Bug

Bugs Allowed Hackers To Make Malware Look Like Apple Software (vice.com) 72

An anonymous reader shares a report: For years, hackers could hide malware alongside legitimate Apple code and sneak it past several popular third-party security products for Mac computers, according to new research. This is not a flaw in MacOS but an issue in how third-party security tools implemented Apple's APIs. A researcher from security firm Okta found that several security products for Mac -- including Little Snitch, xFence, and Facebook's OSquery -- could be tricked into believing malware was Apple code, and let it past their defenses. "I can take malicious code and make it look like it's signed by Apple," Josh Pitts, the security researcher at Okta who discovered these bugs, told Motherboard. In a blog post published Tuesday, Pitts explained that the issue lies with how the third-party security tools implemented Apple's code-signing APIs when dealing with Mac's executable files known as Universal or Fat files.
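The Fat-file issue described above comes down to a verifier that inspects one slice of a Universal binary and vouches for the whole file. The following is an added example, not Okta's research code or code from any of the products named: it parses the Fat header (uint32 magic, uint32 nfat_arch, then one 20-byte fat_arch record per slice, all big-endian) and contrasts a first-slice-only rule with an all-slices rule. The per-slice verifier is a constructed stand-in that looks for a marker string; a real tool would hand each slice to Apple's Security framework. The sample binaries are assembled by the fixture builder, not taken from a real system.

```python
"""Enumerate the slices of a Mach-O Universal (Fat) binary and contrast a
first-slice-only trust rule with an all-slices rule. Added example, not
Okta's or Apple's code; the per-slice verifier and sample binaries are constructed."""
import struct

FAT_MAGIC = 0xCAFEBABE                    # Universal binary magic, big-endian on disk
MH_MAGIC_64_LE = b"\xcf\xfa\xed\xfe"      # 64-bit Mach-O magic as stored on little-endian hosts
CPU_TYPE_I386, CPU_TYPE_X86_64, CPU_TYPE_ARM64 = 0x7, 0x01000007, 0x0100000C
CPU_TYPE_NAMES = {CPU_TYPE_I386: "i386", CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}

def parse_fat(data):
    """Return [(cputype, offset, size), ...] for every slice, in header order.
    Header: uint32 magic, uint32 nfat_arch, then per slice a 20-byte fat_arch
    record (cputype, cpusubtype, offset, size, align), all big-endian."""
    if len(data) < 8:
        raise ValueError("too short for a fat header")
    magic, nfat_arch = struct.unpack(">II", data[:8])
    if magic != FAT_MAGIC:
        raise ValueError("not a fat binary")
    slices, pos = [], 8
    for _ in range(nfat_arch):
        if len(data) < pos + 20:
            raise ValueError("truncated fat_arch table")
        cputype, _subtype, offset, size, _align = struct.unpack(">iiIII", data[pos:pos + 20])
        if offset + size > len(data):
            raise ValueError("slice extends past end of file")
        slices.append((cputype, offset, size))
        pos += 20
    return slices

def slice_bytes(data, entry):
    """Raw bytes of one slice, given its (cputype, offset, size) entry."""
    _, offset, size = entry
    return data[offset:offset + size]

def describe(data):
    """Human-readable architecture list for a Fat binary."""
    return [CPU_TYPE_NAMES.get(c, hex(c)) for c, _, _ in parse_fat(data)]

def verify_first_slice_only(data, verify_slice):
    """Flawed pattern: vouch for the whole file on the strength of slice 0."""
    return verify_slice(slice_bytes(data, parse_fat(data)[0]))

def verify_all_slices(data, verify_slice):
    """Every slice must verify on its own: the kernel runs whichever one
    matches the CPU, so an unchecked slice is an unchecked executable."""
    slices = parse_fat(data)
    return bool(slices) and all(verify_slice(slice_bytes(data, s)) for s in slices)

def toy_verify(slice_data):
    """Constructed stand-in for a signature check; a real tool would hand each
    slice to the Security framework. Accepts a Mach-O carrying our marker."""
    return slice_data[:4] == MH_MAGIC_64_LE and b"signed:apple" in slice_data

def build_fat(slices):
    """Assemble a Universal binary from (cputype, payload) pairs (constructed fixture)."""
    header_len = 8 + 20 * len(slices)
    archs, body, offset = b"", b"", header_len
    for cputype, payload in slices:
        archs += struct.pack(">iiIII", cputype, 3, offset, len(payload), 0)
        body += payload
        offset += len(payload)
    return struct.pack(">II", FAT_MAGIC, len(slices)) + archs + body
```

Whatever signature API a tool calls, its policy layer has to treat a Universal binary as a set of independent images: a clean first slice says nothing about the one the kernel will actually execute on a different CPU.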
Patents

Inventor Says Google Is Patenting His Public Domain Work (arstechnica.com) 164

Rob Riggs writes: Jarek Duda, the inventor of a compression technique called asymmetric numeral systems (ANS), dedicated the invention to the public domain. Since 2014, Facebook, Apple, and Google have all created software based on his breakthrough. Google is now trying to patent a video encoding scheme using the compression technique. The inventor is fighting Google in the European courts and has won a preliminary ruling. The fight's not over and Google is also seeking a patent with the USPTO. A Google spokesperson says Duda came up with a theoretical concept that isn't directly patentable, "while Google's lawyers are seeking to patent a specific application of that theory that reflects additional work by Google's engineers," reports Ars Technica. "But Duda says he suggested the exact technique Google is trying to patent in a 2014 email exchange with Google engineers."
Transportation

Tesla's Autopilot To Get 'Full Self-Driving Feature' In August (reuters.com) 180

Earlier today, Tesla CEO Elon Musk tweeted that its Autopilot driver assistance system will get full self-driving features following a software upgrade in August. Reuters reports: Autopilot, a form of advanced cruise control, handles some driving tasks and warns those behind the wheel they are always responsible for the vehicle's safe operation. But a spate of recent crashes has brought the system under regulatory scrutiny. "To date, Autopilot resources have rightly focused entirely on safety. With V9, we will begin to enable full self-driving features," Musk tweeted on Sunday, replying to a Twitter user.

Musk said the autopilot issue during lane-merging is better in the current software and will be fully fixed in the August update. However, it was not clear what self-driving features would be included in the August update. Tesla's documentation on its website about the "full self-driving capabilities" package says that it is not possible to know exactly when each element of the functionality will be available, as this is highly dependent on local regulatory approval.

Bitcoin

Apple's App Store Officially Bans Cryptocurrency Mining (venturebeat.com) 38

Apple has updated the App Store's Review Guidelines to explicitly ban on-device mining across any type of app, and all of Apple's platforms. The new section 3.1.5 (b), titled Cryptocurrencies, provides five clear rules for what will and won't be allowed in macOS, iOS, tvOS, and watchOS apps going forward. VentureBeat reports: The upshot of the new rules is that while Apple will permit cryptocurrencies to exist on its platforms, it's adding requirements to stop scammers and individuals from exploiting App Store customers, while making explicit that it's blocking developers from eating Apple device processing power for mining activities. As AppleInsider notes, the Review Guidelines were previously less concerned with cryptocurrencies, allowing an app to facilitate crypto and ICO transactions if it complied with the laws in the app's distributed territories.

Since the App Store is virtually the only place to acquire software for iPhones, iPads, iPod touches, Apple TVs, and Apple Watches, Apple's decision will effectively end crypto mining on those devices. On macOS, however, users will continue to be able to acquire apps outside of the Mac App Store, enabling mining and other activities to continue without Apple's seal of approval.

Math

Canada's 'Random' Immigration Lottery Uses Microsoft Excel, Which Isn't Actually Random (gizmodo.com) 224

An anonymous reader writes: Last year, Canada introduced a new lottery system used to extend permanent-resident status to the parents and grandparents of Canadian citizens. The process was designed to randomly select applicants in order to make the process fairer than the old first-come, first-served system. There's just one problem: the software used to run the lottery isn't actually random. The Globe and Mail reported the Immigration, Refugees and Citizenship Canada (IRCC) uses Microsoft Excel to run the immigration lottery to select 10,000 people for permanent resident status from a field of about 100,000 applications received each year. Experts warned that the random number generating function in Excel isn't actually random and may put some applicants at a disadvantage.

First, it's best to understand just how the lottery system works. An Access to Information request filed by The Globe and Mail shows that IRCC inputs the application number for every person entering the lottery into Excel, then assigns them a random number to each using a variation of the program's RAND command. They then sort the list from smallest to largest based on the random number assigned and take the first 10,000 applications with the lowest numbers. The system puts a lot of faith in Excel's random function, which it might not deserve. According to Universite de Montreal computer science professor Pierre L'Ecuyer, Excel is "very bad" at generating random numbers because it relies on an old generator that is out of date. He also warned that Excel doesn't pass statistical tests and is less random than it appears, which means some people in the lottery may actually have a lower chance of being selected than others.
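The procedure above (one random key per applicant, sort ascending, take the first 10,000) is easy to reproduce, and so is the failure mode the experts warn about. The following is an added example, not IRCC's spreadsheet or any code from The Globe and Mail's reporting: it runs the same sort-by-key lottery with the operating system's CSPRNG, then runs it again with a constructed toy generator that repeats a short sequence of values, and measures how far each applicant's observed win rate drifts from the expected one. The applicant numbers are constructed, and the toy generator is a deliberately broken stand-in, not a model of Excel's RAND.

```python
"""Sort-by-random-key lottery (the procedure described above) run with a
CSPRNG, plus a frequency check that exposes a weak generator.
Added example; the generators and applicant numbers are constructed."""
import random
from collections import Counter

class TinyPeriodGenerator:
    """Constructed stand-in for a bad generator: it cycles through ten fixed
    values forever, so applicants keep getting the same keys. Not Excel's RAND."""
    def __init__(self):
        self._values = [0.71, 0.13, 0.55, 0.92, 0.30, 0.64, 0.08, 0.47, 0.86, 0.22]
        self._i = 0

    def random(self):
        value = self._values[self._i % len(self._values)]
        self._i += 1
        return value

def fair_rng():
    """Keys drawn from the OS CSPRNG (os.urandom underneath)."""
    return random.SystemRandom()

def run_lottery(applicants, winners, rng):
    """Give every applicant a key from rng.random(), sort ascending, keep the
    first `winners`. Python's sort is stable, so tied keys fall back to input
    order, which silently favours earlier entries whenever keys collide."""
    keyed = [(rng.random(), app) for app in applicants]
    keyed.sort(key=lambda pair: pair[0])
    return [app for _, app in keyed[:winners]]

def selection_rates(applicants, winners, rng, trials):
    """Repeat the lottery `trials` times; return each applicant's observed win rate."""
    counts = Counter()
    for _ in range(trials):
        counts.update(run_lottery(applicants, winners, rng))
    return {app: counts[app] / trials for app in applicants}

def max_bias(applicants, winners, rng, trials):
    """Largest |observed - expected| win rate, expected being winners/len(applicants).
    A sound generator keeps this near zero; a short-period one does not."""
    expected = winners / len(applicants)
    rates = selection_rates(applicants, winners, rng, trials)
    return max(abs(rate - expected) for rate in rates.values())

if __name__ == "__main__":
    apps = [f"APP{n:05d}" for n in range(1, 51)]   # constructed application numbers
    print("CSPRNG max bias:      ", round(max_bias(apps, 10, fair_rng(), 2000), 3))
    print("tiny-period max bias: ", round(max_bias(apps, 10, TinyPeriodGenerator(), 200), 3))
```

Two points carry over to any lottery of this shape: the generator must be one that passes statistical tests (a CSPRNG is the simplest defensible choice), and ties must be broken by something other than row order, since a stable sort hands every collision to whoever was entered first.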

Security

Hackers Stole Over $20 Million From Misconfigured Ethereum Clients (bleepingcomputer.com) 65

Catalin Cimpanu, writing for BleepingComputer: A group of hackers has stolen over $20 million worth of Ethereum from Ethereum-based apps and mining rigs, Chinese cyber-security firm Qihoo 360 Netlab reported today. The cause of these thefts is Ethereum software applications that have been configured to expose an RPC [Remote Procedure Call] interface on port 8545. The purpose of this interface is to provide access to a programmatic API that an approved third-party service or app can query and interact or retrieve data from the original Ethereum-based service -- such as a miner or wallet application that users or companies have set up for mining or managing funds. Because of its role, this RPC interface grants access to some pretty sensitive functions, allowing a third-party app the ability to retrieve private keys, move funds, or retrieve the owner's personal details.
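The condition described above is a configuration problem, so the useful checks are on the node's own settings and on whether the endpoint answers from outside. The following is an added example, not Qihoo 360 Netlab's or the Ethereum project's code: it audits a node command line for an RPC listener bound beyond loopback, and builds and parses the standard JSON-RPC eth_accounts call, which returns the accounts a node manages and is the natural first question an attacker asks an exposed port. The flag names follow geth's 2018-era CLI (--rpc, --rpcaddr, --rpcport, --rpcapi, --unlock) and are an assumption for any other client; the sample reply is constructed.

```python
"""Spot an Internet-exposed Ethereum JSON-RPC endpoint from a node's command
line, and build/parse the eth_accounts probe that confirms exposure.
Added example, not Qihoo 360 Netlab's or the Ethereum project's code. The flag
names follow geth's 2018-era CLI and are an assumption for other clients."""
import json
import urllib.request

# Constructed reply from an exposed node that manages one account.
SAMPLE_EXPOSED_RESPONSE = '{"jsonrpc":"2.0","id":1,"result":["0x' + "ab" * 20 + '"]}'

def _flag_value(argv, flag, default=None):
    """Value of `--flag value` or `--flag=value`, else default."""
    for i, arg in enumerate(argv):
        if arg == flag and i + 1 < len(argv):
            return argv[i + 1]
        if arg.startswith(flag + "="):
            return arg.split("=", 1)[1]
    return default

def _is_loopback(addr):
    return addr in ("localhost", "::1") or addr.startswith("127.")

def audit_rpc_cmdline(argv):
    """Return findings for a node command line; an empty list means nothing to report."""
    findings = []
    if "--rpc" not in argv:
        return findings                                   # HTTP-RPC server not enabled
    addr = _flag_value(argv, "--rpcaddr", "127.0.0.1")    # loopback is the client default
    port = _flag_value(argv, "--rpcport", "8545")
    if _is_loopback(addr):
        return findings
    findings.append(f"JSON-RPC bound to {addr}:{port}, reachable from other hosts")
    apis = set(_flag_value(argv, "--rpcapi", "eth,net,web3").split(","))
    if "personal" in apis:
        findings.append("personal API exposed over RPC: unlock/sign with a guessed password")
    if _flag_value(argv, "--unlock") is not None:
        findings.append("account unlocked at startup: eth_sendTransaction needs no password")
    return findings

def build_probe(request_id=1):
    """JSON-RPC body for eth_accounts, which lists the accounts a node manages."""
    return json.dumps({"jsonrpc": "2.0", "method": "eth_accounts",
                       "params": [], "id": request_id})

def parse_probe_response(body):
    """Return the managed accounts from an eth_accounts reply, or [] if none or invalid."""
    try:
        msg = json.loads(body)
    except ValueError:
        return []
    result = msg.get("result") if isinstance(msg, dict) else None
    if isinstance(result, list) and all(isinstance(a, str) and a.startswith("0x") for a in result):
        return result
    return []

def probe(url, timeout=3.0):
    """POST the probe to an RPC URL (e.g. http://host:8545) and return the accounts.
    Not executed here; run only against nodes you are authorised to test."""
    req = urllib.request.Request(url, data=build_probe().encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_probe_response(resp.read().decode())
```

A node that answers eth_accounts from the Internet has already failed the check; the fix is to bind RPC to loopback (or put an authenticating proxy in front of it), leave the personal API off any reachable listener, never start an exposed node with accounts unlocked, and filter 8545 at the perimeter.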
Microsoft

Microsoft To Stop Offering Support For Windows 7, Windows 8.1, Old Surface Devices in Forums (betanews.com) 156

An anonymous reader shares a report: Microsoft has announced that starting next month it will no longer be participating in the technical support forums for Windows 7, 8.1, 8.1 RT and numerous other products. On the software front, the company says that it will also no longer provide support for Microsoft Security Essentials, Internet Explorer 10, Office 2010 and 2013 as of July. It is not just software that is affected. Microsoft is also stopping support for Surface Pro, Surface Pro 2, Surface RT, Surface 2, Microsoft Band and Zune. Some forums will be locked, preventing users from helping each other as well.
Debian

Systemd-Free Devuan 2.0 'ASCII' Officially Released (devuan.org) 313

"Dear Init Freedom Lovers..." begins the announcement at Devuan.org: We are happy to announce that Devuan GNU+Linux 2.0 ASCII Stable is finally available. Devuan is a GNU+Linux distribution committed to providing a universal, stable, dependable, free software operating system that uses and promotes alternatives to systemd and its components.

Devuan 2.0 ASCII runs on several architectures. Installer CD and DVD ISOs, as well as desktop-live and minimal-live ISOs, are available for i386 and amd64. Ready-to-use images can be downloaded for a number of ARM platforms and SOCs, including Raspberry Pi, BeagleBone, OrangePi, BananaPi, OLinuXino, Cubieboard, Nokia and Motorola mobile phones, and several Chromebooks, as well as for Virtualbox/QEMU/Vagrant. The Devuan 2.0 ASCII installer ISOs offer a variety of Desktop Environments including Xfce, KDE, MATE, Cinnamon, LXQt, with others available post-install. The expert install mode now offers a choice of either SysVinit or OpenRC as init system...

We would like to thank the entire Devuan community for the continued support, feedback, and collaboration....

The release notes include information on Devuan's new network of package repository mirrors, and they're also touting their "direct and easy upgrade paths" from Devuan Jessie, Debian Jessie and Debian Stretch.
Programming

Should Developers Abandon Agile? (ronjeffries.com) 438

An anonymous reader quotes InfoQ: Ron Jeffries, author, speaker, one of the creators of Extreme Programming (XP), and a signatory of the Agile Manifesto back in 2001, shared a post on his blog in which he advocates that developers should abandon "Agile". The post further elaborated that developers should stay away from the "Faux Agile" or "Dark Agile" forms, and instead get closer to the values and principles of the Manifesto. The terms "Faux Agile" and "Dark Agile" are used by the author to give emphasis to the variety of the so-called "Agile" approaches that have contributed, according to him, to make the life of the developers worse rather than better, which is the antithesis of one of the initial ideas of the Agile Manifesto...
Jeffries writes that "When 'Agile' ideas are applied poorly, they often lead to more interference with developers, less time to do the work, higher pressure, and demands to 'go faster'. This is bad for the developers, and, ultimately, bad for the enterprise as well, because doing 'Agile' poorly will result, more often than not, in far more defects and much slower progress than could be attained. Often, good developers leave such organizations, resulting in a less effective enterprise than prior to installing 'Agile'...

"it breaks my heart to see the ideas we wrote about in the Agile Manifesto used to make developers' lives worse, instead of better. It also saddens me that the enterprise isn't getting what it could out of the deal, but my main concern is for the people doing the work..." He argues developers should instead just focus on good general software development practices -- like regularly producing fully-tested software and consciously avoiding "crufty" complex designs.

But what do Slashdot's readers think? Should developers abandon Agile?
Transportation

Tesla Short-Sellers Lose $1 Billion (cnbc.com) 458

An anonymous reader quotes CNBC: A bullish call from a Wall Street analyst capped off a rough week for Tesla short sellers, with Nomura Instinet advising clients that the electric car maker's shares could rally 42 percent over the next year. The stock rose 1.7 percent Friday and is now up 10 percent on the week. One of the most shorted stocks in the United States, Tesla shares cost investors betting against the company more than $1 billion in losses on Wednesday alone after the stock rallied 9.7 percent. Adding to the short woes, the stock is up 13.5 percent in June and up 21 percent since April. More than 30 percent of Tesla's floating stock is currently sold short, according to FactSet.
Last week long-time Open Source advocate Bruce Perens (Slashdot reader #3,872) argued this is fueling Musk's anger at the press: [A] great many investors are desperate to see Tesla's stock reach a much lower price soon, or they'll be forced to buy it at its present price in order to fulfill their short positions, potentially bankrupting many of them and sending some out of the windows of Wall Street skyscrapers. These investors are desperately seeding, feeding, and writing negative stories about Tesla in the hope of depressing the stock price. Musk recently taunted them by buying another 10 million dollars in stock, making it even more likely that there won't be enough stock in the market to cover short positions. If that's the case, short-sellers could end up in debt for thousands of dollars per shorted share -- as the price balloons until enough stockholders are persuaded to sell. Will short-sellers do anything to give Tesla bad press? You bet.... Musk is stuck with a press that feeds negative stories about Tesla seeded by short-sellers, business competitors and the petroleum industry, and even the U.S. Government...

Musk is far from the only one who suffers from this abuse. I was personally involved while the Linux developers were hounded by bad press for years from Forbes and lesser entities, backed by a large software company we all know (and who is, surprisingly, funding more Open Source these days), based on SCO's unfounded lawsuit. Time proves them wrong, but don't expect them to admit it, nor should you hold your breath for an "I'm sorry".

And on Musk's plan to rate the credibility of news sites, Perens writes that "The world would be a better place if this was done honestly, with integrity, and well. Musk is one who has improved the world by going where conventional wisdom said he'd fail..."
Cloud

Ubisoft CEO: Cloud Gaming Will Replace Consoles After the Next Generation (arstechnica.com) 144

An anonymous reader quotes a report from Ars Technica: Better start saving up for that PlayStation 5, Xbox Two, or Nintendo Swatch (that last follow-up name idea is a freebie, by the way). That generation of consoles might be the last one ever, according to Ubisoft CEO Yves Guillemot. After that, he predicts cheap local boxes could provide easier access to ever-evolving high-end gaming streamed to the masses from cloud-based servers. "I think we will see another generation, but there is a good chance that step-by-step we will see less and less hardware," Guillemot said in a recent interview with Variety. "With time, I think streaming will become more accessible to many players and make it not necessary to have big hardware at home. There will be one more console generation and then after that, we will be streaming, all of us."
Security

Cisco Removes Backdoor Account, Fourth Incident in the Last Four Months (bleepingcomputer.com) 51

For the fourth time this year, Cisco has removed hardcoded credentials that were left inside one of its products, which an attacker could have exploited to gain access to devices and inherently to customer networks. From a report: This time around, the hardcoded password was found in Cisco's Wide Area Application Services (WAAS), which is a software package that runs on Cisco hardware that can optimize WAN traffic management. This backdoor mechanism (CVE-2018-0329) was in the form of a hardcoded, read-only SNMP community string in the configuration file of the SNMP daemon. SNMP stands for Simple Network Management Protocol, an Internet protocol for collecting data about and from remote devices. The community string was there so SNMP servers knowing the string's value could connect to the remote Cisco device and gather statistics and system information about it.
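A read-only community string is still a credential, and the practical question after a fix like this one is whether the device keeps answering it. The following is an added example, not Cisco's code or anything from the advisory: a minimal SNMPv2c GetRequest/GetResponse codec (BER by hand, no third-party SNMP library) that asks for sysDescr.0, the standard object any read-only community can read, plus a UDP probe around it. The community strings and reply text used in the fixtures are constructed; the WAAS string itself is not reproduced here.

```python
"""Hand-built SNMPv2c GetRequest/GetResponse codec for checking whether a
device answers a given community string. Added example, not Cisco's code;
the community strings and reply values used below are constructed."""
import socket

SYS_DESCR_0 = (1, 3, 6, 1, 2, 1, 1, 1, 0)  # sysDescr.0: readable with any read-only community

def _length(n):
    """BER length: short form below 128, else (0x80 | byte count) + big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, content):
    return bytes([tag]) + _length(len(content)) + content

def _integer(value):
    """Minimal two's-complement BER INTEGER."""
    body = value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True)
    return _tlv(0x02, body)

def _oid(arcs):
    """BER OBJECT IDENTIFIER: first two arcs fold into one byte, the rest are base-128."""
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))

def build_get_request(community, oid=SYS_DESCR_0, request_id=1):
    """SNMPv2c message: SEQUENCE { version 1, community, GetRequest-PDU (0xA0) }."""
    varbind = _tlv(0x30, _oid(oid) + _tlv(0x05, b""))             # OID + NULL placeholder
    pdu = _tlv(0xA0, _integer(request_id) + _integer(0) + _integer(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _integer(1) + _tlv(0x04, community.encode()) + pdu)

def build_get_response(community, value, oid=SYS_DESCR_0, request_id=1, error_status=0):
    """GetResponse-PDU (0xA2) carrying an OCTET STRING value; a constructed fixture here."""
    varbind = _tlv(0x30, _oid(oid) + _tlv(0x04, value))
    pdu = _tlv(0xA2, _integer(request_id) + _integer(error_status) + _integer(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _integer(1) + _tlv(0x04, community.encode()) + pdu)

def _parse_tlv(data, pos=0):
    """Return (tag, content, position after the element)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + count], "big"), pos + count
    return tag, data[pos:pos + length], pos + length

def _parse_sequence(content):
    items, pos = [], 0
    while pos < len(content):
        tag, body, pos = _parse_tlv(content, pos)
        items.append((tag, body))
    return items

def parse_get_response(data):
    """Return (community, error_status, first value bytes) from a GetResponse, else None."""
    try:
        tag, msg, _ = _parse_tlv(data)
        (_, _), (_, community), (pdu_tag, pdu) = _parse_sequence(msg)[:3]
        if tag != 0x30 or pdu_tag != 0xA2:
            return None
        _, (_, status), _, (_, varbinds) = _parse_sequence(pdu)[:4]
        _, (_, value) = _parse_sequence(_parse_sequence(varbinds)[0][1])[:2]
    except (IndexError, ValueError):
        return None
    return community.decode(errors="replace"), int.from_bytes(status, "big", signed=True), value

def community_accepted(response):
    """Agents drop requests with an unknown community rather than answer them, so
    any well-formed GetResponse with error-status 0 means the string is accepted."""
    return response is not None and response[1] == 0

def probe(host, community, port=161, timeout=2.0):
    """Send one GetRequest over UDP and parse the reply; None on timeout (rejected)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_get_request(community), (host, port))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return None
    finally:
        sock.close()
    return parse_get_response(data)
```

Because a rejecting agent stays silent, probe() returns None both for a wrong community and for a host that is filtered, so read a timeout as "not confirmed" rather than "fixed"; a parsed reply, by contrast, is unambiguous. The same codec serves to check that only the community strings you configured are still honoured after applying a vendor's fix.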
Businesses

Oath is Killing Off Yahoo Messenger on July 17 (betanews.com) 50

Yahoo Messenger is to be discontinued in just over a month. Yahoo owner Oath has announced that it is killing off its famous Messenger service on July 17. From a report: After this date, chatting will no longer be available, and users have just six months to download their chat histories. At the moment, there is no direct replacement for Yahoo Messenger, but users are being advised that they can request an invite for the beta version of the invite-only group messaging app Yahoo Squirrel. In an FAQ about the announcement, Yahoo addresses why the decision to shutter the service was taken. "We know we have many loyal fans who have used Yahoo Messenger since its beginning as one of the first chat apps of its kind. As the communications landscape continues to change over, we're focusing on building and introducing new, exciting communications tools that better fit consumer needs."
Software

Should Apple Let Competitors Use FaceTime? (cnet.com) 211

In 2010, Steve Jobs first introduced FaceTime and promised it would become an open industry standard that could be used by Apple's competitors -- not just Apple. Well, eight years later and that still hasn't happened. CNET's Sean Hollister provides a theory as to why that is: There's also an ongoing lawsuit to consider -- as Ars Technica documented in 2013, Apple was forced to majorly change how FaceTime works to avoid infringing on the patents of a company called VirnetX. Instead of letting phones communicate directly with each other, Apple added "relay servers" to help the phones connect. Presumably, someone would have to pay for those servers, and/or figure out a way for them to talk to Google or Microsoft or other third-party servers if FaceTime were going to be truly open. But that doesn't make a broken promise less frustrating. Particularly now that Apple could potentially fix annoying business video calls as well. A Skype-killing video chat service that worked on Mac, iOS *and* Windows, Android and the open web? That's something I bet companies would be happy to pay for, too.
Power

Can An 'OS For Electricity' Double the Efficiency of the Grid? (vox.com) 147

New submitter mesterha shares an "interesting article [from Vox] on how to optimize our use of electricity": "Waste on the grid is the result of poor power quality, which can be ameliorated through digital control. Real-time measurement makes that possible. 3DFS technology, which the company conceives of as an "operating system for electricity," can not only track what's happening on the electricity sine wave from nanosecond to nanosecond, it can correct the sine wave from microsecond to microsecond, perfectly adapting it to the load it serves, eliminating waste." "They claim energy reduction of around 15% but anticipate their AI tuning can eventually get 30%," writes Slashdot reader mesterha. "Seems too good to be true, but it has the support of publications like Popular Mechanics." [3DFS won one of Popular Mechanics' "breakthrough awards" in 2017.]
Security

Severe Firmware Vulnerabilities Found In Popular Supermicro Server Products (bleepingcomputer.com) 45

An anonymous reader quotes a report from Bleeping Computer: Security researchers have uncovered vulnerabilities affecting the firmware of the very popular Supermicro enterprise-line server products. These vulnerabilities affect both older and newer models of Supermicro products, but the vendor is working on addressing the issues. These vulnerabilities do not put the safety of Supermicro products at direct risk, as they can only be exploited via malicious software/code (aka malware) already running on a system. Nevertheless, exploiting these vulnerabilities allows the malware to obtain an almost permanent foothold on infected systems by gaining the ability to survive server OS reinstalls by hiding in the hardware's firmware. Technical details are available in an Eclypsium blog post, while a list of affected servers is available here.
AI

Google Promises Its AI Will Not Be Used For Weapons (nytimes.com) 102

An anonymous reader quotes a report from The New York Times: Google, reeling from an employee protest over the use of artificial intelligence for military purposes, said Thursday that it would not use A.I. for weapons or for surveillance that violates human rights (Warning: source may be paywalled; alternative source). But it will continue to work with governments and the military. The new rules were part of a set of principles Google unveiled relating to the use of artificial intelligence. In a company blog post, Sundar Pichai, the chief executive, laid out seven objectives for its A.I. technology, including "avoid creating or reinforcing unfair bias" and "be socially beneficial."

Google also detailed applications of the technology that the company will not pursue, including A.I. for "weapons or other technologies whose principal purpose or implementation is to cause or directly facilitate injury to people" and "technologies that gather or use information for surveillance violating internationally accepted norms of human rights." But Google said it would continue to work with governments and military using A.I. in areas including cybersecurity, training and military recruitment. "We recognize that such powerful technology raises equally powerful questions about its use. How A.I. is developed and used will have a significant impact on society for many years to come," Mr. Pichai wrote.

Google

Google Launches Android P Beta 2 With Final APIs (venturebeat.com) 40

An anonymous reader writes: Google today launched the second Android P beta with final APIs and 157 new emoji. If you're a developer, this is your third Android P preview, and you can start testing your apps against this release by downloading the new preview from developer.android.com/preview. The preview includes an updated SDK with system images for the Pixel, Pixel XL, Pixel 2, Pixel 2 XL, and the official Android Emulator. If you're already enrolled and received the Android P Beta 1 on your Pixel device, you'll automatically get the update to Beta 2.
Businesses

Robocallers Win Even if You Don't Answer (wsj.com) 153

Sarah Krouse, reporting for WSJ: Caller ID is feeding one of the very problems it was developed to stop: junk calls. Illegitimate robocallers, or outfits that flood American landlines with marketing calls, use the decades-old identification system to make money, even when no one picks up. While scammers' biggest paydays come from tricking victims into handing over credit card or bank account information, many robocallers make incremental cash along the way, thanks to little-known databases that try to identify who is calling.

Each time a caller's name is displayed, phone companies pay small fees -- typically fractions of pennies -- to databases that store such records. Some of these fees are handed back to the caller. With millions of automated calls a day, the amounts can add up. "It's slow nickels, not fast dimes" for scammers, but it helps offset the costs of making the calls, said Aaron Woolfson, president of TelSwitch, a company that licenses out telecommunications-billing software.

Operating Systems

tvOS 12 Brings Dolby Atmos Support, Zero Sign-In, and TV App Improvements (macworld.com) 47

If you're using an Apple TV as your main streaming box, you will be happy to know several big improvements are coming to the platform. Macworld reports on what's new in tvOS 12: With tvOS 12, Dolby Atmos comes to the Apple TV 4K. All you need for full 3D immersive audio is an Atmos-supporting sound bar or receiver. This makes Apple TV 4K the only streaming media box to be certified for both Dolby Vision and Dolby Atmos.

One of the best features of tvOS 11 is called Single Sign-on. You add your TV provider's login information to your Apple TV device. If an app supports Single Sign-on, you can log in with your TV provider with just a few taps. It's a big step forward, but still a little bit of a pain. With tvOS 12, Apple makes the whole process totally seamless with Zero Sign-on. Here's how it works: If your TV provider is your Internet provider (a very common occurrence here in the United States), and your Apple TV is connected to the Internet through that provider, you sign in automatically to any Apple TV app your provider gives you access to. Just launch the app, and you're signed in, no passwords or configuration needed at all.

Apple's breathtaking 4K video screensavers, called "Aerials," are one of those minor delights that Apple TV 4K users can't get enough of. In tvOS 12, they get better. You can tap the remote to see the location at which the Aerial was filmed. A new set of Aerials is the star of the show, however. Called "Earth," these are stunning videos from space, taken by astronauts at the International Space Station.
Furthermore, the TV app will provide live content from select TV providers; Charter Spectrum will support the app with live channels and content later this year. Apple is also now allowing third-party home control systems' remotes to control your Apple TV (including Siri).
