Graphics

Do We Need More Emojis?

mikejuk writes to note that the Unicode Consortium has accepted 38 new emoji characters as candidates for Unicode 9.0, including characters depicting bacon and a duck. "Why could we possibly need a duck? Many of the new characters are the 'other half' of gender-matched pairs, so the Dancer emoji (which is usually rendered as Apple's salsa dancing woman) gets a Man Dancing emoji, who frankly looks like a cross between John Travolta in Saturday Night Fever and your dad at the wedding disco. ... Other additions include carrot, cucumber, and avocado, and bacon. ... The list of additions is rounded off with new animal emojis. Some are the 'missing' zodiac symbols (lion and crab). Others are as baffling as ever – is there *really* a demand for a mallard duck? Sorry: it's in fact a drake!"
Security

Abusing Symbolic Links Like It's 1999

An anonymous reader writes with this snippet from James Forshaw's recent post at Google's Project Zero, which begins: "For the past couple of years I've been researching Windows elevation of privilege attacks. This might be escaping sandboxing or gaining system privileges. One of the techniques I've used multiple times is abusing the symbolic link facilities of the Windows operating system to redirect privileged code to create files or registry keys to escape the restrictive execution context. Symbolic links in themselves are not vulnerabilities, instead they're useful primitives for exploiting different classes of vulnerabilities such as resource planting or time-of-check time-of-use." Click through that link to see examples of this abuse in action, but also information about how the underlying risks have been (or can be) mitigated.
Security

Systemd Absorbs "su" Command Functionality

jones_supa writes: With a pull request, systemd now supports su command functionality and can create privileged sessions that are fully isolated from the original session. The su command is seen as bad because what it is supposed to do is ambiguous. On one hand it's supposed to open a new session and change a number of execution context parameters, and on the other it's supposed to inherit a lot of concepts from the originating session. Lennart Poettering's long story short: "`su` is really a broken concept. It will give you kind of a shell, and it's fine to use it for that, but it's not a full login, and shouldn't be mistaken for one." The replacement command provided by systemd is machinectl shell.
Transportation

Uber Hires Hackers Who Remotely Killed a Jeep

An anonymous reader writes: The past several weeks have been rife with major vulnerabilities in modern cars, but none were so dramatic as when Charlie Miller and Chris Valasek tampered with the systems on a moving Jeep Cherokee. Now, Miller and Valasek have left their jobs to join a research laboratory for Uber. It's the same lab that became home for a number of autonomous vehicle experts poached from Carnegie Mellon University. From the article: "As Uber plunges more deeply into developing or adapting self-driving cars, Miller and Valasek could help the company make that technology more secure. Uber envisions autonomous cars that could someday replace its hundreds of thousands of contract drivers. The San Francisco company has gone to top-tier universities and research centers to build up this capability."
Security

Symantec Researchers Find 49 New Modules of Regin Spying Tool

itwbennett writes: Security researchers from Symantec have identified 49 more modules (bringing the total number found so far to 75) of the sophisticated Regin cyberespionage platform that many believe is used by the U.S. National Security Agency and its close allies. Some of the modules implement basic malware functions, while other modules are much more specialized and built with specific targets in mind. 'One module was designed to monitor network traffic to Microsoft Internet Information Services (IIS) web servers, another was observed collecting administration traffic for mobile telephony base station controllers, while another was created specifically for parsing mail from Exchange databases,' the Symantec researchers said in an updated version of their white paper (PDF) published Thursday.
Privacy

Ashley Madison CEO Steps Down, Reporter Finds Clues To Hacker's Identity

Dave Knott writes: Following the recent hacks on the infidelity website Ashley Madison, Noel Biderman has stepped down as CEO of both AshleyMadison.com and its parent company. Avid Life Media Inc., the company that owns the site and many others, announced Biderman's move in a short press release on Friday: "Noel Biderman, in mutual agreement with the company, is stepping down as chief executive officer of Avid Life Media Inc. (ALM) and is no longer with the company. Until the appointment of a new CEO, the company will be led by the existing senior management team." Before the data hack, the company was planning an IPO in London that would have taken in as much as $200 million from investors. According to regulatory filings, the company had $115 million in revenue last year, more than four times the amount it obtained in 2009.

Meanwhile, in related news, Brian Krebs (the reporter who first uncovered the hack) says he has uncovered clues to the possible identity of the hacker. Krebs says he noticed the Twitter account operated by a known hacker recently posted a link to Ashley Madison's stolen proprietary source code before it was made public. Intrigued by the poster's apparent access, he examined the account's posting history and noticed a predilection for the music of Australian hard rock band AC/DC. This jibes with the behavior of the hacker(s), who had displayed threatening messages on the computers of Ashley Madison employees, accompanied by the AC/DC song Thunderstruck. In a series of tweets, the owner of the account, one Thadeus Zu, appears to deny that he was behind the hack, and indeed makes several suggestions that the account itself isn't even run by one person, but is instead an amalgam of like-minded digital vigilantes.
The NY Times also reports that people whose details were contained in the leak are beginning to face threats of blackmail.
Chrome

Chrome To Freeze Flash Ads On Sight From September 1

An anonymous reader writes: Shaun Nichols from the Register reports that unimportant Flash content will be click-to-play by default in Google Chrome from September 1. He writes, "Google is making good on its promise to strangle Adobe Flash's ability to auto-play in Chrome. The web giant has set September 1, 2015 as the date from which non-important Flash files will be click-to-play in the browser by default – effectively freezing out 'many' Flash ads in the process. Netizens can right-click over the security-challenged plugin and select 'Run this' if they want to unfreeze an ad. Otherwise, the Flash files will remain suspended in a grey box, unable to cause any harm nor any annoyance."
Businesses

Ask Slashdot: Advice On Enterprise Architect Position

dave562 writes: I could use some advice from the community. I have almost 20 years of IT experience, 5 of it with the company I am currently working for. In my current position, the infrastructure and applications that I am responsible for account for nearly 80% of the entire IT infrastructure of the company. In broad strokes our footprint is roughly 60 physical hosts that run close to 1500 VMs and a SAN that hosts almost 4PB of data. The organization is a moderate sized (~3000 employees), publicly traded company with a nearly $1 billion market value (recent fluctuations notwithstanding).

I have been involved in a constant struggle with the core IT group over how to best run the operations. They are a traditional, internal facing IT shop. They have stumbled through a private cloud initiative that is only about 30% realized. I have had to drag them kicking and screaming into the world of automated provisioning, IaaS, application performance monitoring, and all of the other IT "must haves" that a reasonable person would expect from a company of our size. All the while, I have never had full access to the infrastructure. I do not have access to the storage. I do not have access to the virtualization layer. I do not have Domain Admin rights. I cannot see the network.

The entire organization has been hamstrung by an "enterprise architect" who relies on consultants to get the job done, but does not have the capability to properly scope the projects. This has resulted in failure after failure and a broken trail of partially implemented projects. (VMware without SRM enabled. EMC storage hardware without automated tiering enabled. Numerous proof of concept systems that never make it into production because they were not scoped properly.)

After 5 years of succeeding in the face of all of these challenges, the organization has offered me the Enterprise Architect position. However, they do not think that the position should have full access to the environment. It is an "architecture" position and not a "sysadmin" position, is how they explained it to me. That seems insane. It is like asking someone to draw a map without being able to actually visit the place that needs to be mapped.

For those of you in the community who have similar positions, what is your experience? Do you have unfettered access to the environment? Are purely architectural / advisory roles the norm at this level?
Advertising

Inside the Booming, Unhinged, and Dangerous Malvertising Menace

mask.of.sanity writes: The Register has a feature on the online malicious advertising (malvertising) menace that has become an explosively potent threat to end-user security on the internet. Experts say advertising networks and exchanges need to vet their customers, and publishers need to vet the third party content they display. Users should also consider script and ad blockers in the interim. From the article: "Ads as an attack vector was identified in 2007 when security responders began receiving reports of malware hitting user machines as victims viewed online advertisements. By year's end William Salusky of the SANS Internet Storms Centre had concocted a name for the attacks. Since then malvertising has exploded. This year it increased by more than 260 percent on the previous year, with some 450,000 malicious ads reported in the first six months alone, according to numbers by RiskIQ. Last year, security firm Cyphort found a 300 percent increase in malvertising. In 2013, the Online Trust Alliance logged a more than 200 percent increase in malvertising incidents compared to 2012, serving some 12.4 billion malvertisement impressions."
Security

Most Healthcare Managers Admit Their IT Systems Have Been Compromised

Lucas123 writes: Eighty-one percent of healthcare IT managers say their organizations have been compromised by at least one malware, botnet or other kind of cyber attack during the past two years, and only half of those managers feel that they are adequately prepared to prevent future attacks, according to a new survey by KPMG. The KPMG survey polled 223 CIOs, CTOs, chief security officers and chief compliance officers at healthcare providers and health plans, and found 65% indicated malware was the most frequently reported line of attack during the past 12 to 24 months. Additionally, those surveyed indicated the areas with the greatest vulnerabilities within their organization include external attackers (65%), sharing data with third parties (48%), employee breaches (35%), wireless computing (35%) and inadequate firewalls (27%). Top among the reasons healthcare facilities are facing increased risk was the adoption of digital patient records and the automation of clinical systems.
Communications

A "Public Health" Approach To Internet of Things Security

New submitter StewBeans writes: Guaranteeing your personal privacy in an era when more and more devices are connecting our daily lives to the Internet is becoming increasingly difficult to do. David Bray, CIO of the FCC, emphasizes the exponential growth we are facing by comparing the Internet we know today to a beachball, and the Internet of Everything future to the Sun. Bray says unless you plan to unplug from the Internet completely, every consumer needs to assume some responsibility for the security and overall health of the Internet of Everything. He says this might look similar to public health on the consumer side — the digital equivalent of hand washing — and involve an open, opt-in model for the rapid detection of abnormal trends across global organizations and networks.
Graphics

AMD Unveils Radeon R9 Nano, Targets Mini ITX Gaming Systems With a New Fury

MojoKid writes: AMD today added a third card to its new Fury line that's arguably the most intriguing of the bunch, the Radeon R9 Nano. True to its name, the Nano is a very compact card, though don't be fooled by its diminutive stature. Lurking inside this 6-inch graphics card is a Fiji GPU core built on a 28nm manufacturing process paired with 4GB of High Bandwidth Memory (HBM). It's a full 1.5 inches shorter than the standard Fury X, and unlike its liquid cooled sibling, there's no radiator and fan assembly to mount. The Fury Nano sports 64 compute units with 64 stream processors each for a total of 4,096 stream processors, just like Fury X. It also has an engine clock of up to 1,000MHz and pushes 8.19 TFLOPs of compute performance. That's within striking distance of the Fury X, which features a 1,050MHz engine clock at 8.6 TFLOPs. Ars Technica, too, takes a look at the new Nano.
Operating Systems

Contiki 3.0 Released, Retains Support For Apple II, C64

An anonymous reader writes that on Wednesday the Contiki team announced the release of Contiki 3.0, the latest version of the open source IoT operating system. The 3.0 release is a huge step up from the 2.x branch and brings support for new and exciting hardware, a set of new network protocols, a bunch of improvements in the low-power mesh networking protocols, along with a large number of general stability improvements. And, yes, the system still runs on the Commodore 64/128, Apple II, Atari.
Programming

In Praise of the Solo Programmer

HughPickens.com writes: Jean-Louis Gassée writes that once upon a time, we were awestruck by the solo programmer who could single-handedly write a magnum opus on a barebones machine like the Apple ][ with its 64 kilobytes of memory and an 8-bit processor running at 1MHz. One such giant was Paul Lutus, known as the Oregon Hermit, who won a place next to Jobs and Wozniak in the Bandley Drive Hall of Fame for his Apple Writer word processor. "Those were the days. Computers and their operating systems were simple and the P in Personal Computers applied to the programmer," writes Gassée. "There's no place for a 2015 Paul Lutus. But are things really that dire?"

As it turns out, the size and complexity of operating systems and development tools do not pose completely insurmountable obstacles; there are still programs of hefty import authored by one person. One such example is Preview, Mac's all-in-one file viewing and editing program. The many superpowers of Apple's Preview do justice to the app's power and flexibility, authored by a solo, unnamed programmer who has been at it since the NeXT days. Newer than Preview but no less ambitious is Gus Mueller's Acorn, an "Image Editor for Humans", now in version 5 at the Mac App Store. Mueller calls his Everett, WA company a mom and pop shop because his spouse Kristin does the documentation when she isn't working as a Physical Therapist. Gus recently released Acorn 5, fixing hundreds of minor bugs and annoyances. "It took months and months of work, it was super boring and mind numbing and it was really hard to justify, and it made Acorn 5 super late," writes Mueller. "But we did it anyway, because something in us felt that software quality has been going downhill in general, and we sure as heck weren't going to let that happen to Acorn."
Verizon

Verizon Retrofits Vintage Legacy Vehicles With Smart Features

An anonymous reader writes: Verizon has released an after-market system called Hum that can bring 'smart' features to 150 million existing cars of various vintages going as far back as 1999. The system consists of an on-board diagnostic (OBD) reader plugged into the vehicle's OBD port and a Bluetooth-enabled device clipped to the visor. It's the presence of the OBD port that limits the maximum age of the car to 1996. Hum comes with an app, and enables features such as automatic accident reporting, roadside assistance services and the tracking of stolen cars. The service will cost $14.99 per month via subscription.
IBM

IBM Tells Administrators To Block Tor On Security Grounds

Mickeycaskill writes: IBM says Tor is increasingly being used to scan organizations for flaws and launch DDoS, ransomware and other attacks. Tor, which provides anonymity by obscuring the real point of origin of Internet communications, was in part created by the US government, which helps fund its ongoing development, due to the fact that some of its operations rely on the network. However, the network is also widely used for criminal purposes. A report by IBM says administrators should block access to Tor, noting a "steady increase" in attacks originating from Tor exit nodes, with attackers increasingly using Tor to disguise botnet traffic. "Spikes in Tor traffic can be directly tied to the activities of malicious botnets that either reside within the Tor network or use the Tor network as transport for their traffic," said IBM. "Allowing access between corporate networks and stealth networks can open the corporation to the risk of theft or compromise, and to legal liability in some cases and jurisdictions."
AT&T

AT&T Hotspots Now Injecting Ads

An anonymous reader writes: Computer scientist Jonathan Mayer did some investigating after seeing some unexpected ads while he browsed the web at an airport (Stanford hawking jewelry? The FCC selling shoes?). He found that AT&T's public Wi-Fi hotspot was messing with HTTP traffic, injecting advertisements using a service called RaGaPa. As an HTML page loads over HTTP, the hotspot adds an advertising stylesheet, injects a simple advertisement image (as a backup), and then injects two scripts that control the loading and display of advertising content. Mayer writes, "AT&T has an (understandable) incentive to seek consumer-side income from its free Wi-Fi service, but this model of advertising injection is particularly unsavory. Among other drawbacks: It exposes much of the user's browsing activity to an undisclosed and untrusted business. It clutters the user's web browsing experience. It tarnishes carefully crafted online brands and content, especially because the ads are not clearly marked as part of the hotspot service. And it introduces security and breakage risks, since website developers generally don't plan for extra scripts and layout elements."
Android

Many Android Users Susceptible To Plug-In Exploit -- And Many Of Them Have It

Ars Technica reports that a recently reported remote access vulnerability in Android is no longer just theoretical, but is being actively exploited. After more than 100,000 downloads of a scanning app from Check Point to evaluate users' risk from the attack, says Ars, "In a blog post published today, Check Point researchers share a summary of that data—a majority (about 58 percent) of the Android devices scanned were vulnerable to the bug, with 15.84 percent actually having a vulnerable version of the remote access plug-in installed. The brand with the highest percentage of devices already carrying the vulnerable plug-in was LG—over 72 percent of LG devices scanned in the anonymized pool had a vulnerable version of the plug-in."
Bug

Backwards S-Pen Can Permanently Damage Note 5

tlhIngan writes: Samsung recently released a new version of its popular Galaxy Note series phablet, the Note 5. However, it turns out that there is a huge design flaw in the design of its pen holder (which Samsung calls the S-pen). If you insert it backwards (pointy end out instead of in), it's possible for it to get stuck, damaging the S-pen detection features. While it may be possible to fix it (Ars Technica was able to, Android Police was not), there's also a chance that your pen is also stuck the wrong way in permanently, as the mechanism that holds the pen in grabs the wrong end and doesn't let go.
Businesses

Ask Slashdot: New Employee System Access Tracking?

New submitter mushero writes: We are a fast-growing IT services company with dozens of systems, SaaS tools, dev tools and systems, and more that a new employee might need access to. We struggle to track this, both in terms of what systems a given set of roles will need and then whether it has been done, as different people manage various systems. And of course the reverse when an employee leaves. Every on-boarding or HR system we've looked at has zero support for this; they are great at getting tax info, your home address, etc. but not for getting you a computer nor access to a myriad of systems. I know in a perfect world it'd all be single-sign-on, but that's not realistic yet and we have many, many SaaS services that will never integrate. So what have you used for this, how do you track new employee access across dozens of systems, hundreds of employees, new hires every day, etc.?