First time accepted submitter Jizzbug writes "The X Window System made release X11 7.7 last night (June 9th): 'This release incorporates both new features and stability and correctness fixes, including support for reporting multi-touch events from touchpads and touchscreens which can report input from more than one finger at a time, smoother scrolling from scroll wheels, better cross referencing and formatting of the documentation, pointer barriers to control cursor movement, and synchronization fences to coordinate between X and other rendering engines such as OpenGL.'"
Catch up on stories from the past week (and beyond) at the Slashdot story archive
HappyDude writes "I've been asked to manage a department in our IT group. It's comprised of UNIX, VMWare, Citrix, EMC and HP SAN Admins, Technicians and Help Desk personnel. The group covers the spectrum in years of experience. I am a 20-year Admin veteran of Engineering and Health Care IT systems including UNIX, Oracle DBA, Apache HTTP/Tomcat, WebSphere, software design plus other sundry jack-of-all-trades kinds of stuff. Although I consider myself a hack at most of those trades, I'm reasonably good at any one of them when I'm submerged. I also have 10 years of Project Management experience in Engineering and Health Care related IT organizations. I do have formal PM training, but haven't bothered to seek credentialing. I'm being told that I'll be worth less to the organization as a supervisor than what I'm making now, but the earning potential is greater if I accept the management position. Out of the kindness of their hearts, they're offering to start me in the new position at the same wage I'm currently making. Does this make any sense, Slashdot? " Read on for further details.
UnderAttack writes "A common joke in infosec is that you can't hack a server that is turned off. You better make sure that the power cord is unplugged, too. Otherwise, you may be exposed via IPMI, a component present on many servers for remote management that can be used to flash firmware, get a remote console and power cycle the server even after the normal power button has been pressed to turn the server off."
fmatthew5876 writes "I have a friend who graduated with a degree in philosophy and sociology. He has been spending a lot of his spare time for the last couple years learning system administration and web development. He has set up web servers, database servers, web proxies and more. He has taught himself PHP, MySQL, and how to use Linux and openBSD without any formal education. I believe that if given the chance with an entry level position somewhere and a good mentor he could really be a great Unix admin, but the problem is that he doesn't have a degree in computer science or any related field. He is doing stuff now that a lot of people I graduated with (I was a CS major) could not do when they had a bachelor's degree. Does Slashdot have any advice on what my friend could do to build up his resume and find a job? I know a lot of people think certifications are pretty useless or even harmful, but in his case do you think it would be a good idea?"
Harperdog writes "Scott Kemp writes about the similarities between the nuclear arms race and the use of cyberweaponry for offensive purposes. As the article points out, offensive cyberwarfare leaves a nation's own citizenry vulnerable to attack as government agencies seek to keep weaknesses in operating systems (such as Windows) secret. Quoting: 'In the world of armaments, cyber weapons may require the fewest national resources to build. That is not to say that highly developed nations are not without their advantages during early stages. Countries like Israel and the United States may have more money and more talented hackers. Their software engineers may be more skilled and exhibit more creativity and critical thinking owing to better training and education. However, each new cyberattack becomes a template for other nations — or sub-national actors — looking for ideas.'"
Trailrunner7 writes "Adobe has released a new version of their Flash player that now gives Firefox users the additional security of a sandbox and also includes a background update mechanism for Mac users. Flash has run in a sandbox on Google Chrome and Internet Explorer for some time already. The big security news in Flash player 11.3 is the addition of the protected mode sandbox for Firefox on Windows. That's a major change for Adobe, which has been adding sandbox to its main product lines for a couple of years now. Adobe Reader X has run in protected mode — which is what Adobe calls its sandbox — since its release, and the company also added a sandbox to Flash on Google Chrome. The sandbox is designed to prevent attackers from using vulnerabilities in Flash to break out of the application and move to other apps or the OS itself."
CowboyRobot writes "Following yesterday's post about Poul-Henning Kamp no longer supporting md5crypt, the author has a new column at the ACM where he details all the ways that LinkedIn failed, specifically related to how they failed to 'salt' their passwords, making them that much easier to crack. 'On a system with many users, the chances that some of them have chosen the same password are pretty good. Humans are notoriously lousy at selecting good passwords. For the evil attacker, that means all users who have the same hashed password in the database have chosen the same password, so it is probably not a very good one, and the attacker can target that with a brute force attempt.'"
DillyTonto writes "Want to know how strong your password is? Count the number of characters and the type and calculate it yourself. Steve Gibson's Interactive Brute Force Password Search Space Calculator shows how dramatically the time-to-crack lengthens with every additional character in your password, especially if one of them is a symbol rather than a letter or number. Worst-case scenario with almost unlimited computing power for brute-forcing the decrypt: 6 alphanumeric characters takes 0.0000224 seconds to crack, 10 alpha/nums with a symbol takes 2.83 weeks."
angry tapir writes "The creators of the Flame cyber-espionage threat ordered infected computers still under their control to download and execute a component designed to remove all traces of the malware and prevent forensic analysis. Flame has a built-in feature called SUICIDE that can be used to uninstall the malware from infected computers. However, late last week, Flame's creators decided to distribute a different self-removal module to infected computers that connected to servers still under their control."
snydeq writes "As the self-proclaimed 'cloud OS for the datacenter,' OpenStack is fast becoming one of the more intriguing movements in open source — complete with lofty ambitions, community in-fighting, and commercial appeal. But questions remain whether this project can reach its potential of becoming the new Linux. 'The allure of OpenStack is clear: Like Linux, OpenStack aims to provide a kernel around which all kinds of software vendors can build businesses. But with OpenStack, we're talking multiple projects to provide agile cloud management of compute, storage, and networking resources across the data center — plus authentication, self-service, resource monitoring, and a slew of other projects. It's hugely ambitious, perhaps the most far-reaching open source project ever, although still at a very early stage. ... Clearly, the sky-high aspirations of OpenStack both fuel its outrageous momentum and incur the risk of overreach and collapse, as it incites all manner of competition. The promise is big, but the success of OpenStack is by no means assured.'"
darthcamaro writes "So how did World IPv6 Launch go? Surprisingly well, according to participants at the event. Google said it has seen 150% growth in IPv6 traffic, Facebook now has 27 million IPv6 users and Akamai is serving 100x more IPv6 traffic. But it's still a 'brocolli' technology. 'I've said in the past that IPv6 is a 'broccoli' technology,' Leslie Daigle, CTO of the Internet Society said. 'I still think it is a tech everybody knows it would be good if we ate more of it but nobody wants to eat it without the cheese sauce.'" Reader SmartAboutThings adds a few data points: "According to Google statistics, Romania leads the way with a 6.55% adoption rate, followed by France with 4.67%. Japan is on the third place so far with 1.57% but it seems here 'users still experience significant reliability or latency issues connecting to IPv6-enabled websites.' In the U.S. and China the users have noticed infrequent issues connecting to the new protocol, but still the adoption rate is 0.93% and 0.58%, respectively."
An anonymous reader writes "CERT/CC has called out AMD for having insecure video drivers. AMD/ATI video drivers are incompatible with system-wide ASLR. 'Always On' DEP combined with 'Always On' ASLR are effective exploit mitigations. However, most people don't know about 'Always On' ASLR since Microsoft had to hide it from EMET with an 'EnableUnsafeSettings' registry key — because AMD/ATI video drivers will cause a BSOD on boot if 'Always On' ASLR is enabled."
As reported here recently, millions of LinkedIn password hashes have been leaked online. An anonymous reader writes "Now, Poul-Henning Kamp a developer known for work on various projects and the author of the md5crypt password scrambler asks everybody to migrate to a stronger password scrambler without undue delay. From the blog post: 'New research has shown that it can be run at a rate close to 1 million checks per second on COTS GPU hardware, which means that it is as prone to brute-force attacks as the DES based UNIX crypt was back in 1995: Any 8 character password can be found in a couple of days. The default algorithm for storing password hashes in /etc/shadow is MD5. RHEL / CentOS / FreeBSD user can migrate to SHA-512 hashing algorithms.'" Reader Curseyoukhan was one of several to also point out that dating site eHarmony got the same treatment as LinkedIn. Update: 06/07 20:13 GMT by T : An anonymous reader adds a snippet from Help Net Security, too: "Last.fm has piped up to warn about a leak of their own users' passwords. Users who have logged in to the site were greeted today by a warning asking them to change their password while the site investigates a security problem. Following the offered link to learn more, they landed on another page with another warning."
concertina226 writes to note that it's not just the U.S. that's increasingly open about using malware as an offensive tool of state security: From the TechWorld story: "According to German reports, the Bonn-based Computer Network Operations (CNO) unit had existed since 2006 but was only now being readied for deployment under the control of the country's military. 'The initial capacity to operate in hostile networks has been achieved,' a German press agency reported the brief document as saying. The unit had already conducted closed lab simulations of cyber-attacks." "Unlike physical attacks," concertina226 writes, "cyber-weapons can't be isolated from their surroundings with the same degree of certainty. If, as a growing body of evidence suggests, the U.S. Government sanctioned the use of cyber-malware such as Stuxnet, are the authorities also held responsible should such campaigns hit unintended victims?"
An anonymous reader writes "In spite of Linux's great networking capabilities, there seems to be a shortage of suitable hardware for building an enterprise-grade networking platform. I've had success on smaller projects with the Soekris offerings but they are suboptimal for large-scale deployment due to their single-board non-redundant design (eg., single power supply, lack of backup 'controller'). What is the closest thing to a modular Linux-capable platform with some level of hardware redundancy and substantial bus/backplane throughput?"