Forgot your password?
typodupeerror

Please create an account to participate in the Slashdot moderation system

United Kingdom

Secret Policy Allows GCHQ Bulk Access To NSA Data 93

Posted by samzenpus
from the have-some-data dept.
hazeii writes Though legal proceedings following the Snowden revelations, Liberty UK have succeeded in forcing GCHQ to reveal secret internal policies allowing Britain's intelligence services to receive unlimited bulk intelligence from the NSA and other foreign agencies and to keep this data on a massive searchable databases, all without a warrant. Apparently, British intelligence agencies can "trawl through foreign intelligence material without meaningful restrictions", and can keep copies of both content and metadata for up to two years. There is also mention of data obtained "through US corporate partnerships". According to Liberty, this raises serious doubts about oversight of the UK Intelligence and Security Committee and their reassurances that in every case where GCHQ sought information from the US, a warrant for interception signed by a minister was in place.

Eric King, Deputy Director of Privacy international, said: "We now know that data from any call, internet search, or website you visited over the past two years could be stored in GCHQ's database and analyzed at will, all without a warrant to collect it in the first place. It is outrageous that the Government thinks mass surveillance, justified by secret 'arrangements' that allow for vast and unrestrained receipt and analysis of foreign intelligence material is lawful. This is completely unacceptable, and makes clear how little transparency and accountability exists within the British intelligence community."
Databases

Python-LMDB In a High-Performance Environment 98

Posted by Soulskill
from the fast-enough-to-cause-drama dept.
lkcl writes: In an open letter to the core developers behind OpenLDAP (Howard Chu) and Python-LMDB (David Wilson) is a story of a successful creation of a high-performance task scheduling engine written (perplexingly) in Python. With only partial optimization allowing tasks to be executed in parallel at a phenomenal rate of 240,000 per second, the choice to use Python-LMDB for the per-task database store based on its benchmarks, as well as its well-researched design criteria, turned out to be the right decision. Part of the success was also due to earlier architectural advice gratefully received here on Slashdot. What is puzzling, though, is that LMDB on Wikipedia is being constantly deleted, despite its "notability" by way of being used in a seriously-long list of prominent software libre projects, which has been, in part, motivated by the Oracle-driven BerkeleyDB license change. It would appear that the original complaint about notability came from an Oracle employee as well.
Security

Drupal Fixes Highly Critical SQL Injection Flaw 54

Posted by samzenpus
from the protect-ya-neck dept.
An anonymous reader writes Drupal has patched a critical SQL injection vulnerability in version 7.x of the content management system that can allow arbitrary code execution. The flaw lies in an API that is specifically designed to help prevent against SQL injection attacks. "Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks," the Drupal advisory says. "A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks."
Oracle

Oracle Database Certifications Are No Longer Permanent 108

Posted by Soulskill
from the you're-now-allowed-to-forget-things dept.
jfruh writes: It used to be that you could get an Oracle database certification and declare yourself Oracle-certified for the rest of your career. That time is now over, causing a certain amount of consternation among DBAs. On the one hand, it makes sense that someone who's only been certified on a decade-old version of the product should need to prove they've updated their skills. On the other, Oracle charges for certification and will definitely profit from this shift."
Security

Snapchat Says Users Were Victimized By Their Use of Third-Party Apps 90

Posted by Soulskill
from the illusion-of-impermanence dept.
Lucas123 writes: Reports that the servers of photo messaging site Snapchat were hacked are being denied by the company, which is now is saying its users were instead victimized by their use of third-party apps to send and receive Snaps. Hackers on 4chan have said broke into the site and they're preparing to release 200,000 photos or videos in their own database that will be searchable by Snapchatter name. According to one report, the third-party Snapchat client app enabled access for years to the data that was supposed have been deleted. The hackers have said they have a 13GB photo library. For its part, Snapchat in a statement reiterated its Terms of Use Policy, that "expressly prohibits" third-party app use "because they compromise our users' security."
Advertising

Why Do Contextual Ads Fail? 249

Posted by timothy
from the pandemic-tone-deafness dept.
minstrelmike writes If we give up all our privacy on-line for contextual ads, then how come so many of them are so far off the mark? Personal data harvesting for contextual ads and content should be a beautiful thing. They do it privately and securely, and it's all automated so that no human being actually learns anything about you. And then the online world becomes customized, just for you. The real problem with this scenario is that is we're paying for contextual ads and content with our personal data, but we're not getting what we pay for. Facebook advertising is off target and almost completely irrelevant. The question is: Why? Facebook has a database of our explicitly stated interests, which many users fill out voluntarily. Facebook sees what we post about. It knows who we interact with. It counts our likes, monitors our comments and even follows us around the Web. Yet, while the degree of personal data collection is extreme, the advertising seems totally random.
Medicine

Professor Kevin Fu Answers Your Questions About Medical Device Security 21

Posted by samzenpus
from the listen-up dept.
Almost a year ago you had a chance to ask professor Kevin Fu about medical device security. A number of events (including the collapse of his house) conspired to delay the answering of those questions. Professor Fu has finally found respite from calamity, coincidentally at a time when the FDA has issued guidance on the security of medical devices. Below you'll find his answers to your old but not forgotten questions.
Privacy

Dubai Police To Use Google Glass For Facial Recognition 122

Posted by samzenpus
from the watching-you-better dept.
cold fjord sends word about what the Dubai police plan on doing with their Google Glass. Police officers in Dubai will soon be able to identify suspects wanted for crimes just by looking at them. Using Google Glass and a custom-developed facial recognition software, Dubai police will be able to capture photos of people around them and search their faces in a database of people wanted for crimes ... When a match is made in the database, the Glass device will receive a notification. .... What's particularly interesting about the project is that facial recognition technology is banned by the Google Glass developer policy. ... The section of the policy that addresses such technology seems to disqualify the Dubai police force's plan for Glass."
United States

Obama Names National Medal of Science, Technology & Innovation Winners 53

Posted by samzenpus
from the have-a-medal dept.
alphadogg writes Computer scientists who made breakthroughs in areas such as software architectures and database management systems were among those named National Medal of Technology and Innovation winners by President Barack Obama. These awards, along with the National Medal of Science, are the nation's highest honors for achievement and leadership in advancing the fields of science and technology. Overall, 18 medalists were named.
Businesses

Ask Slashdot: Software Issue Tracking Transparency - Good Or Bad? 159

Posted by samzenpus
from the to-show-them-or-not-to-show-them dept.
First time accepted submitter Mike Sheen writes I'm the lead developer for an Australian ERP software outfit. For the last 10 years or so we've been using Bugzilla as our issue tracking system. I made this publicly available to the degree than anyone could search and view bugs. Our software is designed to be extensible and as such we have a number of 3rd party developers making customization and integrating with our core product.

We've been pumping out builds and publishing them as "Development Stream (Experimental / Unstable" and "Release Stream (Stable)", and this is visible on our support site to all. We had been also providing a link next to each build with the text showing the number of bugs fixed and the number of enhancements introduced, and the URL would take them to the Bugzilla list of issues for that milestone which were of type bug or enhancement.

This had been appreciated by our support and developer community, as they can readily see what issues are addressed and what new features have been introduced. Prior to us exposing our Bugzilla database publicly we produced a sanitized list of changes — which was time consuming to produce and I decided was unnecessary given we could just expose the "truth" with simple links to the Bugzilla search related to that milestone.

The sales and marketing team didn't like this. Their argument is that competitors use this against us to paint us as producers of buggy software. I argue that transparency is good, and beneficial — and whilst our competitors don't publish such information — but if we were to follow our competitors practices we simply follow them in the race to the bottom in terms of software quality and opaqueness.

In my opinion, transparency of software issues provides:

Identification of which release or build a certain issue is fixed.
Recognition that we are actively developing the software.
Incentive to improve quality controls as our "dirty laundry" is on display.
Information critical to 3rd party developers.
A projection of integrity and honesty.

I've yielded to the sales and marketing demands such that we no longer display the links next to each build for fixes and enhancements, and now publish "Development Stream (Experimental / Unstable" as simply "Development Stream") but I know what is coming next — a request to no longer make our Bugzilla database publicly accessible. I still have the Bugzilla database publicly exposed, but there is now only no longer the "click this link to see what we did in this build".

A compromise may be to make the Bugzilla database only visible to vetted resellers and developers — but I'm resistant to making a closed "exclusive" culture. I value transparency and recognize the benefits. The sales team are insistent that exposing such detail is a bad thing for sales.

I know by posting in a community like Slashdot that I'm going to get a lot of support for my views, but I'm also interested in what people think about the viewpoint that such transparency could be bad thing.
Databases

PostgreSQL Outperforms MongoDB In New Round of Tests 147

Posted by Soulskill
from the there-can-be-only-lots dept.
New submitter RaDag writes: PostgreSQL outperformed MongoDB, the leading document database and NoSQL-only solution provider, on larger workloads than initial performance benchmarks. Performance benchmarks conducted by EnterpriseDB, which released the framework for public scrutiny on GitHub, showed PostgreSQL outperformed MongoDB in selecting, loading and inserting complex document data in key workloads involving 50 million records. This gives developers the freedom to combine structured and unstructured data in a single database with ACID compliance and relational capabilities.
OS X

Flurry of Scans Hint That Bash Vulnerability Could Already Be In the Wild 318

Posted by timothy
from the oy-oy-oy dept.
The recently disclosed bug in bash was bad enough as a theoretical exploit; now, reports Ars Technica, it could already be being used to launch real attacks. In a blog post yesterday, Robert Graham of Errata Security noted that someone is already using a massive Internet scan to locate vulnerable servers for attack. In a brief scan, he found over 3,000 servers that were vulnerable "just on port 80"—the Internet Protocol port used for normal Web Hypertext Transfer Protocol (HTTP) requests. And his scan broke after a short period, meaning that there could be vast numbers of other servers vulnerable. A Google search by Ars using advanced search parameters yielded over two billion web pages that at least partially fit the profile for the Shellshock exploit. More bad news: "[T]he initial fix for the issue still left Bash vulnerable to attack, according to a new US CERT National Vulnerability Database entry." And CNET is not the only one to say that Shellshock, which can affect Macs running OS X as well as Linux and Unix systems, could be worse than Heartbleed.
Piracy

The Raid-Proof Hosting Technology Behind 'The Pirate Bay' 144

Posted by timothy
from the pesky-vikings-and-their-lessons dept.
HughPickens.com writes Ernesto reports at TorrentFreak that despite its massive presence the Pirate Bay doesn't have a giant server park but operates from the cloud, on virtual machines that can be quickly moved if needed. The site uses 21 "virtual machines" (VMs) hosted at different providers, up four machines from two years ago, in part due to the steady increase in traffic. Eight of the VMs are used for serving the web pages, searches take up another six machines, and the site's database currently runs on two VMs. The remaining five virtual machines are used for load balancing, statistics, the proxy site on port 80, torrent storage and for the controller. In total the VMs use 182 GB of RAM and 94 CPU cores. The total storage capacity is 620 GB. One interesting aspect of The Pirate Bay is that all virtual machines are hosted with commercial cloud hosting providers, who have no clue that The Pirate Bay is among their customers. "Moving to the cloud lets TPB move from country to country, crossing borders seamlessly without downtime. All the servers don't even have to be hosted with the same provider, or even on the same continent." All traffic goes through the load balancer, which masks what the other VMs are doing. This also means that none of the IP-addresses of the cloud hosting providers are publicly linked to TPB. For now, the most vulnerable spot appears to be the site's domain. Just last year TPB burnt through five separate domain names due to takedown threats from registrars. But then again, this doesn't appear to be much of a concern for TPB as the operators have dozens of alternative domain names standing by.
Privacy

FBI Completes New Face Recognition System 129

Posted by Soulskill
from the they-know-what-you-did-last-summer dept.
Advocatus Diaboli writes: According to a report from Gizmodo, "After six years and over one billion dollars in development, the FBI has just announced that its new biometric facial recognition software system is finally complete. Meaning that, starting soon, photos of tens of millions of U.S. citizen's faces will be captured by the national system on a daily basis. The Next Generation Identification (NGI) program will logs all of those faces, and will reference them against its growing database in the event of a crime. It's not just faces, though. Thanks to the shared database dubbed the Interstate Photo System (IPS), everything from tattoos to scars to a person's irises could be enough to secure an ID. What's more, the FBI is estimating that NGI will include as many as 52 million individual faces by next year, collecting identified faces from mug shots and some job applications." Techdirt points out that an assessment of how this system affects privacy was supposed to have preceded the actual rollout. Unfortunately, that assessment is nowhere to be found.

Two recent news items are related. First, at a music festival in Boston last year, face recognition software was tested on festival-goers. Boston police denied involvement, but were seen using the software, and much of the data was carelessly made available online. Second, both Ford and GM are working on bringing face recognition software to cars. It's intended for safety and security — it can act as authentication and to make sure the driver is paying attention to the road.
Databases

UK's National Health Service Moves To NoSQL Running On an Open-Source Stack 198

Posted by Soulskill
from the deciding-to-DROP-it dept.
An anonymous reader sends this news from El Reg: The U.K.'s National Health Service has ripped the Oracle backbone from a national patient database system and inserted NoSQL running on an open-source stack. Spine2 has gone live following successful redevelopment including redeployment on new, x86 hardware. The project to replace Spine1 had been running for three years with Spine2 now undergoing a 45-day monitoring period. Spine is the NHS’s main secure patient database and messaging platform, spanning a vast estate of blades and SANs. It logs the non-clinical information on 80 million people in Britain – holding data on everything from prescriptions and payments to allergies. Spine is also a messaging hub, serving electronic communications between 20,000 applications that include the Electronic Prescription Service and Summary Care Record. It processes more than 500 complex messages a second.
Security

Privacy Vulnerabilities In Coursera, Including Exposed Student Email Addresses 31

Posted by timothy
from the don't-I-know-you-from-the-semiotics-class? dept.
An anonymous reader writes Coursera, the online education platform with over 9 million students, appears to have some serious privacy shortcomings. According to one of Stanford's instructors, 'any teacher can dump the entire user database, including over nine million names and email addresses.' Also, 'if you are logged into your Coursera account, any website that you visit can list your course enrollments.' The attack even has a working proof of concept [note: requires Coursera account]. A week after the problems were reported, Coursera still hasn't fixed them.
The Courts

First US Appeals Court Hears Arguments To Shut Down NSA Database 199

Posted by Soulskill
from the good-luck-with-that dept.
An anonymous reader writes: The second of two lawsuits filed against the U.S. government regarding domestic mass surveillance, ACLU vs. Clapper, was heard on Tuesday by "a three-judge panel on the U.S. Court of Appeals for the 2nd Circuit." The proceeding took an unprecedented two hours (the norm is about 30 minutes), and C-SPAN was allowed to record the whole thing and make the footage available online (video). ACLU's lawyers argued that mass surveillance without warrants violates the 4th Amendment, while lawyers for the federal government argued that provisions within the Patriot Act that legalize mass surveillance without warrants have already been carefully considered and approved by all three branches of government. The judges have yet to issue their ruling.
Government

US Government Fights To Not Explain No-Fly List Selection Process 248

Posted by Soulskill
from the you-can-trust-us dept.
An anonymous reader writes: On August 6, U.S. District Judge Anthony Trenga ordered the federal government to "explain why the government places U.S. citizens who haven't been convicted of any violent crimes on its no-fly database." Unsurprisingly, the federal government objected to the order, once more claiming that to divulge their no-fly list criteria would expose state secrets and thus pose a national security threat. When the judge said he would read the material privately, the government insisted that reading the material "would not assist the Court in deciding the pending Motion to Dismiss (PDF) because it is not an appropriate means to test the scope of the assertion of the State Secrets privilege." The federal government has until September 7 to comply with the judge's order unless the judge is swayed by the government's objection.
Red Hat Software

How Red Hat Can Recapture Developer Interest 232

Posted by Soulskill
from the cookies-will-do-the-trick dept.
snydeq writes: Developers are embracing a range of open source technologies, writes Matt Asay, virtually none of which are supported or sold by Red Hat, the purported open source leader. "Ask a CIO her choice to run mission-critical workloads, and her answer is a near immediate 'Red Hat.' Ask her developers what they prefer, however, and it's Ubuntu. Outside the operating system, according to AngelList data compiled by Leo Polovets, these developers go with MySQL, MongoDB, or PostgreSQL for their database; Chef or Puppet for configuration; and ElasticSearch or Solr for search. None of this technology is developed by Red Hat. Yet all of this technology is what the next generation of developers is using to build modern applications. Given that developers are the new kingmakers, Red Hat needs to get out in front of the developer freight train if it wants to remain relevant for the next 20 years, much less the next two."
Businesses

Companies That Don't Understand Engineers Don't Respect Engineers 371

Posted by Soulskill
from the if-you-aren't-part-of-the-solution,-you're-part-of-the-preciptate dept.
An anonymous reader writes Following up on a recent experiment into the status of software engineers versus managers, Jon Evans writes that the easiest way to find out which companies don't respect their engineers is to learn which companies simply don't understand them. "Engineers are treated as less-than-equal because we are often viewed as idiot savants. We may speak the magic language of machines, the thinking goes, but we aren't business people, so we aren't qualified to make the most important decisions. ... Whereas in fact any engineer worth her salt will tell you that she makes business decisions daily–albeit on the micro not macro level–because she has to in order to get the job done. Exactly how long should this database field be? And of what datatype? How and where should it be validated? How do we handle all of the edge cases? These are in fact business decisions, and we make them, because we're at the proverbial coal face, and it would take forever to run every single one of them by the product people and sometimes they wouldn't even understand the technical factors involved. ... It might have made some sense to treat them as separate-but-slightly-inferior when technology was not at the heart of almost every business, but not any more."

I don't want to achieve immortality through my work. I want to achieve immortality through not dying. -- Woody Allen

Working...