Slashdot videos: Now with more Slashdot!

  • View

  • Discuss

  • Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

×
Space

Incorrectly Built SLS Welding Machine To Be Rebuilt 77

Posted by timothy
from the but-in-a-crash-you'd-be-totally-safe dept.
schwit1 writes A giant welding machine, built for NASA's multi-billion dollar Space Launch System (SLS), has to be taken apart and rebuilt because the contractor failed to reinforce the floor, as required, prior to construction: "Sweden's ESAB Welding & Cutting, which has its North American headquarters in Florence, South Carolina, built the the roughly 50-meter tall Vertical Assembly Center as a subcontractor to SLS contractor Boeing at NASA's Michoud Assembly Facility in New Orleans.

ESAB was supposed to reinforce Michoud's floor before installing the welding tool, but did not, NASA SLS Program Manager Todd May told SpaceNews after an April 15 panel session during the 31st Space Symposium here. As a result, the enormous machine leaned ever so slightly, cocking the rails that guide massive rings used to lift parts of the 8.4-meter-diameter SLS stages The rings wound up 0.06 degrees out of alignment, which may not sound like much, "but when you're talking about something that's 217 feet [66.14 meters] tall, that adds up," May said.

Asked why ESAB did not reinforce the foundation as it was supposed to, May said only it was a result of "a miscommunication between two [Boeing] subcontractors and ESAB."

It is baffling how everyone at NASA, Boeing, and ESAB could have forgotten to do the reinforcing, even though it was specified in the contract. It also suggests that the quality control in the SLS rocket program has some serious problems.
GUI

KDE Plasma 5.3 Beta Brings Lot of Improvements 62

Posted by timothy
from the gui-not-gooey dept.
jones_supa writes: The KDE project today announced the release of KDE Plasma 5.3 beta. It brings better power management, improved Bluetooth support, improved widgets, Wayland support, new media center, and nearly 350 bugfixes. The power management improvements include settings that can be independently configured per activity, there is a new energy usage monitor available in KInfoCenter, and a battery applet identifies applications that hog power. Bluetooth applet brings added support for blocking and unblocking devices. New touchpad module has been added as well. The combined window manager and compositor KWin is now able to start a nested XWayland server, which acts as a bridge between the old X11 and the new Wayland world.

Amazing bug-sized robots developed in DARPA project

Posted by Slashdot Staff
Researchers in Silicon Valley have developed insect-size robots that can manufacture microstructures that are too small and complex to be built by current machinery or by hand. The robots are part of work by SRI International into next-generation manufacturing technology funded by the Defense Advanced Projects Agency (DARPA), the U.S. military's research and development arm.
Windows

Remote Code Execution Vulnerability Found In Windows HTTP Stack 118

Posted by Soulskill
from the another-day,-another-vuln dept.
jones_supa writes: A remote code execution vulnerability exists in the Windows HTTP stack that is caused when HTTP.SYS parses specially-crafted HTTP requests. An attacker who has successfully exploited this vulnerability could execute arbitrary code under the SYSTEM context. Details of the bug are withheld, but exploit code is floating around. Microsoft describes the issue in security bulletin MS15-034. An update (KB3042553) is already available for all supported editions of Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2. As a workaround, Microsoft offers disabling IIS kernel caching.
Data Storage

New Samsung SSD 840 EVO Read Performance Fix Coming Later This Month 72

Posted by Soulskill
from the slower-than-fastest-but-faster-than-slowest dept.
An anonymous reader writes: The Samsung SSD 840 EVO read performance bug has been on the table for over six months now. Initially Samsung acknowledged the issue fairly quickly and provided a fix only a month after the news hit the mainstream tech media, but reports of read performance degradation surfaced again a few weeks after the fix had been released, making it clear that the first fix didn't solve the issue for all users. Two months ago Samsung announced that a new fix is in the works and last week Samsung sent out the new firmware along with Magician 4.6 for testing, which will be available to the public later this month.
Bug

Google Lollipop Bricking Nexus 5 and Nexus 7 Devices 179

Posted by timothy
from the upgrade-is-not-always-the-right-word dept.
First time accepted submitter Zape (303550) writes The Lollipop update has turned sour for me and several other Nexus 7, Gen 2 (and Nexus 5) owners. It seems that I'm not alone in having my tablet boot to the Google Logo since a couple of days after updating to Android 5.0.2. Now Nexus 5 owners are reporting a reboot loop in Android 5.1. My device, like many others, is a couple of months out of warranty, but worked great until the latest OTA update from Google. They branded it, and they updated it, but Google claims it is between the buyers and ASUS, the manufacturer.
Security

Heartbleed One Year Later: Has Anything Changed? 53

Posted by Soulskill
from the vulnerability-names-have-gotten-a-lot-more-annoying dept.
darthcamaro writes: It was on April 7, 2014 that the CVE-2014-0160 vulnerability titled "TLS heartbeat read overrun" in OpenSSL was first publicly disclosed — but to many its a bug known simply as Heartbleed. A new report from certificate vendor Venafi claims that 76% of organizations are still at risk, though it's a statistic that is contested by other vendors as well as other statistics. Qualys' SSL Pulse claims that only 0.3 percent of sites are still at risk. Whatever the risk is today, the bottom line is that Heartbleed did change the security conversation — but did it change it for the better or the worse? A related article explores how Heartbleed could have been found earlier.
Firefox

Mozilla Rolls Back Firefox 37's Opportunistic Encryption Over Security Issue 42

Posted by Soulskill
from the generates-too-many-opportunities dept.
darthcamaro writes: Barely a week ago, Mozilla released Firefox 37, which had a key new feature called opportunistic encryption. The basic idea is that it will do some baseline encryption for data that would have otherwise been sent by a user via clear text. Unfortunately, Mozilla has already issued Firefox 37.0.1, which removes opportunistic encryption. A security vulnerability was reported in the underlying Alternative Services capability that helps to enable opportunistic encryption. "If an Alt-Svc header is specified in the HTTP/2 response, SSL certificate verification can be bypassed for the specified alternate server. As a result of this, warnings of invalid SSL certificates will not be displayed and an attacker could potentially impersonate another site through a man-in-the-middle, replacing the original certificate with their own." They plan to re-enable opportunistic encryption when this issue is investigated and fixed.
Bug

Are Bug Bounties the Right Solution For Improving Security? 58

Posted by timothy
from the 10-bucks-says-they-might-be dept.
saccade.com writes Coding Horror's Jeff Atwood is questioning if the current practice of paying researchers bounties for the software vulnerabilities they find is really improving over-all security. He notes how the Heartbleed bug serves as a counter example to "Linus's Law" that "Given enough eyeballs, all bugs are shallow." "...If you want to find bugs in your code, in your website, in your app, you do it the old fashioned way: by paying for them. You buy the eyeballs. While I applaud any effort to make things more secure, and I completely agree that security is a battle we should be fighting on multiple fronts, both commercial and non-commercial, I am uneasy about some aspects of paying for bugs becoming the new normal. What are we incentivizing, exactly?
Windows

The Most Highly Voted Requests In Windows 10 Feedback Pool 159

Posted by timothy
from the those-sound-reasonable dept.
jones_supa writes: Some of you have probably used the Feedback app of Windows 10 Technical Preview, which has enabled us to submit feature requests and bug reports directly to Microsoft in order to improve the operating system as the company approaches the final release. While Microsoft tries to make some of the requests available, it also depends on the number of votes that each submission gets. Softpedia takes a look at the top 5 requests right now: make Feedback app available in final Windows, too; improve network connections management; allow task view drag windows between desktops; give Cortana the ability to open programs; and bring back resize options for Start Menu.
Bug

'Bar Mitzvah Attack' Plagues SSL/TLS Encryption 23

Posted by timothy
from the process-not-product dept.
ancientribe writes Once again, SSL/TLS encryption is getting dogged by outdated and weak options that make it less secure. This time, it's the weak keys in the older RC4 crypto algorithm, which can be abused such that an attacker can sniff credentials or other data in an SSL session, according to a researcher who revealed the hack today at Black Hat Asia in Singapore. A slice: Bar Mitzvah exploits the weak keys used by RC4 and allows an attacker to recover plain text from the encrypted information, potentially exposing account credentials, credit card data, or other sensitive information. And unlike previous SSL hacks, this one doesn't require an active man-in-the-middle session, just passive sniffing or eavesdropping on SSL/TLS-encrypted connections, [researcher Itsik] Mantin says. But MITM could be used as well, though, for hijacking a session, he says.
Bug

MIT Debuts Integer Overflow Debugger 40

Posted by timothy
from the measure-twice-cut-once dept.
msm1267 writes Students from M.I.T. have devised a new and more efficient way to scour raw code for integer overflows, the troublesome programming bugs that serve as a popular exploit vector for attackers and often lead to the crashing of systems. Researchers from the school's Computer Science and Artificial Intelligence Laboratory (CSAIL) last week debuted the platform dubbed DIODE, short for Directed Integer Overflow Detection. As part of an experiment, the researchers tested DIODE on code from five different open source applications. While the system was able to generate inputs that triggered three integer overflows that were previously known, the system also found 11 new errors. Four of the 11 overflows the team found are apparently still lingering in the wild, but the developers of those apps have been informed and CSAIL is awaiting confirmation of fixes.
Bug

OS X Users: 13 Characters of Assyrian Can Crash Your Chrome Tab 119

Posted by timothy
from the cat-like-typing-detected dept.
abhishekmdb writes No browsers are safe, as proved yesterday at Pwn2Own, but crashing one of them with just one line of special code is slightly different. A developer has discovered a hack in Google Chrome which can crash the Chrome tab on a Mac PC. The code is a 13-character special string which appears to be written in Assyrian script. Matt C has reported the bug to Google, who have marked the report as duplicate. This means that Google are aware of the problem and are reportedly working on it.
Encryption

OpenSSL Security Update Less Critical Than Expected, Still Recommended 64

Posted by timothy
from the man-nips-dog dept.
An anonymous reader writes As announced on Monday, the OpenSSL project team has released new versions of the cryptographic library that fix a number of security issues. The announcement created a panic within the security community, who were dreading the discovery of another Heartbleed-type bug, but as it turns out, the high severity issue fixed is a bug than can be exploited in a DoS attack against servers. Other issues fixed are mostly memory corruption and DoS flaws of moderate and low severity.
Programming

NTP's Fate Hinges On "Father Time" 287

Posted by samzenpus
from the time-will-tell dept.
Esther Schindler writes In April, one of the open source code movement's first and biggest success stories, the Network Time Protocol, will reach a decision point, writes Charlie Babcock. At 30 years old, will NTP continue as the preeminent time synchronization system for Macs, Windows, and Linux computers and most servers on networks? Or will this protocol go into a decline marked by drastically slowed development, fewer bug fixes, and greater security risks for the computers that use it? The question hinges to a surprising degree on the personal finances of a 59-year-old technologist in Talent, Ore., named Harlan Stenn.
Microsoft

Incomplete Microsoft Patch Left Machines Exposed To Stuxnet LNK Vulnerability 33

Posted by Soulskill
from the fixing-the-fix-that-fixed-not-much-at-all dept.
msm1267 writes: A five-year-old Microsoft patch for the .LNK vulnerability exploited by Stuxnet failed to properly protect Windows machines, leaving them exposed to exploits since 2010. Microsoft today is expected to release a security bulletin, MS15-020, patching the vulnerability (CVE-2015-0096). It is unknown whether there have been public exploits of patched machines. The original LNK patch was released Aug. 2, 2010. "That patch didn't completely address the .LNK issue in the Windows shell, and there were weaknesses left behind that have been resolved in this patch," said Brian Gorenc, manager of vulnerability research with HP's Zero Day Initiative. Gorenc said the vulnerability works on Windows machines going back to Windows XP through Windows 8.1, and the proof of concept exploit developed by Heerklotz and tweaked by ZDI evades the validation checks put in place by the original Microsoft security bulletin, CVE-2010-2568.
Google

TSYNC Not a Hard Requirement For Google Chrome After All 46

Posted by timothy
from the what-we-meant-was dept.
An anonymous reader writes A few days ago it appeared that Google began requiring new versions of the Linux kernel for the Chrome/Chromium web browser. To some people, such requirement smelled funny, and it turns out that those people had the right hunch. Google does not intend for there to be a hard requirement on the latest versions of the Linux kernel that expose SECCOMP_FILTER_FLAG_TSYNC, but instead many users are hitting an issue around it. A Chromium developer commented on the related bug: "Updating the title so that people who have been mislead into thinking non-TSYNC kernels were deprecated immediately understand that there is simply 'some unknown bug' hitting some users." Of course, a user having the TSYNC feature in his kernel will still get a security benefit.
Bug

Exploiting the DRAM Rowhammer Bug To Gain Kernel Privileges 180

Posted by Soulskill
from the flipping-tables-over-flipped-bits dept.
New submitter netelder sends this excerpt from the Project Zero blog: 'Rowhammer' is a problem with some recent DRAM devices in which repeatedly accessing a row of memory can cause bit flips in adjacent rows. We tested a selection of laptops and found that a subset of them exhibited the problem. We built two working privilege escalation exploits that use this effect. One exploit uses rowhammer-induced bit flips to gain kernel privileges on x86-64 Linux when run as an unprivileged userland process. When run on a machine vulnerable to the rowhammer problem, the process was able to induce bit flips in page table entries (PTEs). It was able to use this to gain write access to its own page table, and hence gain read-write access (PDF) to all of physical memory.
Bug

Google Chrome Requires TSYNC Support Under Linux 338

Posted by timothy
from the what-you-gotta-do dept.
An anonymous reader writes Google's Chrome/Chromium web browser does not support slightly older versions of the Linux kernel anymore. Linux 3.17 is now the minimum requirement. According to a thread on the Debian mailing list, a kernel feature called TSYNC is what makes the difference. When a backported patch for the Debian 8 kernel was requested, there were hostile replies about not wanting to support "Google spyware."
Ubuntu

Ubuntu To Officially Switch To systemd Next Monday 765

Posted by Soulskill
from the dissenting-dachshund dept.
jones_supa writes: Ubuntu is going live with systemd, reports Martin Pitt in the ubuntu-devel-announce mailing list. Next Monday, Vivid (15.04) will be switched to boot with systemd instead of UpStart. The change concerns desktop, server, and all other current flavors. Technically, this will flip around the preferred dependency of init to systemd-sysv | upstart in package management, which will affect new installs, but not upgrades. Upgrades will be switched by adding systemd-sysv to ubuntu-standard's dependencies. If you want, you can manually do the change already, but it's advisable to do an one-time boot first. Right now it is important that if you run into any trouble, file a proper bug report in Launchpad (ubuntu-bug systemd). If after some weeks it is found that there are too many or too big regressions, Ubuntu can still revert back to UpStart.