Bug

RealTek SDK Introduces Vulnerability In Some Routers

Posted by Soulskill
from the won't-fix dept.
jones_supa writes: SOHO routers from manufacturers including at least Trendnet and D-Link allow attackers anywhere in the world to execute malicious code on the devices, according to a security advisory issued over the weekend. The remote command-injection vulnerability resides in the "miniigd SOAP service" as implemented by the RealTek SDK. Before someone asks, there is no comprehensive list of manufacturers or models that are affected. Nerds may be able to spot them by using the Metasploit framework to query their router. If the response contains "RealTek/v1.3" or similar, the device is likely vulnerable. For now, the vulnerable routers should be restricted to communicate only with trusted devices. HP's Zero Day Initiative reported the bug confidentially to RealTek in August 2013, but the issue was disclosed 20 months later as no fix had been provided.
HP

Carly Fiorina Calls Apple's Tim Cook a 'Hypocrite' On Gay Rights

Posted by timothy
from the fightin'-words dept.
HughPickens.com writes: David Knowles reports at Bloomberg that former Hewlett-Packard CEO and potential 2016 presidential candidate Carly Fiorina called out Apple CEO Tim Cook as a hypocrite for criticizing Indiana and Arkansas over their Religious Freedom Restoration Acts while at the same time doing business in countries where gay rights are non-existent. "When Tim Cook is upset about all the places that he does business because of the way they treat gays and women, he needs to withdraw from 90% of the markets that he's in, including China and Saudi Arabia," Fiorina said. "But I don't hear him being upset about that."

In similar criticism of Hillary Clinton on the Fox News program Hannity, Fiorina argued that Clinton's advocacy on behalf of women was tarnished by donations made to the Clinton Foundation from foreign governments where women's rights are not on par with those in America. "I must say as a woman, I find it offensive that Hillary Clinton travels the Silicon Valley, a place where I worked for a long time, and lectures Silicon Valley companies on women's rights in technology, and yet sees nothing wrong with taking money from the Algerian government, which really denies women the most basic human rights. This is called, Sean, hypocrisy." While Hillary Clinton hasn't directly addressed Fiorina's criticisms, her husband has. "You've got to decide, when you do this work, whether it will do more good than harm if someone helps you from another country," former president Bill Clinton said in March. "And I believe we have done a lot more good than harm. And I believe this is a good thing."
Transportation

World's First 1 Megawatt All-Electric Race Car

Posted by timothy
from the never-offer-them-a-jump dept.
New submitter MotoJ writes: A Latvian company has announced plans to race a one-megawatt all-electric race car. It has a 50 kWh lithium-ion battery pack and is propelled by six YASA-400 electric motors. It provides 1020 kW (1368 hp) and a top speed of 260 km/h. It has a real chance to become the first overall winner of the Pikes Peak International Hill Climb competition with an electric vehicle. That's something to look forward to, and I'm curious who will pilot this machine. The race is on June 28, 2015. The same company has an equally interesting all-electric off-road racer.
HP

Former HP CEO Carly Fiorina Near Launching Presidential Bid

Posted by samzenpus
from the in-the-hunt dept.
Rambo Tribble writes: Former Hewlett-Packard CEO Carly Fiorina announced on Fox News Sunday that she stood a 'higher than 90 percent' chance of running as a presidential candidate in 2016. Fiorina's tenure at HP was marked by controversy over her leadership, and it is unclear what level of name recognition she enjoys. Her only previous political experience appears to be a failed bid for a U.S. Senate seat in 2010, as the Republican candidate challenging sitting Democrat Barbara Boxer, in California. Fiorina lost by 10%.
The Military

Islamic State Doxes US Soldiers, Airmen, Calls On Supporters To Kill Them

Posted by samzenpus
from the directions-to-a-murder dept.
An anonymous reader writes in with this story about the latest weapon used by ISIS: doxing. "Middle East terrorist organization Islamic State (ISIS) has called on its followers to take the fight to 100 members of the United States military residing in the US. A group calling itself the 'Islamic State Hacking Division' has posted names, addresses, and photographs of soldiers, sailors, and airmen online, asking its 'brothers residing in America' to murder them, according to Reuters. Although the posting purports to come from the 'Hacking Division,' US Department of Defense officials say that none of their systems appear to have been breached by the group. Instead, the personal data was almost certainly culled from publicly available sources, a DoD official told the New York Times on the condition of anonymity."
Security

LightEater Malware Attack Places Millions of Unpatched BIOSes At Risk

Posted by timothy
from the nothing's-perfect dept.
Mark Wilson writes: Two minutes is all it takes to completely destroy a computer. In a presentation entitled 'How many million BIOSes would you like to infect?' at security conference CanSecWest, security researchers Corey Kallenberg and Xeno Kovah revealed that even an unskilled person could use an implant called LightEater to infect a vulnerable system in mere moments. The attack could be used to render a computer unusable, but it could also be used to steal passwords and intercept encrypted data. The problem affects motherboards from companies including Gigabyte, Acer, MSI, HP and Asus. It is exacerbated by manufacturers reusing code across multiple UEFI BIOSes and places home users, businesses and governments at risk.
Chrome

Every Browser Hacked At Pwn2own 2015, HP Pays Out $557,500 In Awards

Posted by Soulskill
from the another-four-bite-the-dust dept.
darthcamaro writes: Every year, browser vendors patch their browsers ahead of the annual HP Pwn2own browser hacking competition in a bid to prevent exploitation. The sad truth is that it's never enough. This year, security researchers were able to exploit fully patched versions of Mozilla Firefox, Google Chrome, Microsoft Internet Explorer 11 and Apple Safari in record time. For their efforts, HP awarded researchers $557,500. Is it reasonable to expect browser makers to hold their own in an arms race against exploits? "Every year, we run the competition, the browsers get stronger, but attackers react to changes in defenses by taking different, and sometimes unexpected, approaches," said Brian Gorenc, manager of vulnerability research for HP Security Research.
Science

Scientific Study Finds There Are Too Many Scientific Studies

Posted by Soulskill
from the my-study-can-beat-up-your-study dept.
HughPickens.com writes: Chris Matyszczyk reports at Cnet that a new scientific study concludes there are too many scientific studies — scientists simply can't keep track of all the studies in their field. The paper, titled "Attention Decay in Science," looked at all publications (articles and reviews) written in English up to the end of 2010 within the database of the Thomson Reuters (TR) Web of Science. For each publication they extracted its year of publication, the subject category of the journal in which it is published and the corresponding citations to that publication. The 'decay' the researchers investigated is how quickly a piece of research is discarded, measured by establishing the initial publication, the peak in its popularity and, ultimately, its disappearance from citations in subsequent publications.

"Nowadays papers are forgotten more quickly. Attention, measured by the number and lifetime of citations, is the main currency of the scientific community, and along with other forms of recognition forms the basis for promotions and the reputation of scientists," says the study. "Typically, the citation rate of a paper increases up to a few years after its publication, reaches a peak and then decreases rapidly. This decay can be described by an exponential or a power law behavior, as in ultradiffusive processes, with exponential fitting better than power law for the majority of cases (PDF). The decay is also becoming faster over the years, signaling that nowadays papers are forgotten more quickly." Matyszczyk says, "If publication has become too easy, there will be more and more of it."
Businesses

Open Source Hardware Approaching Critical Mass

Posted by Soulskill
from the nuclear-metaphors dept.
angry tapir writes: The Open Compute Project, which wants to open up hardware the same way Linux opened up software, is starting to tackle its forklift problem. You can't download boxes or racks, so open-source hardware needs a supply chain, said OCP President and Chairman Frank Frankovsky, kicking off the Open Compute Project Summit in San Jose. The companies looking to adopt this kind of gear include some blue-chip names: Bank of America, Goldman Sachs and Capital One are members. The idea is that if a lot of vendors build hardware to OCP specifications, IT departments will have more suppliers to choose from offering gear they can easily bring into their data centers. Standard hardware can also provide more platforms for innovative software, Frankovsky said. Now HP and other vendors are starting to deliver OCP systems in a way the average IT department understands. At the same time, the organization is taking steps to make sure new projects are commercially viable rather than just exercises in technology.
Microsoft

Incomplete Microsoft Patch Left Machines Exposed To Stuxnet LNK Vulnerability

Posted by Soulskill
from the fixing-the-fix-that-fixed-not-much-at-all dept.
msm1267 writes: A five-year-old Microsoft patch for the .LNK vulnerability exploited by Stuxnet failed to properly protect Windows machines, leaving them exposed to exploits since 2010. Microsoft today is expected to release a security bulletin, MS15-020, patching the vulnerability (CVE-2015-0096). It is unknown whether there have been public exploits of patched machines. The original LNK patch was released Aug. 2, 2010. "That patch didn't completely address the .LNK issue in the Windows shell, and there were weaknesses left behind that have been resolved in this patch," said Brian Gorenc, manager of vulnerability research with HP's Zero Day Initiative. Gorenc said the vulnerability works on Windows machines going back to Windows XP through Windows 8.1, and the proof of concept exploit developed by Heerklotz and tweaked by ZDI evades the validation checks put in place by the original Microsoft security bulletin, CVE-2010-2568.
Portables

Ultralight Convertibles Approaching Desktop Performance

Posted by timothy
from the lots-of-moving-parts-to-break dept.
MojoKid writes: Laptops with fully articulating hinges are starting to show up from more vendors than just Lenovo, though the company certainly got some mileage out of their Yoga brand of machines. Now it appears HP is getting in on the action as well, with the new HP Spectre X360 that's powered by Intel's new Core i5-5200U Broadwell-based processor with integrated Intel HD 5500 series graphics, along with 8GB of DDR3-1600 memory, a 256GB Solid State Drive (a Samsung M.2 PCIe SSD), 802.11ac WiFi, and a 13.3" Full HD (1920x1080) multi-touch screen. The Spectre X360 has geared and spring-assisted hinges. The hinges swing open easily, and then offer more resistance as the screen is moved into an upright position, or swung around into tent, stand, or tablet modes. What's also interesting about this new breed of convertibles, beyond just its ability to contort into tablet mode and various other angles, is that performance for these ultralight platforms is scaling up nicely, with faster, low-power processors and M.2 PCIe Solid State Drives offering up a very responsive experience and under 10 second boot times. It has gotten to the point that 3 pound and under notebooks feel every bit as nimble as desktop machines, at least for mainstream productivity and media consumption usage models.
Earth

Most Americans Support Government Action On Climate Change

Posted by Soulskill
from the politics-of-science dept.
mdsolar points out this report in the NY Times: An overwhelming majority of the American public, including nearly half of Republicans, support government action to curb global warming, according to a poll conducted by The New York Times, Stanford University and the nonpartisan environmental research group Resources for the Future. In a finding that could have implications for the 2016 presidential campaign, the poll also found that two-thirds of Americans say they are more likely to vote for political candidates who campaign on fighting climate change. They are less likely to vote for candidates who question or deny the science of human-caused global warming.

Among Republicans, 48 percent said they are more likely to vote for a candidate who supports fighting climate change, a result that Jon A. Krosnick, a professor of political science at Stanford University and an author of the survey, called "the most powerful finding" in the poll. Many Republican candidates either question the science of climate change or do not publicly address the issue.
Communications

Mozilla Dusts Off Old Servers, Lights Up Tor Relays

Posted by timothy
from the good-citizenship dept.
TechCurmudgeon writes: According to The Register, "Mozilla has given the Tor network a capacity kick with the launch of 14 relays that will help distribute user traffic. Engineers working under the Foundation's Polaris Project inked in November pulled Mozilla's spare and decommissioned hardware out of the cupboard for dedicated use in the Tor network. It included a pair of Juniper EX4200 switches and three HP SL170zG6 (48GB RAM, 2*Xeon L5640, 2*1Gbps NIC) servers, along with a dedicated existing IP transit provider (2 x 10Gbps). French Mozilla engineer Arzhel Younsi (@xionoxfr) said its network was designed to fall no lower than half of its network capacity in the event of maintenance or failure. The Polaris initiative was an effort of Mozilla, the Tor Project and the Centre for Democracy and Technology to help build more privacy controls into technology."
Businesses

The Tech Industry's Legacy: Creating Disposable Employees

Posted by Soulskill
from the train-your-replacement-to-train-your-replacement dept.
An anonymous reader writes: VentureBeat is running an indictment of the tech industry's penchant for laying off huge numbers of people, which they say is responsible for creating a culture of "disposable employees." According to recent reports, layoffs in the tech sector reached over 100,000 last year, the highest total since 2009. Of course, there are always reasons for layoffs: "Companies buy other companies and need to rationalize headcount. And there's all that disruption. Big companies, in particular, are seeing their business models challenged by startups, so they need to shed employees with skills they no longer need, and hire people with the right skills."

But the article argues that this is often just a smokescreen. "The notion here is that somehow these companies are backed into a corner, with no other option than to fire people. And that's just not true. These companies are making a choice. They're deciding that it's faster and cheaper to chuck people overboard and find new ones than it is to retrain them. The economics of cutting rather than training may seem simple, but it's a more complex calculation than most people believe. ... Many of these companies are churning through employees, laying off hundreds on one hand, while trying to hire hundreds more."
HP

Serious Fraud Office Drops Investigation Into Autonomy Accounting

Posted by Soulskill
from the government-agencies-with-funny-names dept.
mrspoonsi sends up an update on the investigation into Autonomy, a software company acquired by HP in 2011. HP paid a staggering $11.7 billion in the deal, then later wrote off $8.8 billion and claimed Autonomy's management intentionally defrauded them. The UK Serious Fraud Office opened a case on the matter in 2013, but that investigation has now been dropped. According to the Office's press release, they felt there was "insufficient evidence for a realistic prospect of conviction," given the information they had to work with. Autonomy is not off the hook, however — the case has now been entirely ceded to U.S. authorities.
Programming

Interviews: Alexander Stepanov and Daniel E. Rose Answer Your Questions

Posted by samzenpus
from the read-all-about-it dept.
samzenpus writes: "Alexander Stepanov is an award-winning programmer who designed the C++ Standard Template Library. Daniel E. Rose is a programmer, research scientist, and the Chief Scientist for Search at A9.com. In addition to working together, the duo have recently written a new book titled From Mathematics to Generic Programming. Earlier this month you had a chance to ask the pair about their book, their work, or programming in general. Below you'll find the answers to those questions."
Security

Adobe Patches Nine Vulnerabilities In Flash

Posted by samzenpus
from the protect-ya-neck dept.
jones_supa writes: Adobe has patched nine vulnerabilities in Flash Player — four of which are considered "critical" — in order to protect against malicious attackers who could exploit the bugs to take control of an affected system. Adobe acknowledged security researchers from Google, McAfee, HP, and Verisign. Flash's security bulletin contains more information on the vulnerabilities. The issues are fixed in mainline Flash Player 16.0.0.257 (incl. the Google Chrome Linux version), extended support release 13.0.0.260, and Linux standalone plugin 11.2.202.429.
Linux

Sloppy File Permissions Make Red Star OS Vulnerable

Posted by Soulskill
from the helps-to-feed-your-developers dept.
An anonymous reader writes: Red Star OS Desktop 3.0, the official Linux distro of North Korea, which recently found its way onto torrents and various download sites in the form of an ISO image, is interesting for a number of reasons, including its attempt to look like commercial operating systems (currently OS X; earlier versions mimicked the Windows GUI). Hackers are also poking Red Star for security vulnerabilities. A pseudonymous researcher noted in a post to the Open Source Software Security (oss-sec) mailing list that the OS has one significant security hole: Red Star 3.0 ships with a world-writable udev rule file /etc/udev/rules.d/85-hplj10xx.rules (originally designed for HP LaserJet 1000 series printers) which can be modified to include RUN+= arguments executing arbitrary commands as root via udev. In the post he also mentions how the older Red Star 2.0 shipped with another schoolboy mistake: /etc/rc.d/rc.sysinit was world-writable.
Open Source

Big Names Dominate Open Source Funding

Posted by Soulskill
from the all-about-the-open-source-benjamins dept.
jones_supa writes: Network World's analysis of publicly listed sponsors of 36 prominent open-source non-profits and foundations reveals that the lion's share of financial support for open-source groups comes from a familiar set of names. Google was the biggest supporter, appearing on the sponsor lists of eight of the 36 groups analyzed. Four companies – Canonical, SUSE, HP and VMware – supported five groups each, and seven others (Nokia, Oracle, Cisco, IBM, Dell, Intel and NEC) supported four. For its part, Red Hat supports three groups (Linux Foundation, Creative Commons and the Open Virtualization Alliance).

It's tough to get more than a general sense of how much money gets contributed to which foundations by which companies – however, the numbers aren't large by the standards of the big contributors. The average annual revenue for the open-source organizations considered in the analysis was $4.36 million, and that number was skewed by the $27 million taken in by the Wikimedia Foundation (whose interests range far beyond OSS development) and the $17 million posted by the Linux Foundation.