angry tapir writes "Google security engineer Tavis Ormandy discovered several flaws in Sophos antivirus and says the product should be kept away from high value information systems unless the company can avoid easy mistakes and issue patches faster. Ormandy has released a scathing 30-page analysis (PDF) 'Sophail: Applied attacks against Sophos Antivirus,' in which he details several flaws 'caused by poor development practices and coding standards,' topped off by the company's sluggishly response to the warning he had working exploits for those flaws. One of the exploits Ormandy details is for a flaw in Sophos' on-access scanner, which could be used to unleash a worm on a network simply by targeting a company receiving an attack email via Outlook. Although the example he provided was on a Mac, the 'wormable, pre-authentication, zero-interaction, remote root' affected all platforms running Sophos. (Ormandy released the paper as an independent researcher, not in his role as a Google employee.)"
Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!
Several readers have submitted news of the inevitable problems involved with trying to securely collect information from tens of millions of people on the same day. A video is making the rounds of a touchscreen voting machine registering a vote for Mitt Romney when Barack Obama was selected. A North Carolina newspaper is reporting that votes for Romney are being switched to Obama. Voters are being encouraged to check and double-check that their votes are recorded accurately. In Ohio, some recently-installed election software got a pass from a District Court Judge. In Galveston County, Texas, poll workers didn't start their computer systems early enough to be ready for the opening of the polls, which led to a court order requiring the stations to be open for an extra two hours at night. Yesterday we discussed how people in New Jersey who were displaced by the storm would be allowed to vote via email; not only are some of the emails bouncing, but voters are being directed to request ballots from a county clerk's personal Hotmail account. If only vote machines were as secure as slot machines. Of course, there's still the good, old fashioned analog problems; workers tampering with ballots, voters being told they can vote tomorrow, and people leaving after excessively long wait times.
Riskable writes "Version 1.1 of Gate One (HTML5 terminal emulator/SSH client) was just released (download). New features include security enhancements, major performance improvements, mobile browser support, improved terminal emulation, automatic syntax highlighting of syslog messages, PDFs can now be captured/displayed just like images, Python 3 support, Internet Explorer (10) support, and quite a lot more (full release notes). There's also a new demo where you can try out vim in your browser, play terminal games (nethack, vitetris, adventure, zangband, battlestar, greed, robotfindskitten, and hangman), surf the web in lynx, and a useful suite of IPv6-enabled network tools (ping, traceroute, nmap, dig, and a domain name checker)." Gate One is dual licensed (AGPLv3/Commercial Licensing); for individuals, it's pay-as-you-please.
Mark.JUK writes "Scientists working under an EU funded (3 Million Euros) project out of Bangor University in Wales (United Kingdom) have developed a commercially-exploitable way of boosting broadband speeds over end-user fibre optic lines by using Optical Orthogonal Frequency Division Multiplexing (OOFDM) technology, which splits a laser down to multiple different optical frequencies (each of which can be used to carry data), and low-cost off-the-shelf components. The scientists claim that their solution has the ability to 'increase broadband transmission by up to two thousand times the current speed and capacity' (most UK Fibre-to-the-Home or similar services currently offer less than 100 Megabits per second) and it can do this alongside a 'significant reduction in electrical power consumption.'"
dstates writes "Want a good job in IT? Detroit of all places may be the place to be. GM is bringing IT development back in house to speed innovation. Among other initiatives, a self driving Cadillac is planned by mid decade. Ford is also actively developing driver assist technology and is betting big on voice recognition. Ann Arbor has thousands of smart cars wirelessly connected on the road. Think about all those aging baby boomers with houses in the burbs and no desire to move as their vision and reflexes decline. The smart car is a huge market. Seriously, Detroit and SE Michigan have good jobs, great universities, cheap housing and easy access to great sports and outdoors activities."
Gunkerty Jeb writes "Side-channel attacks against cryptography keys have, until now, been limited to physical machines. Researchers have long made accurate determinations about crypto keys by studying anything from variations in power consumption to measuring how long it takes for a computation to complete. A team of researchers from the University of North Carolina, University of Wisconsin, and RSA Security has ramped up the stakes, having proved in controlled conditions (PDF) that it's possible to steal a crypto key from a virtual machine. The implications for sensitive transactions carried out on public cloud infrastructures could be severe should an attacker land his malicious virtual machine on the same physical host as the victim. Research has already been conducted on how to map a cloud infrastructure and identify where a target virtual machine is likely to be."
Esther Schindler writes "Why is it that young developers imagine that older programmers can't program in a modern environment? Too many of us of a 'certain age' are facing an IT work environment that is hostile to older workers. Lately, Steven Vaughan-Nichols has been been noticing that the old meme about how grandpa can't understand iPhones, Linux, or the cloud is showing up more often even as it's becoming increasingly irrelevant. The truth is: Many older developers are every bit as good as young programmers, and he cites plenty of example of still-relevant geeks to prove it. And he writes, 'Sadly, while that should have put an end to the idea that long hours are a fact of IT life, this remnant of our factory-line past lingers both in high tech and in other industries. But what really matters is who's productive and who's not.'"
derekmead writes "By law, US companies don't have to say a word about hacker attacks, regardless of how much it might've cost their bottom line. Comment, the group of Chinese hackers suspected in the recent-reported Coke breach, also broke into the computers of the world's largest steel company, ArcelorMittal. ArcelorMittal doesn't know exactly how much was stolen and didn't think it was relevant to share news of the attack with its shareholders. Same goes for Lockheed Martin who fended off a 'significant and tenacious' attack last May but failed to disclose the details to investors and the Securities Exchange Commission. Dupont got hit twice by Chinese hackers in 2009 and 2010 and didn't say a word. Former U.S. counterintelligence chief Joel Brenner recently said that over 2,000 companies, ISPs and research centers had been hit by Chinese hackers in the past decade and few of them told their shareholders about it. This is even after the SEC has made multiple requests for companies to come clean about cyber security breaches in their quarterly or annual earnings reports. Because the potential losses, do hacked companies have a responsibility to report security breaches to investors?"
New submitter Journe writes "Anonymous claims to have begun a hacking spree for the 5th of November. In their spree, they've laid waste to several Australian Government sites, and, for some reason, the site of Saturday Night Live. They also claim to have leaked VMware source code, along with user and employee info from Paypal and Symantec. There's some argument however that Anonymous is falsely taking claim for Symantec."
MojoKid writes "AMD's new Piledriver-based Opterons are launching today, completing a product refresh that the company began last spring with its Trinity APUs. The new 12 & 16-core Piledriver parts are debuting as the Opteron 6300 series. AMD predicts performance increases of about 8% in integer and floating-point operations. With this round of CPUs, AMD has split its clock speed Turbo range into 'Max' and 'Max All Cores.' The AMD Opteron 6380, for example, is a 2.5GHz CPU with a Max Turbo speed of 3.4GHz and a 2.8GHz Max All Cores Turbo speed."
First time accepted submitter BluPhenix316 writes "I'm currently in school for Network Administration. I was discussing Linux with my instructor and he said the problem he has with Linux is he doesn't know of a good alternative to Active Directory. I did some research and from what I've read Samba4 seems very promising. What are your thoughts?"
First time accepted submitter danbuter writes "In probably the most poorly thought-out reaction to allowing people displaced by Hurricane Sandy in New Jersey [to take part in the 2012 presidential election], residents will be allowed to vote by email. Of course, this will be completely secure and work perfectly!" Writes user Beryllium Sphere: "There's no mention of any protocol that might possibly make this acceptable. Perhaps the worst thing that could happen would be if it appears to work OK and gains acceptance." I know someone they should consult first.
An anonymous reader writes "Dragonfly BSD recently announced the release of version 3.2 of their operating system. Improvements include: USB4BSD, a second-generation USB stack; merging of a GSoC project to provide CPU topology awareness to the scheduler, giving a nice boost for hyperthreading Intel CPUs; and last but not least, a new largely rewritten scheduler. Some background is in order for the last one. PostgreSQL 9.3 will move from SysV shared memory to mmap for its shared memory needs. It turned out that the switch much hurts its performance on the BSDs. Matthew Dillon was fast to respond with a search for bottlenecks and got the performance up to par with Linux."
snydeq writes "Facebook has said that it will soon open source Prism, an internal project that supports geographically distributed Hadoop data stores, thereby removing the limits on Hadoop's capacity to crunch data. 'The problem is that Hadoop must confine data to one physical data center location. Although Hadoop is a batch processing system, it's tightly coupled, and it will not tolerate more than a few milliseconds delay among servers in a Hadoop cluster. With Prism, a logical abstraction layer is added so that a Hadoop cluster can run across multiple data centers, effectively removing limits on capacity.'"
hessian writes "Scholars who study the role of media in society say no long-term studies have been done that adequately show how and if student attention span has changed because of the use of digital technology. But there is mounting indirect evidence that constant use of technology can affect behavior, particularly in developing brains, because of heavy stimulation and rapid shifts in attention."