News

Drones Could 3D-Map Scores of Hectares of Land In Just a Few Hours

slashdot - Wed, 10/29/2014 - 15:22
sciencehabit writes: Unmanned drones aren't just for warfare. In recent years, they've been used to map wildlife and monitor crop growth. But current software can't always handle the vast volume of images they gather. Now, researchers have developed an algorithm that will allow drones to 3D-map scores of hectares of land in less than a day — an advance that is important for cost-effective farming, disaster relief, and surveillance operations. Their computer program directly projects the points from each photo onto a 3D space without knowing the exact shape of the land or the camera positions. As a result, the tie points don't necessarily match up, which means the same corn plant can have two projections on the model. When that happens, the algorithm automatically takes the middle point between the two projections as the more accurate location and adjusts the camera position accordingly, one image at a time. Because the algorithm tweaks far fewer things at each step, the shortcut drastically speeds up calculations. Once the software has adjusted the camera positions for all the photos, the software repeats the entire process — starting from projecting the points to the 3D space — to correct for any errors.

Read more of this story at Slashdot.

Dangerous Vulnerability Fixed In Wget

slashdot - Wed, 10/29/2014 - 15:01
jones_supa writes: A critical flaw has been found and patched in the open source Wget file retrieval utility that is widely used on UNIX systems. The vulnerability is publicly identified as CVE-2014-4877. "It was found that wget was susceptible to a symlink attack which could create arbitrary files, directories or symbolic links and set their permissions when retrieving a directory recursively through FTP," developer Vasyl Kaigorodov writes in Red Hat Bugzilla. "A malicious FTP server can stomp over your entire filesystem," tweets HD Moore, chief research officer at Rapid 7, who is the original reporter of the bug.
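
On the client side, the recursive-FTP symlink problem described above comes down to a missing containment check: a server-supplied link whose target resolves outside the download directory must not be recreated, because later writes through it land wherever the server chose. The following is an added example, not wget's own code, showing the two defender-side checks: refusing such links while planning a mirror from an ls-style LIST reply, and auditing an already-downloaded tree for them; SAMPLE_LISTING and the tree built in demo() are constructed.

```python
import os
import tempfile
from pathlib import Path

def parse_listing_line(line):
    """Parse one ls-style line of an FTP LIST reply into {type, name, target};
    returns None for non-entry lines. A symlink's target follows " -> " and is
    entirely server-controlled."""
    fields = line.split(None, 8)
    if len(fields) < 9:
        return None
    mode, name = fields[0], fields[8]
    target = None
    if mode.startswith("l") and " -> " in name:
        name, target = name.split(" -> ", 1)
    kind = {"d": "dir", "l": "symlink"}.get(mode[0], "file")
    return {"type": kind, "name": name, "target": target}

def symlink_escapes_root(root, link_relpath, target):
    """True if a link at root/link_relpath pointing at target resolves outside
    root. Relative targets resolve from the link's own directory, as the OS
    does; only this one hop is checked, so re-audit after each accepted link."""
    root_p = Path(os.path.abspath(root))
    link_dir = (root_p / link_relpath).parent
    if os.path.isabs(target):
        candidate = Path(os.path.normpath(target))
    else:
        candidate = Path(os.path.normpath(link_dir / target))
    try:
        candidate.relative_to(root_p)
    except ValueError:
        return True
    return False

def plan_mirror(root, remote_dir, listing_lines):
    """Split a listing of remote_dir (relative to root) into entries safe to
    recreate under root and symlinks that would point outside it."""
    accepted, rejected = [], []
    for line in listing_lines:
        entry = parse_listing_line(line)
        if entry is None:
            continue
        rel = f"{remote_dir}/{entry['name']}" if remote_dir else entry["name"]
        if entry["type"] == "symlink":
            target = entry["target"]
            if target is None or symlink_escapes_root(root, rel, target):  # no target: malformed
                rejected.append((rel, target))
                continue
        accepted.append(rel)
    return accepted, rejected

def find_escaping_symlinks(root):
    """Audit an already-downloaded tree: report every symlink whose target lies
    outside root, never following links while walking."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                target = os.readlink(full)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                if symlink_escapes_root(root, rel, target):
                    found.append((rel, target))
    return sorted(found)

# Constructed LIST reply mimicking a hostile server: two links leave the tree.
SAMPLE_LISTING = [
    "drwxr-xr-x   2 ftp  ftp   4096 Oct 29  2014 data",
    "-rw-r--r--   1 ftp  ftp    512 Oct 29  2014 README",
    "lrwxrwxrwx   1 ftp  ftp      4 Oct 29  2014 current -> data",
    "lrwxrwxrwx   1 ftp  ftp      4 Oct 29  2014 cfg -> /etc",
    "lrwxrwxrwx   1 ftp  ftp      8 Oct 29  2014 up -> ../../..",
]

def demo():
    """Build a small constructed download tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "pub", "data"))
        os.symlink("data", os.path.join(root, "pub", "current"))         # inside
        os.symlink("/etc", os.path.join(root, "pub", "cfg"))             # outside
        os.symlink("../../..", os.path.join(root, "pub", "data", "up"))  # outside
        return find_escaping_symlinks(root)
```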

Drupal Core - Highly Critical - Public Service announcement - PSA-2014-003

drupal - Wed, 10/29/2014 - 14:39
Description

This Public Service Announcement is a follow up to SA-CORE-2014-005 - Drupal core - SQL injection. This is not an announcement of a new vulnerability in Drupal.

Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 - Drupal core - SQL injection. You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement.

Simply updating to Drupal 7.32 will not remove backdoors.

If you have not updated or applied this patch, do so immediately, then continue reading this announcement; updating to version 7.32 or applying the patch fixes the vulnerability but does not fix an already compromised website. If you find that your site is already patched but you didn’t do it, that can be a symptom that the site was compromised - some attacks have applied the patch as a way to guarantee they are the only attacker in control of the site.

Data and damage control

Attackers may have copied all data out of your site and could use it maliciously. There may be no trace of the attack.

Take a look at our help documentation, "Your Drupal site got hacked, now what".

Recovery

Attackers may have created access points for themselves (sometimes called “backdoors”) in the database, code, files directory and other locations. Attackers could compromise other services on the server or escalate their access.

Removing a compromised website’s backdoors is difficult because it is not possible to be certain all backdoors have been found.

The Drupal security team recommends that you consult with your hosting provider. If they did not patch Drupal for you or otherwise block the SQL injection attacks within hours of the announcement of Oct 15th, 4pm UTC, restore your website to a backup from before 15 October 2014:

  1. Take the website offline by replacing it with a static HTML page
  2. Notify the server’s administrator emphasizing that other sites or applications hosted on the same server might have been compromised via a backdoor installed by the initial attack
  3. Consider obtaining a new server, or otherwise remove all the website’s files and database from the server. (Keep a copy safe for later analysis.)
  4. Restore the website (Drupal files, uploaded files and database) from backups from before 15 October 2014
  5. Update or patch the restored Drupal core code
  6. Put the restored and patched/updated website back online
  7. Manually redo any desired changes made to the website since the date of the restored backup
  8. Audit anything merged from the compromised website, such as custom code, configuration, files or other artifacts, to confirm they are correct and have not been tampered with.

While recovery without restoring from backup may be possible, this is not advised because backdoors can be extremely difficult to find. The recommendation is to restore from backup or rebuild from scratch.
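
Step 8 above asks you to audit anything merged back from the compromised copy, and the announcement also notes that an unexpected change to core (a patch you did not apply) is itself a warning sign. The following is an added example, not the Drupal project's code, that compares a tree restored from backup against the copy kept from the compromised server using SHA-256 digests and additionally flags server-side scripts under the files directory; the site layout in demo(), the files_dir name and the suffix list are constructed assumptions.

```python
import hashlib
import os
import tempfile

# Server-side script suffixes that have no business in an uploaded-files
# directory; a script there is a classic backdoor location (assumption).
SCRIPT_SUFFIXES = (".php", ".phtml", ".php5", ".phar", ".inc")

def _digest_tree(root):
    """Map each regular file under root (relative, '/'-separated) to its
    SHA-256; symlinks are skipped rather than followed."""
    digests = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def audit_trees(backup_root, compromised_root, files_dir):
    """Compare a restored backup tree against the copy kept from the
    compromised server. files_dir is the site's uploaded-files directory,
    relative to the site root. Returns lists of paths by finding type."""
    good = _digest_tree(backup_root)
    bad = _digest_tree(compromised_root)
    prefix = files_dir.rstrip("/") + "/"
    return {
        # Anything created after the backup was taken needs a human decision.
        "added": sorted(p for p in bad if p not in good),
        # Changed code or config: a legitimate edit or an injected hook; an
        # unexpected change to core after the advisory is itself a warning.
        "modified": sorted(p for p in bad if p in good and bad[p] != good[p]),
        "removed": sorted(p for p in good if p not in bad),
        # Scripts under the uploads directory are flagged regardless of age.
        "scripts_in_files_dir": sorted(
            p for p in bad
            if p.startswith(prefix) and p.lower().endswith(SCRIPT_SUFFIXES)
        ),
    }

def _write(root, rel, text):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as fh:
        fh.write(text)

def demo():
    """Constructed backup and compromised copies of a tiny site layout."""
    with tempfile.TemporaryDirectory() as backup, tempfile.TemporaryDirectory() as comp:
        for root in (backup, comp):
            _write(root, "index.php", "<?php // constructed front controller\n")
            _write(root, "includes/helper.inc", "<?php // constructed include\n")
            _write(root, "files/logo.png", "constructed image bytes")
        # Differences present only on the compromised copy:
        _write(comp, "index.php", "<?php // constructed front controller\n// extra line\n")
        _write(comp, "files/cache.php", "<?php // constructed: script dropped in files dir\n")
        _write(comp, "files/report.pdf", "constructed document")
        return audit_trees(backup, comp, "files")
```

Review every path in "added" and "modified" against your own change log from after the backup date before merging anything back; "scripts_in_files_dir" entries should not be merged at all.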

For more information, please see our FAQ on SA-CORE-2014-005.

Contact and More Information

We've prepared a FAQ on this release. Read more at FAQ on SA-CORE-2014-005.

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: Drupal 7.x

Windows 10 Gets a Package Manager For the Command Line

slashdot - Wed, 10/29/2014 - 14:21
aojensen writes: ExtremeTech reports that the most recent build of Windows 10 Technical Preview shows that Windows is finally getting a package manager. The package manager is built for the PowerShell command line based on OneGet. OneGet is a command line utility for PowerShell very similar to classic Linux utilities such as apt-get and yum, which enable administrators and power users comfortable with the command line to install software packages without the need for a graphical installer. ExtremeTech emphasizes that "you can open up PowerShell and use OneGet to install thousands of applications with commands such as Find-Package VLC and Install-Package Firefox." It's a missing feature Linux advocates have long used to argue against Windows in terms of automation and scale. The package manager is open to any software repository and is based on the Chocolatey format for defining package repositories.

Skilled Foreign Workers Treated as Indentured Servants

slashdot - Wed, 10/29/2014 - 13:40
theodp writes: A year-long investigation by NBC Bay Area's Investigative Unit and The Center for Investigative Reporting (CIR) raises questions about the H-1B visa program. In a five-part story that includes a mini-graphic novel called Techsploitation, CIR describes how the system rewards job brokers who steal wages and entrap Indian tech workers in the U.S., including the awarding of half a billion dollars in Federal tech contracts to those with labor violations. "Shackling workers to their jobs," CIR found after interviewing workers and reviewing government agency and court documents, "is such an entrenched business practice that it has even spread to U.S. nationals. This bullying persists at the bottom of a complex system that supplies workers to some of America's richest and most successful companies, such as Cisco Systems Inc., Verizon and Apple Inc." In a presumably unrelated move, the U.S. changed its H-1B record retention policy last week, declaring that records used for labor certification, whether in paper or electronic, "are temporary records and subject to destruction" after five years under the new policy. "There was no explanation for the change, and it is perplexing to researchers," reports Computerworld. "The records under threat are called Labor Condition Applications (LCA), which identify the H-1B employer, worksite, the prevailing wage, and the wage paid to the worker." Lindsay Lowell, director of policy studies at the Institute for the Study of International Migration at Georgetown University, added: "It undermines our ability to evaluate what the government does and, in today's world, retaining electronic records like the LCA is next to costless [a full year's LCA data is less than 1 GB]." President Obama, by the way, is expected to use his executive authority to expand the H-1B program after the midterm elections.

Next Steps for the Drupal.org Terms of Service and Privacy Policy

drupal - Wed, 10/29/2014 - 13:11

Thanks to the hard work of staff and the Drupal.org Content Working Group, we have completed another round of updates to our draft privacy policy and terms of service. We were able to respond to much of the feedback provided in our earlier announcement.

The biggest issues pointed out by the community had to do with the tone of the language in the documents. Many pointed out that it did not match the values of our community. We took a closer look at organizations such as the Wikimedia Foundation and Mozilla, incorporating some of the approaches they took to make our terms a bit more human. We trimmed and shortened what we could. We clarified where things were ambiguous. The end result is much more in line with our community values.

Some examples of changes include the following:

  • When possible, we changed the tone of both documents to make them more friendly.
  • We removed capital letters and used other means to make specific parts of the document noticeable.
  • We deleted a couple of references to collecting data that we do not actually collect.
  • We clarified that we won’t block accounts “for any and no reason”, but only in cases of Terms of Service, Code of Conduct and Git access policy violations.
  • We clarified active notification of users about material changes to policy. We will send an email at least 72 hours prior to changes going into effect. This will give users time to delete their accounts if they don’t want to accept new policies.
  • We added contact info and updated all phone numbers, addresses etc. to be formatted according to international standards.
  • We clarified that you don’t need to create an account to access the Website, just some parts of it.
  • We clarified how to notify us in case of unauthorized access to a user account.
  • We clarified how long we store data after it has been removed from a user profile.

We did leave some things from the previous draft without major changes, such as the bullet points under section C, and we did so for a reason. One of our goals is to make Drupal.org a place where everyone feels comfortable. Additionally, we have to ensure that Drupal.org is protected if a legal issue does arise. Those bullet points are there not because we want to be able to police or censor the activity on the site. This language exists because it protects Drupal.org if one user takes issue with content from another user. We will still use the process outlined in the Drupal Code of Conduct to resolve any issues whenever we can.

With that in mind, please take a look at the latest drafts:

Terms of Service
Privacy Policy

We will be putting these documents into place on Wednesday, 5 November, 2014. All comments added to this thread will be included in our planning for the next revision. We hope to review the Terms of Service and Privacy Policy quarterly and update them with community feedback.

Thank you for all your help in building these documents.

Verizon Launches Tech News Site That Bans Stories On US Spying

slashdot - Wed, 10/29/2014 - 12:57
blottsie writes: The most-valuable, second-richest telecommunications company in the world is bankrolling a technology news site called SugarString.com. The publication, which is now hiring its first full-time editors and reporters, is meant to rival major tech websites like Wired and the Verge while bringing in a potentially giant mainstream audience to beat those competitors at their own game. There's just one catch: In exchange for the major corporate backing, tech reporters at SugarString are expressly forbidden from writing about American spying or net neutrality around the world, two of the biggest issues in tech and politics today.

Getting Lost In the Scientific Woods Is Good For You

slashdot - Wed, 10/29/2014 - 09:18
StartsWithABang writes: Wandering into the woods unprepared and without a plan sounds like a terrible idea. But if you're interested in scientific exploration at the frontiers, confronting the unknown with whatever you happen to have at your disposal, you have to take that risk. You have to be willing to take those steps. And you have to be okay with putting your best ideas out there — for all to see — knowing full well that you might get the entire thing wrong. Sometimes, that's indeed what happens. Some of the most revered and famous scientific minds in history confronted the great mysteries of nature, and came away having done nothing but set us back many years by leading the field down a blind alley. But other times, the greatest leaps forward in our understanding occur as a result. The article shares some notable examples, and explains why this is vital for scientific progress.

16-Teraflops, £97m Cray To Replace IBM At UK Meteorological Office

slashdot - Wed, 10/29/2014 - 07:37
Memetic writes: The UK weather forecasting service is replacing its IBM supercomputer with a Cray XC40 containing 17 petabytes of storage and capable of 16 TeraFLOPS. This is Cray's biggest contract outside the U.S. With 480,000 CPUs, it should be 13 times faster than the current system. It will weigh 140 tons. The aim is to enable more accurate modeling of the unstable UK climate, with UK-wide forecasts at a resolution of 1.5km run hourly, rather than every three hours, as currently happens. (Here's a similar system from the U.S.)

Open Consultation Begins On Italy's Internet Bill of Rights

slashdot - Wed, 10/29/2014 - 06:19
Anita Hunt (lissnup) writes: Hot on the heels of Brazil's recent initiative in this area, Italy has produced a draft [PDF] Declaration of Internet Rights, and on Monday opened the bill for consultation on the Civici [Italian] platform, a first in Europe. "[A]s it is now, it consists of a preamble and 14 articles that span several pages. Topics range from the 'fundamental right to Internet access' and Net Neutrality to the notion of 'informational self-determination.' The bill also includes provisions on the right to anonymity and tackles the highly debated idea of granting online citizens a 'right to be forgotten.' Measures are taken against algorithmic discriminations and the opacity of the terms of service devised by 'digital platform operators' who are 'required to behave honestly and fairly' and, most of all, give 'clear and simple information on how the platform operates.'"

Largest Sunspot In a Quarter Century Spews Flares

slashdot - Wed, 10/29/2014 - 05:06
schwit1 writes: The largest sunspot seen in about a quarter century has produced another powerful X-class flare today, the sixth in less than a week. "This was the sixth X-class solar flare from NOAA 2192, a record for the number of X-class flares generated by a single group so far this solar cycle. It was also the fourth X-class flare since last Friday, continuing a period of intense flaring activity. This sunspot group has grown again a bit, and maintains its magnetic complexity. A degradation of the HF radio-communication was observed over South-America, the Caribbean, and West-Africa." The last sentence is referring to some radio communications blackouts that have occurred in these areas because of the flares.

Help a Journalist With An NFC Chip Implant Violate His Own Privacy and Security

slashdot - Wed, 10/29/2014 - 04:12
An anonymous reader writes: His wife thinks he's crazy, but this guy got an NFC chip implanted in his arm, where it will stay for at least a year. He's inviting everyone to come up with uses for it. Especially ones that violate his privacy and security. There must be something better to do than getting into the office or unlocking your work PC. He says, "The chip we are using is the xNTi, an NFC type 2 NTAG216, which is about the size of a grain of rice and is manufactured by the Dutch semiconductor company NXP, maker of the NFC chip for the new iPhone. It is a glass transponder with an operating frequency of 13.56MHz, developed for mass-market applications such as retail, gaming and consumer electronics. ... The chip's storage capacity is pretty limited, the UID (unique identifier) is 7 bytes, while the read/write memory is 888 bytes. It can be secured with a 32-bit password and can be overwritten about 100,000 times, by which point the memory will be quite worn. Data transmission takes place at a baud rate of 106 kbit/s and the chip is readable up to 10 centimeters, though it is possible to boost that distance."

Tech Giants Donate $750 Million In Goods and Services To Underprivileged Schools

slashdot - Wed, 10/29/2014 - 02:00
mrspoonsi sends news that a group of major tech companies has combined to donate $750 million worth of gadgets and services to students in 114 schools across the U.S. Apple is sending out $100 million worth of iPads, MacBooks, and other products. O'Reilly Media is making $100 million worth of educational content available for free. Microsoft and Autodesk are discounting software, while Sprint and AT&T are offering free wireless service. This is part of the ConnectED Initiative, a project announced by the Obama Administration last year to bring modern technology to K-12 classrooms. The FCC has also earmarked $2 billion to improve internet connectivity in schools and libraries over the next two years. Obama also plans to seek funding for training teachers to utilize this infusion of technology.

Antares Rocket Explodes On Launch

slashdot - Tue, 10/28/2014 - 23:40
sneakyimp writes: The Antares rocket operated by Orbital Sciences Corporation exploded on launch due to a "catastrophic anomaly" after a flawless countdown. No injuries are reported and all personnel are accounted for. According to the audio stream hosted by local news affiliate WTVR's website, the Cygnus spacecraft contained classified crypto technology and efforts are being made to cordon off the wreckage area. Additionally, interviews of personnel and witness reports are to be limited to appropriate government agencies so that an accident report can be generated. This accident is likely to have a detrimental effect on the stock price of Orbital Sciences Corp, traded on the NYSE. The Antares rocket's engines are based on old soviet designs from the '60s. While this is sure to be a blow to NASA due to the cost, it may well boost the fortunes of SpaceX, a chief competitor of Orbital Sciences. Both companies were recently awarded resupply contracts by NASA.

US Post Office Increases Secret Tracking of Mail

slashdot - Tue, 10/28/2014 - 23:21
HughPickens.com writes: Ron Nixon reports in the NY Times that the United States Postal Service says it approved nearly 50,000 requests last year from law enforcement agencies and its own internal inspection unit to secretly monitor the mail of Americans for use in criminal and national security investigations, in many cases without adequately describing the reason or having proper written authorization. In addition to raising privacy concerns, the audit questioned the efficiency and accuracy of the Postal Service in handling the requests. The surveillance program, officially called mail covers, is more than a century old, but is still considered a powerful investigative tool. The Postal Service said that from 2001 through 2012, local, state and federal law enforcement agencies made more than 100,000 requests to monitor the mail of Americans. That would amount to an average of some 8,000 requests a year — far fewer than the nearly 50,000 requests in 2013 that the Postal Service reported in the audit (PDF). In Arizona in 2011, Mary Rose Wilcox, a Maricopa County supervisor, discovered that her mail was being monitored by the county's sheriff, Joe Arpaio. Wilcox had been a frequent critic of Arpaio, objecting to what she considered the targeting of Hispanics in his immigration sweeps. Wilcox sued the county, was awarded nearly $1 million in a settlement in 2011 and received the money this June when the Ninth Circuit Court of Appeals upheld the ruling. Andrew Thomas, the former county attorney, was disbarred for his role in investigations into the business dealings of Ms. Wilcox and other officials and for other unprofessional conduct. "I don't blame the Postal Service," says Wilcox, "but you shouldn't be able to just use these mail covers to go on a fishing expedition. There needs to be more control."

Location of Spilled Oil From 2010 Deepwater Horizon Event Found

slashdot - Tue, 10/28/2014 - 22:36
Chipmunk100 writes: A study published in the journal Proceedings of the National Academy of Sciences (abstract) claims to have identified the location of two million barrels of submerged oil thought to be trapped in the deep ocean following the 2010 Deepwater Horizon spill. By analyzing data from more than 3,000 samples collected at 534 locations over 12 expeditions, they identified a 1,250-square-mile patch of the deep sea floor upon which 2 to 16 percent of the discharged oil was deposited. The fallout of oil to the sea floor created thin deposits most intensive to the southwest of the Macondo well. The oil was most concentrated within the top half inch of the sea floor and was patchy even at the scale of a few feet.

Google Developing a Pill To Detect Cancer

slashdot - Tue, 10/28/2014 - 21:52
An anonymous reader writes: The Google X research lab has unveiled a new project: developing a pill capable of detecting cancer, imminent heart attacks, and other diseases. According to the article, "the company is fashioning nanoparticles—particles about one billionth of a meter in width—that combine a magnetic material with antibodies or proteins that can attach to and detect other molecules inside the body." When a person ingests the pill, these particles interact with the particular markers for a given disease. Since they're magnetic, they can then be guided back to a particular spot where they can be scanned to determine if any interactions took place. Google X's head of life sciences, Andrew Conrad, said, "What we are trying to do is change medicine from reactive and transactional to proactive and preventative. Nanoparticles... give you the ability to explore the body at a molecular and cellular level."

Ken Ham's Ark Torpedoed With Charges of Religious Discrimination

slashdot - Tue, 10/28/2014 - 21:08
McGruber writes: Back on February 4, "Science Guy" Bill Nye debated Creationist Kenneth Alfred "Ken" Ham. That high-profile debate helped boost support for Ham's $73 million "Ark Encounter" project, allowing Ham to announce on February 25 that a municipal bond offering had raised enough money to begin construction. Nye said he was "heartbroken and sickened for the Commonwealth of Kentucky" after learning that the project would move forward. Nye said the ark would eventually draw more attention to the beliefs of Ham's ministry, which preaches that the Bible's creation story is a true account, and as a result, "voters and taxpayers in Kentucky will eventually see that this is not in their best interest." In July, the Kentucky Tourism Development Finance Authority unanimously approved $18.25 million worth of tax incentives to keep the ark park afloat. The funds are from a state program that allows eligible tourism attractions a rebate of as much as 25 percent of the investment in the project. Since then, the Ark Park's employment application has become public: "Nestled among the requirements for all job applicants were three troubling obligatory documents: 'Salvation testimony,' 'Creation belief statement,' and a 'Confirmation of your agreement with the AiG statement of faith.' (AiG is Answers in Genesis, Ham's ministry and Ark Encounter's parent company.)" That caused the Kentucky Tourism, Arts and Heritage Cabinet to halt its issuance of tax incentives for the ark park. Bob Stewart, secretary of the cabinet, wrote to Ham that "the Commonwealth does not provide incentives to any company that discriminates on the basis of religion and we will not make any exception for Ark Encounter, LLC." Before funding could proceed, Stewart explained, "the Commonwealth must have the express written assurance from Ark Encounter, LLC that it will not discriminate in any way on the basis of religion in hiring." The ark park has not yet sunk. It is "still pending before the authority" and a date has not yet been set for the meeting where final approval will be considered.

We Are All Confident Idiots

slashdot - Tue, 10/28/2014 - 20:25
An anonymous reader writes: If you've ever heard of the Dunning-Kruger effect, you'll be familiar with David Dunning, professor of psychology at Cornell. He's written an article on the "psychology of human wrongness," explaining how confidence in one's answers tends to be high for people who don't know what they're talking about. He says, "What's curious is that, in many cases, incompetence does not leave people disoriented, perplexed, or cautious. Instead, the incompetent are often blessed with an inappropriate confidence, buoyed by something that feels to them like knowledge." Dunning goes on: "A whole battery of studies conducted by myself and others have confirmed that people who don't know much about a given set of cognitive, technical, or social skills tend to grossly overestimate their prowess and performance, whether it's grammar, emotional intelligence, logical reasoning, firearm care and safety, debating, or financial knowledge. College students who hand in exams that will earn them Ds and Fs tend to think their efforts will be worthy of far higher grades; low-performing chess players, bridge players, and medical students, and elderly people applying for a renewed driver's license, similarly overestimate their competence by a long shot."

OpenBSD Drops Support For Loadable Kernel Modules

slashdot - Tue, 10/28/2014 - 19:43
jones_supa writes: The OpenBSD developers have decided to remove support for loadable kernel modules from the BSD distribution's next release. Several commits earlier this month stripped out the loadable kernel modules support. Phoronix's Michael Larabel has not yet found an official reason for the decision to drop support. He wagers that it is due to security or code quality/openness ideals.
