Slashdot videos: Now with more Slashdot!

  • View

  • Discuss

  • Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

×
Businesses

IT Jobs With the Best (and Worst) ROI 46

Posted by Soulskill
from the becoming-borg-is-at-both-the-top-and-the-bottom dept.
Nerval's Lobster writes: Over at Dice, there's a breakdown of which tech jobs have the greatest return on investment, with regard to high starting salaries and growth potential relative to how much you need to spend on degrees and certifications. Which jobs top this particular calculation? No shockers here: DBAs, software engineers, programmers, and Web developers all head up the list, with salaries that tick into six-figure territory. How about those with the worst ROI? Graphic designers, sysadmins, tech support, and software QA testers often present a less-than-great combination of relatively little money and room for advancement, even if you possess a four-year degree or higher, unless you're one of the lucky few.
China

China's Foreign Ministry: China Did Not Attack Github, We Are the Major Victims 109

Posted by samzenpus
from the it-wasn't-us dept.
An anonymous reader writes At the Regular Press Conference on March 30, China's Foreign Ministry Spokesperson Hua Chunying responded on the charge of DDoS attack over Github. She said: "It is quite odd that every time a website in the US or any other country is under attack, there will be speculation that Chinese hackers are behind it. I'd like to remind you that China is one of the major victims of cyber attacks. We have been underlining that China hopes to work with the international community to speed up the making of international rules and jointly keep the cyber space peaceful, secure, open and cooperative. It is hoped that all parties can work in concert to address hacker attacks in a positive and constructive manner."
Government

Sign Up At irs.gov Before Crooks Do It For You 232

Posted by samzenpus
from the real-you dept.
tsu doh nimh writes If you're an American and haven't yet created an account at irs.gov, you may want to take care of that before tax fraudsters create an account in your name and steal your personal and tax data in the process. Brian Krebs shows how easy it is for scammers to register an account in your name and view your current and past W2s and tax filings with the IRS, and tells the story of a New York man who — after receiving notice from the agency that someone had filed a phony return in his name — tried to get a copy of his transcript and found someone had already registered his SSN to an email address that wasn't his. Apparently, having a credit freeze prevents thieves from doing this, because the IRS relies on easily-guessed knowledge-based authentication questions from Equifax.
Advertising

How Malvertising Abuses Real-Time Bidding On Ad Networks 93

Posted by samzenpus
from the rotten-apples dept.
msm1267 writes Dark corners of the Internet harbor trouble. They're supposed to. But what about when Yahoo, CNN.com, TMZ and other busy destination sites heave disaster upon visitors? That's the challenge posed by malvertising, the latest hacker Golden Goose used in cybercrime operations and even in some targeted attacks. Hackers are thriving in this arena because they have found an unwittingly complicit partner in the sundry ad networks to move malicious ads through legitimate processes. Adding gasoline to the raging fire is the abuse of real-time ad bidding, a revolution in the way online ads are sold. RTB enables better ad targeting for advertisers and less unsold inventory for publishers. Hackers can also hitch a ride with RTB and target malicious ads on any site they wish, much the way a legitimate advertiser would use the same system.
Government

India Mandates Use of Open Source Software In Government 60

Posted by samzenpus
from the free-at-last dept.
jrepin writes The Indian government announced a policy yesterday that makes it mandatory to use open-source software in building apps and services, in an effort to "ensure efficiency, transparency and reliability of such services at affordable costs." The new policy (PDF) states that all government organizations must include a requirement for their software suppliers to consider open-source options when implementing e-governance applications and systems. The move will bring the Indian government in line with other countries including the US, UK and Germany that opt for open-source software over proprietary tools.
United States

Secret Service Plans New Fence, Full Scale White House Replica, But No Moat 173

Posted by samzenpus
from the forget-the-drawbridge dept.
HughPickens.com writes The NYT reports that the Secret Service is recruiting some of its best athletes to serve as pretend fence jumpers at a rural training ground outside Washington in a program to develop a new fence around the White House that will keep intruders out without looking like a prison. Secret Service officials acknowledge that they cannot make the fence foolproof; that would require an aesthetically unacceptable and politically incorrect barrier. Prison or Soviet-style design is out, and so is anything that could hurt visitors, like sharp edges or protuberances. Instead, the goal is to deter climbers or at least delay them so that officers and attack dogs have a few more seconds to apprehend them. In addition, there might be alterations to the White House grounds but no moat, as recently suggested by Representative Steve Cohen of Tennessee. "When I hear moat, I think medieval times," says William Callahan, assistant director for the office of protective operation at the Secret Service.

The Times also reports that the Secret Service wants to spend $8 million to build a detailed replica of the White House in Beltsville, Maryland to aid in training officers and agents to protect the real thing. "Right now, we train on a parking lot, basically," says Joseph P. Clancy, the director of the Secret Service. "We put up a makeshift fence and walk off the distance between the fence at the White House and the actual house itself. We don't have the bushes, we don't have the fountains, we don't get a realistic look at the White House." The proposed replica would provide what Clancy describes as a "more realistic environment, conducive to scenario-based training exercises," for instructing those who must protect the president's home. It would mimic the facade of the White House residence, the East and West Wings, guard booths, and the surrounding grounds and roads. The request comes six months after an intruder scaled a wrought-iron fence around the White House and ran through an unlocked front door of the residence and into the East Room before officers tackled him.
United Kingdom

Europol Chief Warns About Computer Encryption 155

Posted by samzenpus
from the I-can't-read-this dept.
An anonymous reader writes The law enforcement lobbying campaign against encryption continues. Today it's Europol director Rob Wainwright, who is trying to make a case against encryption. "It's become perhaps the biggest problem for the police and the security service authorities in dealing with the threats from terrorism," he explained. "It's changed the very nature of counter-terrorist work from one that has been traditionally reliant on having good monitoring capability of communications to one that essentially doesn't provide that anymore." This is the same man who told the European Parliament that Europol is not going to investigate the alleged NSA hacking of the SWIFT (international bank transfer) system. The excuse he gave was not that Europol didn't know about it, because it did. Very much so. It was that there had been no formal complaint from any member state.
Government

NSA: We Mulled Ending Phone Program Before Edward Snowden Leaks 136

Posted by samzenpus
from the we-meant-to-do-that dept.
Mark Wilson writes Edward Snowden is heralded as both a hero and villain. A privacy vigilante and a traitor. It just depends who you ask. The revelations he made about the NSA's surveillance programs have completely changed the face of online security, and changed the way everyone looks at the internet and privacy. But just before the whistle was blown, it seems that the NSA was considering bringing its telephone data collection program to an end. Intelligence officials were, behind the scenes, questioning whether the benefits of gathering counter-terrorism information justified the colossal costs involved. Then Snowden went public and essentially forced the agency's hand.
Twitter

SeaWorld and Others Discover That a Hashtag Can Become a Bashtag 119

Posted by samzenpus
from the getting-hit-with-your-own-stick dept.
HughPickens.com writes Alison Griswold writes that in an effort to improve its tanking image, SeaWorld launched a new advertising campaign this week to educate the public about its "leadership in the care of killer whales" and other work to protect whales in captivity and in the wild. As part of that head-on initiative, someone at SeaWorld decided to invite Twitter users to pose their questions to the company directly using the hashtag #AskSeaWorld. That was not a good idea as twitter users bashed Sea World relentlessly.. "As easy as it is to make fun of SeaWorld here, the real question is why any company still thinks hosting an open Twitter forum could be good for public relations," writes Griswold. "So maybe SeaWorld's social and PR folks just really have no idea what they're doing. Even so, you'd think they'd have learned from the corporate failures before them."

Let's review some of the times this has backfired, starting with the infamous McDonald's #McDStories Twitter campaign of January 2012. Rather than prompting customers to share their heart-warming McDonald's anecdotes, the hashtag gave critics a highly visible forum to share their top McDonald's horror stories. MacDonalds pulled the campaign within two hours but they discovered that crowd-sourced campaigns are hard to control. Three years later the #McDStories hashtag is still gathering comments. "Twitter Q&As are a terrible idea.," concludes Griswold. "A well-meaning hashtag gives critics an easy way to assemble and voice their complaints in a public forum. Why companies still try them is a great mystery. Maybe they'll all finally learn from SeaWorld and give this one horrible PR trick up for good."
Security

Startups Increasingly Targeted With Hacks 49

Posted by Soulskill
from the waiting-for-the-easy-marks-to-ripen dept.
ubrgeek writes: Slack, makers of the popular communications software, announced yesterday that they'd suffered a server breach. This follows shortly after a similar compromise of Twitch.tv, and is indicative of a growing problem facing start-up tech companies. As the NY Times reports, "Breaches are becoming a kind of rite of passage for fledgling tech companies. If they gain enough momentum with users, chances are they will also become a target for hackers looking to steal, and monetize, the vast personal information they store on users, like email addresses and passwords."
Open Source

European Commission Will Increase Use of Open Source Software 37

Posted by Soulskill
from the leading-by-example dept.
jrepin writes: The European Commission has updated its strategy for internal use of Open Source Software. The Commission, which is already using open source for many of its key ICT services and software solutions, will further increase the role of this type of software internally. The renewed strategy puts a special emphasis on procurement, contribution to open source software projects, and providing more of the software developed within the Commission as open source.
United Kingdom

UK Licensing Site Requires MSIE Emulation, But Won't Work With MSIE 157

Posted by timothy
from the strange-circlings-back dept.
Anne Thwacks writes The British Government web site for applying for for a licence to be a security guard requires a plugin providing Internet Explorer emulation on Firefox to login and apply for a licence. It won't work with Firefox without the add-on, but it also wont work with Internet Explorer! (I tried Win XP and Win7 Professional). The error message says "You have more than one browser window open on the same internet connection," (I didn't) and "to avoid this problem, close your browser and reopen it." I did. No change.

I tried three different computers, with three different OSes. Still no change. I contacted their tech support and they said "Yes ... a lot of users complain about this. We have known about it since September, and are working on a fix! Meanwhile, we have instructions on how to use the "Fire IE" plugin to get round the problem." Eventually, I got this to work on Win7pro. (The plugin will not work on Linux). The instructions require a very old version of the plugin, and a bit of trial and error is needed to get it to work with the current one. How can a government department concerned with security not get this sort of thing right?"
China

Github Under JS-Based "Greatfire" DDoS Attack, Allegedly From Chinese Government 114

Posted by Soulskill
from the year-of-the-ddos dept.
An anonymous reader writes: During the past two days, popular code hosting site GitHub has been under a DDoS attack, which has led to intermittent service interruptions. As blogger Anthr@X reports from traceroute lists, the attack originated from MITM-modified JavaScript files for the Chinese company Baidu's user tracking code, changing the unencrypted content as it passed through the great firewall of China to request the URLs github.com/greatfire/ and github.com/cn-nytimes/. The Chinese government's dislike of widespread VPN usage may have caused it to arrange the attack, where only people accessing Baidu's services from outside the firewall would contribute to the DDoS. This wouldn't have been the first time China arranged this kind of "protest."
Security

Big Vulnerability In Hotel Wi-Fi Router Puts Guests At Risk 40

Posted by samzenpus
from the protect-ya-neck dept.
An anonymous reader writes Guests at hundreds of hotels around the world are susceptible to serious hacks because of routers that many hotel chains depend on for their Wi-Fi networks. Researchers have discovered a vulnerability in the systems, which would allow an attacker to distribute malware to guests, monitor and record data sent over the network, and even possibly gain access to the hotel's reservation and keycard systems. The vulnerability, which was discovered by Justin W. Clarke of the security firm Cylance, gives attackers read-write access to the root file system of the ANTlabs devices. The discovery of the vulnerable systems was particularly interesting to them in light of an active hotel hacking campaign uncovered last year by researchers at Kaspersky Lab. In that campaign, which Kaspersky dubbed DarkHotel.
Businesses

Millennial Tech Workers Losing Ground In US 400

Posted by samzenpus
from the no-work-for-you dept.
Nerval's Lobster writes Millennial tech workers are entering the U.S. workforce at a comparable disadvantage to other tech workers throughout the industrialized world, according to study earlier this year from Educational Testing Services (PDF). How do U.S. millennials compare to their international peers, at least according to ETS? Those in the 90th percentile (i.e., the top-scoring) actually scored lower than top-scoring millennials in 15 of the 22 studied countries; low-scoring U.S. millennials ranked last (along with Italy and England/Northern Ireland). While some experts have blamed the nation's education system for the ultimate lack of STEM jobs, other studies have suggested that the problem isn't in the classroom; a 2014 report from the U.S. Census Bureau suggested that many of the people who earned STEM degrees didn't actually go into careers requiring them. In any case, the U.S. is clearly wrestling with an issue; how can it introduce more (qualified) STEM people into the market?
Businesses

Win Or Lose, Discrimination Suit Is Having an Effect On Silicon Valley 346

Posted by samzenpus
from the to-pay-or-not-to-pay-that-is-the-question dept.
SpzToid sends word that the Ellen Pao vs. Kleiner Perkins Caufield & Byers discrimination case wrapped up yesterday. No matter what the outcome turns out to be, it has already affected how business is being done in Silicon Valley. "'Even before there's a verdict in this case, and regardless of what the verdict is, people in Silicon Valley are now talking,' said Kelly Dermody, managing partner at Lieff Cabraser Heimann & Bernstein, who chairs the San Francisco law firm's employment practice group. 'People are second-guessing and questioning whether there are exclusionary practices [and] everyday subtle acts of exclusion that collectively limit women's ability to succeed or even to compete for the best opportunities. And that's an incredibly positive impact.' Women in tech have long complained about an uneven playing field — lower pay for equal work, being passed over for promotions and a hostile 'brogrammer' culture — and have waited for a catalyst to finally overhaul the status quo. This trial — pitting a disgruntled, multimillionaire former junior partner against a powerful Menlo Park, Calif., venture capital firm — was far from the open-and-shut case that many women had hoped for. More gender discrimination suits against big tech firms are expected to follow; some already have, including lawsuits against Facebook Inc. and Twitter Inc."
Encryption

Generate Memorizable Passphrases That Even the NSA Can't Guess 261

Posted by timothy
from the exercise-for-the-reader dept.
HughPickens.com writes Micah Lee writes at The Intercept that coming up with a good passphrase by just thinking of one is incredibly hard, and if your adversary really is capable of one trillion guesses per second, you'll probably do a bad job of it. It turns out humans are a species of patterns, and they are incapable of doing anything in a truly random fashion. But there is a method for generating passphrases that are both impossible for even the most powerful attackers to guess, yet very possible for humans to memorize. First, grab a copy of the Diceware word list, which contains 7,776 English words — 37 pages for those of you printing at home. You'll notice that next to each word is a five-digit number, with each digit being between 1 and 6. Now grab some six-sided dice (yes, actual real physical dice), and roll them several times, writing down the numbers that you get. You'll need a total of five dice rolls to come up with each word in your passphrase. Using Diceware, you end up with passphrases that look like "cap liz donna demon self", "bang vivo thread duct knob train", and "brig alert rope welsh foss rang orb". If you want a stronger passphrase you can use more words; if a weaker passphrase is ok for your purpose you can use less words. If you choose two words for your passphrase, there are 60,466,176 different potential passphrases. A five-word passphrase would be cracked in just under six months and a six-word passphrase would take 3,505 years, on average, at a trillion guesses a second.

After you've generated your passphrase, the next step is to commit it to memory.You should write your new passphrase down on a piece of paper and carry it with you for as long as you need. Each time you need to type it, try typing it from memory first, but look at the paper if you need to. Assuming you type it a couple times a day, it shouldn't take more than two or three days before you no longer need the paper, at which point you should destroy it. "Simple, random passphrases, in other words, are just as good at protecting the next whistleblowing spy as they are at securing your laptop," concludes Lee. "It's a shame that we live in a world where ordinary citizens need that level of protection, but as long as we do, the Diceware system makes it possible to get CIA-level protection without going through black ops training."
Bug

'Bar Mitzvah Attack' Plagues SSL/TLS Encryption 23

Posted by timothy
from the process-not-product dept.
ancientribe writes Once again, SSL/TLS encryption is getting dogged by outdated and weak options that make it less secure. This time, it's the weak keys in the older RC4 crypto algorithm, which can be abused such that an attacker can sniff credentials or other data in an SSL session, according to a researcher who revealed the hack today at Black Hat Asia in Singapore. A slice: Bar Mitzvah exploits the weak keys used by RC4 and allows an attacker to recover plain text from the encrypted information, potentially exposing account credentials, credit card data, or other sensitive information. And unlike previous SSL hacks, this one doesn't require an active man-in-the-middle session, just passive sniffing or eavesdropping on SSL/TLS-encrypted connections, [researcher Itsik] Mantin says. But MITM could be used as well, though, for hijacking a session, he says.
Bug

MIT Debuts Integer Overflow Debugger 40

Posted by timothy
from the measure-twice-cut-once dept.
msm1267 writes Students from M.I.T. have devised a new and more efficient way to scour raw code for integer overflows, the troublesome programming bugs that serve as a popular exploit vector for attackers and often lead to the crashing of systems. Researchers from the school's Computer Science and Artificial Intelligence Laboratory (CSAIL) last week debuted the platform dubbed DIODE, short for Directed Integer Overflow Detection. As part of an experiment, the researchers tested DIODE on code from five different open source applications. While the system was able to generate inputs that triggered three integer overflows that were previously known, the system also found 11 new errors. Four of the 11 overflows the team found are apparently still lingering in the wild, but the developers of those apps have been informed and CSAIL is awaiting confirmation of fixes.
Security

RSA Conference Bans "Booth Babes" 326

Posted by timothy
from the can-I-ask-you-some-technical-questions dept.
netbuzz writes In what may be a first for the technology industry, RSA Conference 2015 next month apparently will be bereft of a long-controversial trade-show attraction: "booth babes." New language in its exhibitor contract, while not using the term 'booth babe," leaves no doubt as to what type of salesmanship RSA wants left out of its event. Says a conference spokeswoman: "We thought this was an important step towards making all security professionals feel comfortable and equally respected during the show." Easier at a venue like RSA; the annual Consumer Electronics Show, not so much.