-it's-both-plus-and-minus dept.
New submitter jackjeff (955699) writes with an excerpt from developer Aymeric Barthe about data loss suffered under Apple's venerable HFS+ filesystem. HFS+ lost a total of 28 files over the course of 6 years. Most of the corrupted files are completely unreadable. The JPEGs typically decode partially, up to the point of failure. The raw .CR2 files usually turn out to be totally unreadable: either completely black or having a large color overlay on significant portions of the photo. Most of these shots are not so important, but a handful of them are. One of the CR2 files in particular, is a very good picture of my son when he was a baby. I printed and framed that photo, so I am glad that I did not lose the original. (Barthe acknowledges that data loss and corruption certainly aren't limited to HFS+; "bitrot is actually a problem shared by most popular filesystems. Including NTFS and ext4." I wish I'd lost only 28 files over the years.)
Bug

European iPhone Chargers Prone To Overheating 128

Posted by Soulskill
from the marketed-as-the-only-incendiary-device-you'll-ever-need dept.
jones_supa sends word that Apple has launched an exchange program for European iPhone USB power adapters. The company says its A1300 adapters were bundled with the iPhone 3GS, iPhone 4, and iPhone 4S models, and were also sold on their own from Oct. 2009 to Sept. 2012. The reason for the recall is that the adapters "may overheat and pose a safety risk." No further details are provided (a YouTube video shows a teardown of the device).
Security

Project Un1c0rn Wants To Be the Google For Lazy Security Flaws 43

Posted by Unknown Lamer
from the always-blame-wordpress dept.
Daniel_Stuckey (2647775) writes "Following broad security scares like that caused by the Heartbleed bug, it can be frustratingly difficult to find out if a site you use often still has gaping flaws. But a little known community of software developers is trying to change that, by creating a searchable, public index of websites with known security issues. Think of Project Un1c0rn as a Google for site security. Launched on May 15th, the site's creators say that so far it has indexed 59,000 websites and counting. The goal, according to its founders, is to document open leaks caused by the Heartbleed bug, as well as 'access to users' databases' in Mongo DB and MySQL. According to the developers, those three types of vulnerabilities are most widespread because they rely on commonly used tools. For example, Mongo databases are used by popular sites like LinkedIn, Expedia, and SourceForge, while MySQL powers applications such as WordPress, Drupal or Joomla, and are even used by Twitter, Google and Facebook."
Bug

SpaceX Landing Video Cleanup Making Progress 54

Posted by timothy
from the from-worse-to-bad dept.
Maddog Batty (112434) writes 'The fine people at the NASA Space Flight Forum are making good progress on restoring the corrupted landing video reported earlier. It worth looking at the original video to see how bad it was and then at the latest restored video. It is now possible to see the legs being deployed, the sea coming closer and a big flame ball as the rocket plume hits the water. An impressive improvement so far and it is still being actively worked on so further refinements are likely.' Like Maddog Batty, I'd suggest watching the restored version first (note: the video is lower on the page), to see just what a big improvement's been made so far.
Encryption

GnuTLS Flaw Leaves Many Linux Users Open To Attacks 127

Posted by Soulskill
from the with-many-eyes-all-maintainers-are-grumpy dept.
A new flaw has been discovered in the GnuTLS cryptographic library that ships with several popular Linux distributions and hundreds of software implementations. According to the bug report, "A malicious server could use this flaw to send an excessively long session id value and trigger a buffer overflow in a connecting TLS/SSL client using GnuTLS, causing it to crash or, possibly, execute arbitrary code." A patch is currently available, but it will take time for all of the software maintainers to implement it. A lengthy technical analysis is available. "There don't appear to be any obvious signs that an attack is under way, making it possible to exploit the vulnerability in surreptitious "drive-by" attacks. There are no reports that the vulnerability is actively being exploited in the wild."
Security

Heartbleed Bug Exploited Over Extensible Authentication Protocol 44

Posted by samzenpus
from the protect-ya-neck dept.
wiredmikey (1824622) writes "While most organizations have patched the Heartbleed bug in their OpenSSL installations, a security expert has uncovered new vectors for exploiting the vulnerability, which can impact enterprise wireless networks, Android devices, and other connected devices. Dubbed 'Cupid,' the new attack method was recently presented by Portuguese security researcher Luis Grangeia, who debunked theories that Heartbleed could only be exploited over TCP connections, and after the TLS handshake. Unlike the initial Heartbleed attack, which took place on TLS connections over TCP, the Cupid attack happens on TLS connections over the Extensible Authentication Protocol (EAP), an authentication framework typically used in wireless networks and peer-to-peer connections.

The researcher has confirmed that default installations of wpa_supplicant, hostapd, and freeradius (RADIUS server implementation) can be exploited on Ubuntu if a vulnerable version of OpenSSL is utilized. Mobile devices running Android 4.1.0 and 4.1.1 also use wpa_supplicant to connect to wireless networks, so they're also affected. Everything that uses OpenSSL for EAP TLS is susceptible to Cupid attacks. While he hasn't been able to confirm it, the expert believes iPhones, iPads, OS X, other RADIUS servers besides freeradius, VoIP phones, printers, and various commercial managed wireless solutions could be affected."
Encryption

OpenSSL To Undergo Security Audit, Gets Cash For 2 Developers 132

Posted by timothy
from the can-we-send-them-snacks? dept.
Trailrunner7 (1100399) writes "Scarcely a month after announcing the formation of a group designed to help fund open source projects, the Core Infrastructure Initiative has decided to provide the OpenSSL Project with enough money to hire two full-time developers and also will fund an audit of OpenSSL by the Open Crypto Audit Project. The CII is backed by a who's who of tech companies, including Google, Microsoft, IBM, the Linux Foundation, Facebook and Amazon, and the group added a number of new members this week, as well. Adobe, Bloomberg, HP Huawei and Salesforce.com have joined the CII and will provide financial backing. Now, the OCAP team, which includes Johns Hopkins professor and cryptographer Matthew Green, will have the money to fund an audit of OpenSSL, as well. OpenSSL took a major hit earlier this year with the revelation of the Heartbleed vulnerability, which sent the Internet into a panic, as the software runs on more than 60 percent of SSL-protected sites."
Security

Bug In DOS-Based Voting Machines Disrupts Belgian Election 193

Posted by samzenpus
from the slowing-things-down dept.
jfruh (300774) writes "In 20 cantons in Belgium's Flanders region, voting machines are x86 PCs from the DOS era, with two serial ports, a parallel port, a paltry 1 megabyte of RAM and a 3.5-inch disk drive used to load the voting software from a bootable DOS disk. A software bug in those machines is slowing the release of the results from yesterday's election, in which voters chose members of the regional, national, and European parliaments. The remaining voting machines, which are Linux-based, are unaffected, as were voters in the French-speaking Wallonia region of the country, most of whom use paper ballots."
Microsoft

New IE 8 Zero Day Discovered 134

Posted by samzenpus
from the no-shortage dept.
Trailrunner7 (1100399) writes "Researchers have disclosed a new zero day vulnerability in Internet Explorer 8 that could enable an attacker to run arbitrary code on vulnerable machines via drive-by downloads or malicious attachments in email messages. The vulnerability was discovered and disclosed to Microsoft in October, but the company has yet to produce a patch, so HP's Zero Day Initiative, which is handling the bug, published its advisory Wednesday. The ZDI has a policy of disclosing vulnerability details after 180 days if the vendor hasn't produced a patch. The use-after-free flaw lies in the way that IE handles CMarkup objects, and ZDI's advisory says that an attacker can take advantage of it to run arbitrary code."
Bug

The 69 Words GM Employees Can Never Say 373

Posted by timothy
from the ok-and-you-can't-say-that-number-either dept.
bizwriter (1064470) writes "General Motors put together its take on a George Carlin list of words you can't say. Engineering employees were shown 69 words and phrases that were not to be used in emails, presentations, or memos. They include: defect, defective, safety, safety related, dangerous, bad, and critical. You know, words that the average person, in the context of the millions of cars that GM has recalled, might understand as indicative of underlying problems at the company. Oh, terribly sorry, 'problem' was on the list as well."

Real programs don't eat cache.

Working...