Forgot your password?
typodupeerror

Please create an account to participate in the Slashdot moderation system

Networking

Ask Slashdot: Is Running Mission-Critical Servers Without a Firewall Common? 9

Posted by Soulskill
from the common-enough-to-make-you-sad dept.
An anonymous reader writes: I do some contract work on the side, and am helping a client set up a new point-of-sale system. For the time being, it's pretty simple: selling products, keeping track of employee time, managing inventory and the like. However, it requires a small network because there are two clients, and one of the clients feeds off of a small SQL Express database from the first. During the setup, the vendor disabled the local firewall, and in a number of emails back and forth since (with me getting more and more aggravated) they went from suggesting that there's no need for a firewall, to outright telling me that's just how they do it and the contract dictates that's how we need to run it. This isn't a tremendous deal today, but with how things are going, odds are there will be e-Commerce worked into it, and probably credit card transactions... which worries the bejesus out of me.

So my question to the Slashdot masses: is this common? In my admittedly limited networking experience, it's been drilled into my head fairly well that not running a firewall is lazy (if not simply negligent), and to open the appropriate ports and call it a day. However, I've seen forum posts here and there with people admitting they run their clients without firewalls, believing that the firewall on their incoming internet connection is good enough, and that their client security will pick up the pieces. I'm curious how many real professionals do this, or if the forum posts I'm seeing (along with the vendor in question) are just a bunch of clowns.
The Military

Hackers Plundered Israeli Defense Firms That Built 'Iron Dome' Missile Defense 133

Posted by Soulskill
from the intercepting-missiles-is-easier-than-learning-not-to-click-on-attachments dept.
An anonymous reader writes: Brian Krebs reports on information from Columbia, Md.-based threat intelligence firm Cyber Engineering Services Inc. that attackers thought to be operating out of China hacked into the corporate networks of three top Israeli defense technology companies. The attackers were seeking technical documents related to Iron Dome, Israel's air defense system. "IAI was initially breached on April 16, 2012 by a series of specially crafted email phishing attacks. ... Once inside the IAI’s network, [the attackers] spent the next four months in 2012 using their access to install various tools and trojan horse programs on systems throughout company’s network and expanding their access to sensitive files, CyberESI said. The actors compromised privileged credentials, dumped password hashes, and gathered system, file, and network information for several systems. The actors also successfully used tools to dump Active Directory data from domain controllers on at least two different domains on the IAI’s network. All told, CyberESI was able to identify and acquire more than 700 files — totaling 762 MB total size — that were exfiltrated from IAI’s network during the compromise. The security firm said most of the data acquired was intellectual property and likely represented only a small portion of the entire data loss by IAI." Most of the stolen material pertained to Arrow III missiles, UAVs, and ballistic rockets.
Android

Old Apache Code At Root of Android FakeID Mess 113

Posted by Soulskill
from the write-once-run-anywhere dept.
chicksdaddy writes: A four-year-old vulnerability in an open source component that is a critical part of Android leaves hundreds of millions of mobile devices susceptible to silent malware infections. The vulnerability affects devices running Android versions 2.1 to 4.4 ("KitKat"), according to a statement released by Bluebox. The vulnerability was found in a package installer in affected versions of Android. The installer doesn't attempt to determine the authenticity of certificate chains that are used to vouch for new digital identity certificates. In short, Bluebox writes, "an identity can claim to be issued by another identity, and the Android cryptographic code will not verify the claim."

The security implications of this are vast. Malicious actors could create a malicious mobile application with a digital identity certificate that claims to be issued by Adobe Systems. Once installed, vulnerable versions of Android will treat the application as if it was actually signed by Adobe and give it access to local resources, like the special webview plugin privilege, that can be used to sidestep security controls and virtual 'sandbox' environments that keep malicious programs from accessing sensitive data and other applications running on the Android device. The flaw appears to have been introduced to Android through an open source component, Apache Harmony. Google turned to Harmony as an alternative means of supporting Java in the absence of a deal with Oracle to license Java directly.

Work on Harmony was discontinued in November, 2011. However, Google has continued using native Android libraries that are based on Harmony code. The vulnerability concerning certificate validation in the package installer module persisted even as the two codebases diverged.
Security

Ask Slashdot: Open Hard- & Software Based Security Token? 105

Posted by timothy
from the you-could-use-postcards-scanned-by-an-arduino dept.
Qbertino (265505) writes I've been musing about a security setup to allow my coworkers/users access to files from the outside. I want security to be a little safer than pure key- or password-based SSH access, and some super-expensive RSA Token setup is out of question. I've been wondering whether there are any feasible and working FOSS and open hardware-based security token generator projects out there. It'd be best with ready-made server-side scripts/daemons. Perhaps something Arduino or Raspberry Pi based? Has anybody tried something like this? What are your experiences? What do you use? How would you attempt an open hardware FOSS solution to this problem?
Security

Put Your Code in the SWAMP: DHS Sponsors Online Open Source Code Testing 60

Posted by timothy
from the they'll-take-a-look-see dept.
cold fjord (826450) writes with an excerpt from ZDNet At OSCon, The Department of Homeland Security (DHS) ... quietly announced that they're now offering a service for checking out your open-source code for security holes and bugs: the Software Assurance Marketplace (SWAMP). ... Patrick Beyer, SWAMP's Project Manager at Morgridge Institute for Research, the project's prime contractor, explained, "With open source's popularity, more and more government branches are using open-source code. Some are grabbing code from here, there, and everywhere." Understandably, "there's more and more concern about the safety and quality of this code. We're the one place you can go to check into the code" ... funded by a $23.4 million grant from the Department of Homeland Security Science & Technology Directorate (DHS S&T), SWAMP is designed by researchers from the Morgridge Institute, the University of Illinois-Champaign/Urbana, Indiana University, and the University of Wisconsin-Madison. Each brings broad experience in software assurance, security, open source software development, national distributed facilities and identity management to the project. ... SWAMP opened its services to the community in February of 2014 offering five open-source static analysis tools that analyze source code for possible security defects without having to execute the program. ... In addition, SWAMP hosts almost 400 open source software packages to enable tool developers to add enhancements in both the precision and scope of their tools. On top of that the SWAMP provides developers with software packages from the National Institute for Standards and Technology's (NIST) Juliet Test Suite. I got a chance to talk with Beyer at OSCON, and he emphasized that anyone's code is eligible — and that there's no cost to participants, while the center is covered by a grant.
Privacy

Ask Slashdot: Preparing an Android Tablet For Resale? 110

Posted by timothy
from the link-free-cloth-and-a-.45 dept.
UrsaMajor987 (3604759) writes I have a Asus Transformer tablet that I dropped on the floor. There is no obvious sign of damage but It will no longer boot. Good excuse to get a newer model. I intend to sell it for parts (it comes with an undamaged keyboard) or maybe just toss it. I want to remove all my personal data. I removed the flash memory card but what about the other storage? I know how to wipe a hard drive, but how do you wipe a tablet? If you were feeling especially paranoid, but wanted to keep the hardware intact for the next user, what would you do?
The Internet

Internet Census 2012 Data Examined: Authentic, But Chaotic and Unethical 30

Posted by timothy
from the could-have-been-worse dept.
An anonymous reader writes "A team of researchers at the TU Berlin and RWTH Aachen presented an analysis of the Internet Census 2012 data set (here's the PDF) in the July edition of the ACM Sigcomm Computer Communication Review journal. After its release on March 17, 2013 by an anonymous author, the Internet Census data created an immediate media buzz, mainly due to its unethical data collection methodology that exploited default passwords to form the Carna botnet. The now published analysis suggests that the released data set is authentic and not faked, but also reveals a rather chaotic picture. The Census suffers from a number of methodological flaws and also lacks meta-data information, which renders the data unusable for many further analyses. As a result, the researchers have not been able to verify several claims that the anonymous author(s) made in the published Internet Census report. The researchers also point to similar but legal efforts measuring the Internet and remark that the illegally measured Internet Census 2012 is not only unethical but might have been overrated by the press."
Security

Attackers Install DDoS Bots On Amazon Cloud 25

Posted by timothy
from the fully-buzzword-compliant dept.
itwbennett (1594911) writes "Attackers are exploiting a vulnerability in distributed search engine software Elasticsearch to install DDoS malware on Amazon and possibly other cloud servers. Last week security researchers from Kaspersky Lab found new variants of Mayday, a Trojan program for Linux that's used to launch distributed denial-of-service (DDoS) attacks. The malware supports several DDoS techniques, including DNS amplification. One of the new Mayday variants was found running on compromised Amazon EC2 server instances, but this is not the only platform being misused, said Kaspersky Lab researcher Kurt Baumgartner Friday in a blog post."
Displays

The Oculus Rift DK2: In-Depth Review (and Comparison To DK1) 54

Posted by timothy
from the here-put-this-on-your-face dept.
Benz145 (1869518) writes "The hotly anticipated Oculus Rift DK2 has begun arriving at doorsteps. The DK2s enhancements include optical positional tracking and a higher resolution panel, up from 1280×800 to 1920×1080 (1080p) and moved to a pentile-matrix OLED panel for display duties. This means higher levels of resolvable detail and a much reduced screen door effect. The panel features low persistence of vision, a technology pioneered by Valve that aims to cut motion artefacts by only displaying the latest, most correct display information relative to the user's movements – as users of the DK1 will attest, its LCD panel was heavily prone to smearing, things are now much improved with the DK2."
Android

Popular Android Apps Full of Bugs: Researchers Blame Recycling of Code 143

Posted by timothy
from the little-of-this-little-of-that dept.
New submitter Brett W (3715683) writes The security researchers that first published the 'Heartbleed' vulnerabilities in OpenSSL have spent the last few months auditing the Top 50 downloaded Android apps for vulnerabilities and have found issues with at least half of them. Many send user data to ad networks without consent, potentially without the publisher or even the app developer being aware of it. Quite a few also send private data across the network in plain text. The full study is due out later this week.
Education

Valencia Linux School Distro Saves 36 Million Euro 153

Posted by timothy
from the oh-no-big-deal dept.
jrepin (667425) writes "The government of the autonomous region of Valencia (Spain) earlier this month made available the next version of Lliurex, a customisation of the Edubuntu Linux distribution. The distro is used on over 110,000 PCs in schools in the Valencia region, saving some 36 million euro over the past nine years, the government says." I'd lke to see more efforts like this in the U.S.; if mega school districts are paying for computers, I'd rather they at least support open source development as a consequence.
Bug

Linus Torvalds: "GCC 4.9.0 Seems To Be Terminally Broken" 706

Posted by timothy
from the you'll-never-believe-what-he-actually-said dept.
hypnosec (2231454) writes to point out a pointed critique from Linus Torvalds of GCC 4.9.0. after a random panic was discovered in a load balance function in Linux 3.16-rc6. in an email to the Linux kernel mailing list outlining two separate but possibly related bugs, Linus describes the compiler as "terminally broken," and worse ("pure and utter sh*t," only with no asterisk). A slice: "Lookie here, your compiler does some absolutely insane things with the spilling, including spilling a *constant*. For chrissake, that compiler shouldn't have been allowed to graduate from kindergarten. We're talking "sloth that was dropped on the head as a baby" level retardation levels here .... Anyway, this is not a kernel bug. This is your compiler creating completely broken code. We may need to add a warning to make sure nobody compiles with gcc-4.9.0, and the Debian people should probably downgrate their shiny new compiler."
IT

Ask Slashdot: What Would You Do With Half a Rack of Server Space? 206

Posted by timothy
from the give-it-a-piece-of-my-mind dept.
New submitter Christian Gainsbrugh (3766717) writes I work at a company that is currently transitioning all our servers into the cloud. In the interim we have half a rack of server space in a great datacenter that will soon be sitting completely idle for the next few months until our lease runs out. Right now the space is occupied by around 8 HP g series servers, a watchguard xtm firewall, Cisco switch and some various other equipment. All in all there are probably around 20 or so physical XEON processors, and probably close to 10 tb of storage among all the machines. We have a dedicated 10 mbs connection that is burstable to 100mbs.

I'm curious what Slashdot readers would do if they were in a similar situation. Is there anything productive that could be done with these resources? Obviously something revenue generating is great, but even if there is something novel that could be done with these servers we would be interested in putting them to good use.
Bug

Bad "Buss Duct" Causes Week-long Closure of 5,000 Employee Federal Complex 124

Posted by timothy
from the something-to-be-indignant-about dept.
McGruber (1417641) writes In Atlanta, an electrical problem in a "Buss Duct" has caused the Sam Nunn Atlanta Federal Center to be closed for at least a week. 5,000 federal employees work at the center. While many might view this as another example of The Infrastructure Crisis in the USA, it might actually be another example of mismanagement at the complex's landlord, the General Service Administration (GSA). Probably no one wants to go to work in an Atlanta July without a working A/C.
IOS

Private Data On iOS Devices Not So Private After All 100

Posted by timothy
from the it's-totally-intuitive dept.
theshowmecanuck (703852) writes with this excerpt from Reuters summarizing the upshot of a talk that Jonathan Zdziarski gave at last weekend's HOPE conference: Personal data including text messages, contact lists and photos can be extracted from iPhones through previously unpublicized techniques by Apple Inc employees, the company acknowledged this week. The same techniques to circumvent backup encryption could be used by law enforcement or others with access to the 'trusted' computers to which the devices have been connected, according to the security expert who prompted Apple's admission. Users are not notified that the services are running and cannot disable them, Zdziarski said. There is no way for iPhone users to know what computers have previously been granted trusted status via the backup process or block future connections. If you'd rather watch and listen, Zdziarski has posted a video showing how it's done.
Businesses

Cable Companies: We're Afraid Netflix Will Demand Payment From ISPs 199

Posted by timothy
from the who-pays-whom-for-what dept.
Dega704 (1454673) writes While the network neutrality debate has focused primarily on whether ISPs should be able to charge companies like Netflix for faster access to consumers, cable companies are now arguing that it's really Netflix who holds the market power to charge them. This argument popped up in comments submitted to the FCC by Time Warner Cable and industry groups that represent cable companies. (National Journal writer Brendan Sasso pointed this out.) The National Cable & Telecommunications Association (NCTA), which represents many companies including Comcast, Time Warner Cable, Cablevision, Cox, and Charter wrote to the FCC:

"Even if broadband providers had an incentive to degrade their customers' online experience in some circumstances, they have no practical ability to act on such an incentive. Today's Internet ecosystem is dominated by a number of "hyper-giants" with growing power over key aspects of the Internet experience—including Google in search, Netflix and Google (YouTube) in online video, Amazon and eBay in e-commerce, and Facebook in social media. If a broadband provider were to approach one of these hyper-giants and threaten to block or degrade access to its site if it refused to pay a significant fee, such a strategy almost certainly would be self-defeating, in light of the immediately hostile reaction of consumers to such conduct. Indeed, it is more likely that these large edge providers would seek to extract payment from ISPs for delivery of video over last-mile networks."
Related: an article at Gizmodo explains that it takes surprisingly little hardware to replicate (at least most of) Netflix's current online catalog in a local data center.
Encryption

Russia Posts $110,000 Bounty For Cracking Tor's Privacy 97

Posted by Soulskill
from the what-happens-in-siberia-stays-in-siberia dept.
hypnosec writes: The government of Russia has announced a ~$110,000 bounty to anyone who develops technology to identify users of Tor, an anonymising network capable of encrypting user data and hiding the identity of its users. The public description (in Russian) of the project has been removed now and it only reads "cipher 'TOR' (Navy)." The ministry said it is looking for experts and researchers to "study the possibility of obtaining technical information about users and users' equipment on the Tor anonymous network."
EU

Switching From Microsoft Office To LibreOffice Saves Toulouse 1 Million Euros 284

Posted by Soulskill
from the all-about-the-napoleans dept.
jrepin sends this EU report: The French city of Toulouse saved 1 million euro by migrating all its desktops from Microsoft Office to LibreOffice. This project was rooted in a global digital policy which positions free software as a driver of local economic development and employment. Former IT policy-maker Erwane Monthubert said, "Software licenses for productivity suites cost Toulouse 1.8 million euro every three years. Migration cost us about 800,000 euro, due partly to some developments. One million euro has actually been saved in the first three years. It is a compelling proof in the actual context of local public finance. ... France has a high value in free software at the international level. Every decision-maker should know this."
Encryption

New SSL Server Rules Go Into Effect Nov. 1 90

Posted by Soulskill
from the encrypt-your-calendars dept.
alphadogg writes: Public certificate authorities (CAs) are warning that as of Nov. 1 they will reject requests for internal SSL server certificates that don't conform to new internal domain naming and IP address conventions designed to safeguard networks. The concern is that SSL server digital certificates issued by CAs at present for internal corporate e-mail servers, Web servers and databases are not unique and can potentially be used in man-in-the-middle attacks involving the setup of rogue servers inside the targeted network, say representatives for the Certification Authority/Browser Forum (CA/B Forum), the industry group that sets security and operational guidelines for digital certificates. Members include the overwhelming bulk of public CAs around the globe, plus browser makers such as Microsoft and Apple. The problem today is that network managers often give their servers names like 'Server1' and allocate internal IP addresses so that SSL certificates issued for them through the public CAs are not necessarily globally unique, notes Trend Micro's Chris Bailey.
Idle

Poetry For Sysadmins: Shall I Compare Thee To a Lumbering Bear? 31

Posted by samzenpus
from the admin-admin-burning-bright-in-the-office-fluorescent-light dept.
itwbennett writes Don't forget that July 25th is Sysadmin Day — a good day to show love to the folks who save your butt again and again when you mess up your computer. Forget the chocolate and flowers, long-time sysadmin Sandra Henry-Stocker has tailored some poems to celebrate these under appreciated, hard-working souls.

"Just think of a computer as hardware you can program." -- Nigel de la Tierre

Working...