DEAL: For $25 - Add A Second Phone Number To Your Smartphone for life! Use promo code SLASHDOT25. Also, Slashdot's Facebook page has a chat bot now. Message it for stories and more. Check out the new SourceForge HTML5 Internet speed test! ×
The Military

Some Of The Pentagon's Critical Infrastructure Still Runs Windows 95 And 98 (defenseone.com) 119

SmartAboutThings writes: The Pentagon is set to complete its Windows 10 transition by the end of this year, but nearly 75% of its control system devices still run Windows XP or other older versions, including Windows 95 and 98. A Pentagon official now wants the bug bounty program of the top U.S. defense agency expanded to scan for vulnerabilities in its critical infrastructure.
DefenseOne raises the possibility of "building and electrical systems, HVAC equipment and other critical infrastructure laden with internet-connected sensors," with one military program manager saying "A lot of these systems are still Windows 95 or 98, and that's OK -- if they're not connected to the internet." Windows Report notes that though Microsoft no longer supports Windows XP, "the Defense Department is paying Microsoft to continue providing support for the legacy OS."
Android

Open Ports Create Backdoors In Millions of Smartphones (bleepingcomputer.com) 112

An anonymous reader writes: "Mobile applications that open ports on Android smartphones are opening those devices to remote hacking, claims a team of researchers from the University of Michigan," reports Bleeping Computer. Researchers say they've identified 410 popular mobile apps that open ports on people's smartphones. They claim that an attacker could connect to these ports, which in turn grant access to various phone features, such as photos, contacts, the camera, and more. This access could be leveraged to steal photos, contacts, or execute commands on the target's phone. Researchers recorded various demos to prove their attacks. Of these 410 apps, there were many that had between 10 and 50 million downloads on the official Google Play Store and even an app that came pre-installed on an OEMs smartphones. "Research on the mobile open port problem started after researchers read a Trend Micro report from 2015 about a vulnerability in the Baidu SDK, which opened a port on user devices, providing an attacker with a way to access the phone of a user who installed an app that used the Baidu SDK," reports Bleeping Computer. "That particular vulnerability affected over 100 million smartphones, but Baidu moved quickly to release an update. The paper detailing the team's work is entitled Open Doors for Bob and Mallory: Open Port Usage in Android Apps and Security Implications, and was presented Wednesday, April 26, at the 2nd IEEE European Symposium on Security and Privacy that took place this week in Paris, France."
Patents

Apple Patent Hints At Wirelessly Charging Your iPhone Via Wi-Fi Routers (appleinsider.com) 137

According to AppleInsider, "Apple is experimenting with medium- to long-distance wireless charging technologies that could one day allow users to charge up their iPhones with nothing more than a Wi-Fi router." From the report: Detailed in Apple's patent application for "Wireless Charging and Communications Systems With Dual-Frequency Patch Antennas" is a method for transferring power to electronic devices over frequencies normally dedicated to data communications. In its various embodiments, the invention notes power transfer capabilities over any suitable wireless communications link, including cellular between 700 MHz and 2700 MHz, and Wi-Fi operating at 2.4 GHz and 5 GHz. More specifically, the document's claims apply to millimeter wave 802.11ad spectrum channels currently in use by the WiGig standard, which operates over the 60 GHz frequency band. Theoretically, the proposal opens the door to wire-free charging from in-home Wi-Fi routers to cellular nodes and even satellite signals. Of course, amplitude in a wireless system is normally a function of distance. Like conventional wireless charging techniques, Apple's design requires two devices -- a transmitter and receiver -- to function. Each device contains one or more antennas coupled to wireless circuitry capable of making phase and magnitude adjustments to transmitted and received signals. Such hardware can be employed in dynamic beam steering operations.
Businesses

Should Banks Let Ancient Programming Language COBOL Die? (thenextweb.com) 371

COBOL is a programming language invented by Hopper from 1959 to 1961, and while it is several decades old, it's still largely used by the financial sector, major corporations and part of the federal government. Mar Masson Maack from The Next Web interviews Daniel Doderlein, CEO of Auka, who explains why banks don't have to actively kill COBOL and how they can modernize and "minimize the new platforms' connections to the old systems so that COBOL can be switched out in a safe and cheap manner." From the report: According to [Doderlein], COBOL-based systems still function properly but they're faced with a more human problem: "This extremely critical part of the economic infrastructure of the planet is run on a very old piece of technology -- which in itself is fine -- if it weren't for the fact that the people servicing that technology are a dying race." And Doderlein literally means dying. Despite the fact that three trillion dollars run through COBOL systems every single day they are mostly maintained by retired programming veterans. There are almost no new COBOL programmers available so as retirees start passing away, then so does the maintenance for software written in the ancient programming language. Doderlein says that banks have three options when it comes to deciding how to deal with this emerging crisis. First off, they can simply ignore the problem and hope for the best. Software written in COBOL is still good for some functions, but ignoring the problem won't fix how impractical it is for making new consumer-centric products. Option number two is replacing everything, creating completely new core banking platforms written in more recent programming languages. The downside is that it can cost hundreds of millions and it's highly risky changing the entire system all at once. The third option, however, is the cheapest and probably easiest. Instead of trying to completely revamp the entire system, Doderlein suggests that banks take a closer look at the current consumer problems. Basically, Doderlein suggests making light-weight add-ons in more current programming languages that only rely on COBOL for the core feature of the old systems.
The Almighty Buck

Computer Program Prevents 116-Year-Old Woman From Getting Pension (theguardian.com) 214

Bruce66423 quotes a report from The Guardian: Born at the turn of the past century, Maria Felix is old enough to remember the Mexican Revolution -- but too old to get the bank card needed to collect her monthly 1,200 pesos ($63) welfare payment. Felix turns 117 in July, according to her birth certificate, which local authorities recognize as authentic. She went three months without state support for poor elderly Mexicans after she was turned away from a branch of Citibanamex in the city of Guadalajara for being too old, said Miguel Castro, development secretary for the state of Jalisco. Welfare beneficiaries now need individual bank accounts because of new transparency rules, Castro said. "They told me the limit was 110 years," Felix said with a smile in the plant-filled courtyard of her small house in Guadalajara. In an emailed statement, Citibanamex, a unit of Citigroup Inc, said Felix's age exceeded the "calibration limits" of its system and it was working to get her the bank card as soon as possible. It said it was adjusting its systems to avoid a repeat of the situation.
Software

Ask Slashdot: Are Accurate Software Development Time Predictions a Myth? (medium.com) 220

New submitter DuroSoft writes: For myself and the vast majority of people I have talked to, this is the case. Any attempts we make to estimate the amount of time software development tasks will take inevitably end in folly. Do you find you can make accurate estimates, or is it really the case, as the author, DuroSoft Technologies' CTO/Co-CEO Sam Johnson, suggests via Hacker Noon, that "writing and maintaining code can be seen as a fundamentally chaotic activity, subject to sudden, unpredictable gotchas that take up an inordinate amount of time" and that therefore attempting to make predictions in the first place is itself a waste of our valuable time?
Microsoft

Maybe Don't Manually Install Windows 10 Creators Update, Says Microsoft (betanews.com) 114

Two weeks after Microsoft started rolling out Windows 10 Creators Update, the company has asked the users to avoid manually installing the major update. A report adds: But why? Because the update is causing problems for users. The first phase of the rollout targeted newer devices -- those most likely to be able to run the OS update with the minimum of problems -- and Microsoft is using the feedback from that first batch of updated systems to decide when to begin the next phase of the rollout. "For example, our feedback process identified a Bluetooth accessory connectivity issue with PCs that use a specific series of Broadcom radios," an executive said.
Windows

Windows is Bloated, Thanks to Adobe's Extensible Metadata Platform (bit.ly) 134

An anonymous reader shares a report: Over the weekend, I put together a little tool that scans executable files for PNG images containing useless Adobe Extensible Metadata Platform (XMP) metadata. I ran it against a vanilla Windows 10 image and was surprised that Windows contains a lot of this stuff. Adobe XMP, generally speaking, is an Adobe technology that serializes metadata like titles, internal identifiers, GPS coordinates, and color information into XML and jams it into things, like images. This data can be extremely valuable in some cases but Windows doesn't need or use this stuff. It just eats up disk space and CPU cycles. Thanks to horrible Adobe Photoshop defaults, it's very easy to unknowingly include this metadata in your final image assets. So easy, almost all the images on this site are chock full of it. But you can appreciate my surprise when a bunch of important Windows binaries showed up in my tool.
Security

Antivirus Webroot Deletes Windows Files, Causes Serious Problems For Users (pcworld.com) 67

Users of Webroot's endpoint security product, consumers and businesses alike, had a nasty surprise Monday when the program started flagging Windows files as malicious. From a report: The reports quickly popped up on Twitter and continued on the Webroot community forum -- 14 pages and counting. The company came up with a manual fix to address the issue, but many users still had problems recovering their affected systems. The problem is what's known in the antivirus industry as a "false positive" -- a case where a clean file is flagged as malicious and is blocked or deleted. False positive incidents can range in impact from merely annoying -- for example, when a program cannot run anymore -- to crippling, where the OS itself is affected and no longer boots. The Webroot incident falls somewhere in the middle because it affected legitimate Windows files and sent them to quarantine. This is somewhat unusual because antivirus firms typically build whitelists of OS files specifically to prevent false positive detections.
Botnet

BrickerBot, the Permanent Denial-of-Service Botnet, Is Back With a Vengeance (arstechnica.com) 112

An anonymous reader quotes a report from Ars Technica: BrickerBot, the botnet that permanently incapacitates poorly secured Internet of Things devices before they can be conscripted into Internet-crippling denial-of-service armies, is back with a new squadron of foot soldiers armed with a meaner arsenal of weapons. Pascal Geenens, the researcher who first documented what he calls the permanent denial-of-service botnet, has dubbed the fiercest new instance BrickerBot.3. It appeared out of nowhere on April 20, exactly one month after BrickerBot.1 first surfaced. Not only did BrickerBot.3 mount a much quicker number of attacks -- with 1,295 attacks coming in just 15 hours -- it used a modified attack script that added several commands designed to more completely shock and awe its targets. BrickerBot.1, by comparison, fired 1,895 volleys during the four days it was active, and the still-active BrickerBot.2 has spit out close to 12 attacks per day. Shortly after BrickerBot.3 began attacking, Geenens discovered BrickerBot.4. Together, the two newly discovered instances have attempted to attack devices in the research honeypot close to 1,400 times in less than 24 hours. Like BrickerBot.1, the newcomer botnets are made up of IoT devices running an outdated version of the Dropbear SSH server with public, geographically dispersed IP addresses. Those two characteristics lead Geenens to suspect the attacking devices are poorly secured IoT devices themselves that someone has compromised and used to permanently take out similarly unsecured devices. Geenens, of security firm Radware, has more details here.
Operating Systems

NSA's DoublePulsar Kernel Exploit a 'Bloodbath' (threatpost.com) 186

msm1267 quotes a report from Threatpost: A little more than two weeks after the latest ShadowBrokers leak of NSA hacking tools, experts are certain that the DoublePulsar post-exploitation Windows kernel attack will have similar staying power to the Conficker bug, and that pen-testers will be finding servers exposed to the flaws patched in MS17-010 for years to come. MS17-010 was released in March and it closes a number of holes in Windows SMB Server exploited by the NSA. Exploits such as EternalBlue, EternalChampion, EternalSynergy and EternalRomance that are part of the Fuzzbunch exploit platform all drop DoublePulsar onto compromised hosts. DoublePulsar is a sophisticated memory-based kernel payload that hooks onto x86 and 64-bit systems and allows an attacker to execute any raw shellcode payload they wish. "This is a full ring0 payload that gives you full control over the system and you can do what you want to it," said Sean Dillon, senior security analyst at RiskSense. Dillon was the first to reverse-engineer a DoublePulsar payload, and published his analysis last Friday. "This is going to be on networks for years to come. The last major vulnerability of this class was MS08-067, and it's still found in a lot of places," Dillon said. "I find it everywhere. This is the most critical Windows patch since that vulnerability." Dan Tentler, founder and CEO of Phobos Group, said internet-net wide scans he's running have found about 3.1 percent of vulnerable machines are already infected (between 62,000 and 65,000 so far), and that percentage is likely to go up as scans continue. "This is easily describable as a bloodbath," Tentler said.
Bug

Linux 4.11 Delayed For a Week (theregister.co.uk) 48

Linux kernel creator Linus Torvalds said over the weekend that v4.11 version of Linux has hit a speed bump in the form of "NVMe power management that apparently causes problems on some machines." The Register adds: "It's not entirely clear what caused the [NVMe] issue (it wasn't just limited to some NVMe hardware, but also particular platforms), but let's test it." Which sounds like a good idea, given that flash memory on the PCIe bus is increasingly mainstream. That problem and "a couple of really annoying" bugs mean that Torvalds has decided to do an eighth release candidate for Linux 4.11. "I did get fixes for the issues that popped up, so I could have released 4.11 as-is," Torvalds wrote, "but it just doesn't feel right."
Open Source

Systemd-Free Devuan Announces Its First Stable Release Candidate 'Jessie' 1.0.0 (devuan.org) 367

Long-time reader jaromil writes: Devuan 1.0.0-RC is announced, following its beta 2 release last year. The Debian fork that spawned over systemd controversy is reaching stability and plans long-term support. Devuan deploys an innovative continuous integration setup: with fallback on Debian packages, it overlays its own modifications and then uses the merged source repository to ship images for 11 ARM targets, a desktop and minimal live, vagrant and qemu virtual machines and the classic installer isos. The release announcement contains several links to projects that have already adopted this distribution as a base OS.
"Dear Init Freedom Lovers," begins the announcement, "Once again the Veteran Unix Admins salute you!" It points out that Devuan "can be adopted as a flawless upgrade path from both Debian Wheezy and Jessie. This is a main goal for the Devuan Jessie stable release and has proven to be a very stable operation every time it has been performed. "
Government

WikiLeaks Releases New CIA Secret: Tapping Microphones On Some Samsung TVs (fossbytes.com) 100

FossBytes reports: The whistleblower website Wikileaks has published another set of hacking tools belonging to the American intelligence agency CIA. The latest revelation includes a user guide for CIA's "Weeping Angel" tool... derived from another tool called "Extending" which belongs to UK's intelligence agency MI5/BTSS, according to Wikileaks. Extending takes control of Samsung F Series Smart TV. The highly detailed user guide describes it as an implant "designed to record audio from the built-in microphone and egress or store the data."

According to the user guide, the malware can be deployed on a TV via a USB stick after configuring it on a Linux system. It is possible to transfer the recorded audio files through the USB stick or by setting up a WiFi hotspot near the TV. Also, a Live Liston Tool, running on a Windows OS, can be used to listen to audio exfiltration in real-time. Wikileaks mentioned that the two agencies, CIA and MI5/BTSS made collaborative efforts to create Weeping Angel during their Joint Development Workshops.

Education

EFF Says Google Chromebooks Are Still Spying On Students (softpedia.com) 84

schwit1 quotes a report from Softpedia: In the past two years since a formal complaint was made against Google, not much has changed in the way they handle this. Google still hasn't shed its "bad guy" clothes when it comes to the data it collects on underage students. In fact, the Electronic Frontier Foundation says the company continues to massively collect and store information on children without their consent or their parents'. Not even school administrators fully understand the extent of this operation, the EFF says. According to the latest status report from the EFF, Google is still up to no good, trying to eliminate students privacy without their parents notice or consent and "without a real choice to opt out." This, they say, is done via the Chromebooks Google is selling to schools across the United States.
Android

Samsung Will Fix the Galaxy S8 Red Tint Issue With a Software Update (xda-developers.com) 31

When the Galaxy S8 and S8+ first launched, several users reported a red tint to the displays. But then a few days passed and more reports emerged about the issue being widespread, especially in South Korea where many owners are facing this issue. According to XDA Developers, Samsung is aware of the issue and will be issuing a software update to fix it. From the report: Some thought this was just the nature of OLED technology. Because it's organic, it is expected to have some sort of variance from one device to another. We've seen this time and time again on Samsung devices, and others which are using AMOLED panels that were sourced from Samsung. This is generally not a widespread issue though and most of the time the difference is rather small. For whatever reason though, this doesn't seem to be the case with the Galaxy S8 and the Galaxy S8+. This new OTA update to fix the red tint issue is said to be coming next week at the end of April, and Samsung assures their customers that there isn't a problem with the phone itself.
Cloud

Leaked Document Sheds Light On Microsoft's Chromebook Rival (windowscentral.com) 91

Microsoft has announced plans to host an event next month where it is expected to unveil Windows 10 Cloud operating system. Microsoft will be positioning the new OS as a competitor to Chrome OS, according to several reports. Windows Central has obtained an internal document which sheds light on the kind of devices that will be running Windows 10 Cloud. The hardware requirement that Microsoft has set for third-party OEMs is as follows: 1. Quad-core (Celeron or better) processor.
2. 4GB of RAM.
3. 32GB of storage (64GB for 64-bit). 4. A battery larger than 40 WHr.
5. Fast eMMC or solid state drive (SSD) for storage technology.
6. Pen and touch (optional).
The report adds that Microsoft wants these laptops to offer over 10-hour of battery life, and the "cold boot" should not take longer than 20 seconds.
Facebook

Neuroscientists Offer a Reality Check On Facebook's 'Typing By Brain' Project (ieee.org) 58

the_newsbeagle writes: Yesterday, Facebook announced that it's working on a "typing by brain" project, promising a non-invasive technology that can decode signals from the brain's speech center and translate them directly to text (see the video beginning at 1:18:00). What's more, Facebook exec Regina Dugan said, the technology will achieve a typing rate of 100 words per minute. Here, a few neuroscientists are asked: Is such a thing remotely feasible? One neuroscientist points out that his team set the current speed record for brain-typing earlier this year: They enabled a paralyzed man to type 8 words per minute, and that was using an invasive brain implant that could get high-fidelity signals from neurons. To date, all non-invasive methods that read brain signals through the scalp and skull have performed much worse. Thomas Naselaris, an assistant professor at the Medical University of South Carolina, says, "Our understanding of the way the words and their phonological and semantic attributes are encoded in brain activity is actually pretty good currently, but much of this understanding has been enabled by fMRI, which is noninvasive but very slow and not at all portable," he said. "So I think that the bottleneck will be the [optical] imaging technology," which is what Facebook's gear will be using.
Windows

File System Improvements To the Windows Subsystem for Linux (microsoft.com) 109

An anonymous reader shares a new article published on MSDN: In the latest Windows Insider build, the Windows Subsystem for Linux (WSL) now allows you to manually mount Windows drives using the DrvFs file system. Previously, WSL would automatically mount all fixed NTFS drives when you launch Bash, but there was no support for mounting additional storage like removable drives or network locations. Now, not only can you manually mount any drives on your system, we've also added support for other file systems such as FAT, as well as mounting network locations. This enables you to access any drive, including removable USB sticks or CDs, and any network location you can reach in Windows all from within WSL.
Microsoft

Microsoft Says It Will Release Two Feature Updates Per Year For Windows 10, Office (petri.com) 63

Microsoft is making a few changes to how it will service Windows, Office 365 ProPlus and System Center Configuration Manager. From a report: Announced today, Microsoft will be releasing two feature updates a year for Windows 10 in March in September and with each release, System Center Configuration Manager will support this new aligned update model for Office 365 ProPlus and Windows 10, making both easier to deploy and keep up to date. This is a big change for Microsoft as Windows will now be on a more predictable pattern for major updates and by aligning it with Office 365 Pro Plus, this should make these two platforms easier to service from an IT Pro perspective. The big news here is also that Microsoft is announcing when Redstone 3 is targeted for release. The company is looking at a September release window but it is worth pointing out that they traditionally release the month after the code is completed.

Slashdot Top Deals