revealingheart writes "Creative Commons has launched new versions of their flexible copyright licenses, after two years of input. Changes include waiving database and moral rights where possible, and adjustments to attribution requirements. Licenses are now designed to work internationally by default."
v3rgEz writes "Wish you were a little more organized? Have trouble finding that archived contract when you actually need it? Don't feel too bad: The National Security Agency has the same problem, claiming that its contract database is stored manually and impossible to search by topic, category, or even by vendor in most cases."
MojoKid writes "Benchmarks are serious business. Buying decisions are often made based on how well a product scores, which is why the press and analysts spend so much time putting new gadgets through their paces. However, benchmarks are only meaningful when there's a level playing field, and when companies try to 'game' the business of benchmarking, it's not only a form of cheating, it also bamboozles potential buyers who (rightfully) assume the numbers are supposed to mean something. 3D graphics benchmark software developer Futuremark just 'delisted' a bunch of devices from its 3DMark benchmark results database because it suspects foul play is at hand. Of the devices listed, it appears Samsung and HTC in particular are indirectly being accused of cheating 3DMark for mobile devices. Delisted devices are stripped of their rank and scores. Futuremark didn't elaborate on which specific rule(s) these devices broke, but a look at the company's benchmarking policies reveals that hardware makers aren't allowed to make optimizations specific to 3DMark, nor are platforms allowed to detect the launch of the benchmark executable unless it's needed to enable multi-GPU and/or there's a known conflict that would prevent it from running."
First time accepted submitter conoviator writes "The NY Times has just published a piece providing more background on the healthcare.gov software project. One interesting aspect: 'Another sore point was the Medicare agency's decision to use database software, from a company called MarkLogic, that managed the data differently from systems by companies like IBM, Microsoft and Oracle. CGI officials argued that it would slow work because it was too unfamiliar. Government officials disagreed, and its configuration remains a serious problem.'" The story does not say that MarkLogic's software is bad in itself, only that the choice meant increased complexity on the project.
Bruce66423 writes with news that the IRS hasn't made much progress improving its poor IT security. From the article: "The Treasury Inspector General for Tax Administration found that the IRS had only partially implemented 42 percent of the corrective plans it checked off as completed in recent years. ... The review (PDF) showed that the IRS failed to properly track its progress toward completing many of the fixes auditors had recommended in recent years. The agency closed most of the cases without adequate documentation and did not always upload the necessary information into a database that helps ensure compliance."
recoiledsnake writes with news of Google tracking a bit more of your life. From the article: "Google is beta-testing a program that uses smartphone location data to determine when consumers visit stores, according to agency executives briefed on the program by Google employees. Google then connects these store visits to Google searches conducted on smartphones. If someone conducts a Google mobile search for 'screwdrivers,' for instance, a local hardware store could bid to have its store listing served to that user. By pairing that person's location data with its database of store listings, Google can see if the person who saw that ad subsequently visited the store. It is easiest for Google to conduct this passive location tracking on Android users, since Google has embedded location tracking into the software. Once Android users opt in to location services, Google starts collecting their location data as continuously as technologically possible."
First time accepted submitter binarstu writes "The New York Times reports that 'The C.I.A. is paying AT&T more than $10 million a year to assist with overseas counterterrorism investigations by exploiting the company's vast database of phone records, which includes Americans' international calls, according to government officials. The cooperation is conducted under a voluntary contract, not under subpoenas or court orders compelling the company to participate, according to the officials.'"
An anonymous reader writes "I've recently been charged with updating our existing serial console access tools. We have 12 racks of servers each with a console server in it (OpenGear, ACS, and a few others). Several of these systems host virtual machines which are also configured to have 'serial' management (KVM, virt serial). In total it comes to about 600 'systems.' All the systems also have remote power management (various vendors). Right now our team has a set of home grown scripts and a cobbled together database for keeping this all together. Today any admin can simply ssh into the master, run 'manage hostname console' and automatically get a serial console or run 'manage hostname power off' to cut the power to a system. I'd rather use some tools with more of a community than just the 4 of us. What tool(s) should I move my group onto for remote serial/power management?"
tsu doh nimh writes "A compromise at a U.S. company that brokers reservations for limousine and Town Car services nationwide has exposed the personal and financial information on more than 850,000 well-heeled customers, including Fortune 500 CEOs, lawmakers, and A-list celebrities. Krebsonsecurity.com writes about the break-in, which involved the theft of information on celebrities like Tom Hanks and LeBron James, as well as lawmakers such as the chairman of the U.S. House Judiciary Committee. The story also examines the potential value of this database for spies, drawing a connection to recent personalized malware attacks against Kevin Mandia, the CEO of incident response firm Mandiant. In an interview last month with Foreign Policy magazine, Mandia described receiving spear phishing attacks that spoofed receipts for recent limo rides; according to Krebs, the info for Mandia and two other Mandiant employees was in the stolen limo company database."
Frequent contributor Bennett Haselton writes: "A Harvard biologist was able to get an intentionally flawed paper accepted for publication by a number of open-access academic journals, including some that had supposedly been vetted for quality by advocates of open access. It seems the problem could be mitigated by consolidating journals within a field, so that there are far fewer of them, publishing many more articles per journal -- so the review processes take the same amount of labor, but you have fewer journals that have to be audited for procedural honesty." Read on for the rest, including his idea to solve the problem of fraudulent submissions (or even just sub-par science) through simplification.
starglider29a writes "Yesterday, a website I maintain that has a Twitter presence encountered an 'unsafe' warning when clicking on the tweets. 'This link has been flagged as potentially harmful.' After scanning the site and its database, then checking with Google and third-party site scanners, I found no evidence of harm. At noon, The Atlantic posted an article which describes the same issue with the Philadelphia City Paper. 'Perhaps most frustrating of all is that Twitter has not been particularly responsive to the paper's plight.' If the warnings are incorrect, how does Twitter justify this libel?"
realized writes "Experian — one of the three national U.S. credit bureaus — reportedly sold SSNs through its subsidiary, Court Ventures, to the operators of SuperGet.info, who then offered all of the information online for a price. The website would advertise having '99% to 100% of all USA' in their database on websites frequented by carders. Hieu Minh Ngo, the website owner, was recently indicted on 15 counts filed under seal in November 2012, charging him with conspiracy to commit wire fraud, substantive wire fraud, conspiracy to commit identity fraud, substantive identity fraud, aggravated identity theft, conspiracy to commit access device fraud, and substantive access device fraud."
An anonymous reader writes "Flow-based programming keeps resurfacing lately. FBP claims to make it easier for non-programmers to build applications by stringing together transformations built by expert programmers. Many projects have already been using similar approaches for a long time, with less (or different?) hype. Is it time to take a closer look at flow-based programming? 'Clean functions – functions without side effects – are effectively pure transformations. Something comes in, something goes out, and the results should be predictable. Functions that create side effects or rely on additional inputs (say, from a database) are more complicated to model, but it’s easier to train programmers to notice that complexity when it’s considered unusual. The difficulty, of course, is that decomposing programs into genuinely independent components in a fine-grained way is difficult. Many programmers have to re-orient themselves from orthodox object-oriented development, and shift to a world in which data structures are transparent but the behavior – the transformation – is not.'"
CowboyRobot writes "Penetration tester and long-time security professional Sumit 'Sid' Siddharth has developed a real-world SQL injection sandbox simulator, and invites the public for a capture the flag event later this month. 'The only way you can understand the true impact of vulnerabilities is by practicing exploitation. Even vulnerability identification goes hand-in-hand with exploitation,' says Siddharth. 'Sometimes identifying the vulnerability is really difficult, and it's only when you know advanced exploitation techniques that you can do so. We've also put together some really nice examples where identifying the vulnerability is really difficult, and we've asked people to find the needle in the haystack because that's how websites get compromised at the end of the day.'"
jones_supa writes "Greg Jorgensen specializes in debugging, fixing, maintaining, and extending legacy software systems. His typical client has a web site or internal application that works, more or less, but the original developer isn't available. Greg lists some things you can do in your own software projects to keep him in business. In summary, the list goes as follows: Customize your development environment a lot, and don't make it easy for the next programmer to start working on the code. Create an elaborate build and deployment environment and remember to leave out the documentation. Don't bother with a testing/staging server; instead have secret logins and backdoor URLs to test new features, and mix test data with real data in your database. Don't bother with a well-understood framework; write everything from scratch instead. Add dependencies on specific versions of libraries and resources, but don't protect or document those dependencies. For the icing on the cake, use the coolest mix of cutting-edge programming languages."
Hugh Pickens DOT Com writes "No one wants to buy a stolen bike, but if you see a bike you're interested in on Craigslist or at a flea market, there isn't a good way to know if it's stolen. Now Kickstarter has an interesting project that is looking for funding to expand a searchable database that will help users protect their bikes by permanently saving the bike's serial number. 'We regularly saw people trying to sell stolen bikes, and would search for the bikes online — but it was too difficult to find definitive information about them because too few people save their serial numbers,' says Seth Herr, founder of the Bike Index and lead developer of the project. Herr envisions Bike Index as a way to solve the 'awareness problem' — awareness of existing registries and of a bike's identifying information. 'A common problem when people get their bikes stolen is that it's like the first time the owner thinks about "What was my serial number?" and other details that are important in recovering a stolen bike,' says Marcus Moore. If every bike shop integrated Bike Index registration at the point of sale, that would make it easy for victims of bike theft to accurately report a stolen bike, and for bike purchasers to verify that they aren't buying stolen goods. The Project plans to collaborate with Bryan Hance, the founder of stolenbikeregistry.com, one of the Internet's first-ever registries to track stolen bikes, which already has almost 20,000 bicycles in its registry."
theodp writes "Q. What do you get when Bill Gates and Rupert Murdoch put their heads together? A. inBloom (aka SLC), the Gates Foundation-bankrolled and News Corp. subsidiary-implemented collaboration whose stated mission is to 'inform and involve each student and teacher with data and tools designed to personalize learning.' It's noble enough sounding, but as the NY Times reports, the devil is in the details when it comes to deciding who sees students' academic and behavioral data. inBloom execs maintain their service has been unfairly maligned, saying it is entirely up to school districts or states to decide which details about students to store in the system and with whom to share them. However, a video on inBloom's Web site suggesting what this techno-utopia might look like may give readers of 1984 some pause. In one scene, a teacher with a tablet crouches next to a second-grader evaluating how many words per minute he can read: 55 words read; 43 correctly. Later, she moves to a student named Tyler and selects an e-book 'for at-risk students' for his further reading. The video follows Tyler home, where his mom logs into a parent portal for an update on his status — attendance, 86%; performance, 72% — and taps a button to send the e-book to play on the family TV. And another scene shows a geometry teacher reassigning students' seating assignments based on their 'character strengths', moving a green-coded female student ('actively participates: 98%') next to a red-and-yellow coded boy ('shows enthusiasm: 67%'). The NYT also mentions a parent's concern that school officials hoping to receive hefty Gates Foundation Grants may not think an agreement with the Gates-backed inBloom completely through."
The Guardian has released new documents from Edward Snowden showing how the U.S. National Security Agency targets internet anonymity tool Tor to gather intelligence. One of the documents, a presentation titled "Tor Stinks," bluntly acknowledges how effective the tool is: "We will never be able to de-anonymize all Tor users all the time. With manual analysis we can de-anonymize a very small fraction of Tor users, however, no success de-anonymizing a user in response to a TOPI request/on demand." (Other documents: presentation 1, presentation 2.) The NSA is able to extract information sometimes, though, and Bruce Schneier details what we know of that process in an article of his own. "The NSA creates 'fingerprints' that detect http requests from the Tor network to particular servers. These fingerprints are loaded into NSA database systems like XKeyscore, a bespoke collection and analysis tool which NSA boasts allows its analysts to see 'almost everything' a target does on the internet. ... After identifying an individual Tor user on the internet, the NSA uses its network of secret internet servers to redirect those users to another set of secret internet servers, with the codename FoxAcid, to infect the user's computer. FoxAcid is an NSA system designed to act as a matchmaker between potential targets and attacks developed by the NSA, giving the agency opportunity to launch prepared attacks against their systems." Schneier explains in a related article why it's important that we figure out exactly what the NSA is doing. "Given how inept the NSA was at protecting its own secrets, it's extremely unlikely that Edward Snowden was the first sysadmin contractor to walk out the door with a boatload of them. And the previous leakers could have easily been working for a foreign government."