Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. Also, Slashdot's Facebook page has a chat bot now. Message it for stories and more. ×
Transportation

'Uber Is Doomed', Argues Transportation Reporter (jalopnik.com) 55

When an Uber self-driving car ran a red light last year, they blamed and suspended the car's driver, even though it was the car's software that malfunctioned, according to two former employees, ultimately causing Uber cars to run six different red lights. But technical issues may be only the beginning. An anonymous reader writes: Jalopnik points out that in 2016 Uber "burned through more than $2 billion, amid findings that rider fares only cover roughly 40% of a ride, with the remainder subsidized by venture capitalists" (covering even less than the fares of government-subsidized mass transit systems). So despite Google's lawsuit and other recent bad publicity, "even when those factors are removed, it's becoming more evident that Uber will collapse on its own."

Their long analysis argues that the problems are already becoming apparent. "Uber, which didn't respond to questions from Jalopnik about its viability, recently paid $20 million to settle claims that it grossly misled how much drivers could earn on Craigslist ads. The company's explosive growth also fundamentally required it to begin offering subprime auto loans to prospective drivers without a vehicle."

Last month transportation industry analyst Hubert Horan calculated that Uber Global's losses have been "substantially greater than any venture capital-funded startup in history."
Google

Is Google's Comment Filtering Tool 'Vanishing' Legitimate Comments? (vortex.com) 29

Slashdot reader Lauren Weinstein writes: Google has announced (with considerable fanfare) public access to their new "Perspective" comment filtering system API, which uses Google's machine learning/AI system to determine which comments on a site shouldn't be displayed due to perceived high spam/toxicity scores. It's a fascinating effort. And if you run a website that supports comments, I urge you not to put this Google service into production, at least for now.

The bottom line is that I view Google's spam detection systems as currently too prone to false positives -- thereby enabling a form of algorithm-driven "censorship" (for lack of a better word in this specific context) -- especially by "lazy" sites that might accept Google's determinations of comment scoring as gospel... as someone who deals with significant numbers of comments filtered by Google every day -- I have nearly 400K followers on Google Plus -- I can tell you with considerable confidence that the problem isn't "spam" comments that are being missed, it's completely legitimate non-spam, non-toxic comments that are inappropriately marked as spam and hidden by Google.

Lauren is also collecting noteworthy experiences for a white paper about "the perceived overall state of Google (and its parent corporation Alphabet, Inc.)" to better understand how internet companies are now impacting our lives in unanticipated ways. He's inviting people to share their recent experiences with "specific Google services (including everything from Search to Gmail to YouTube and beyond), accounts, privacy, security, interactions, legal or copyright issues -- essentially anything positive, negative, or neutral that you are free to impart to me, that you believe might be of interest."
Bug

Google Discloses Yet Another New Unpatched Microsoft Vulnerability In Edge/IE (bleepingcomputer.com) 42

An anonymous reader quotes BleepingComputer: Google has gone public with details of a second unpatched vulnerability in Microsoft products, this time in Edge and Internet Explorer, after last week they've published details about a bug in the Windows GDI (Graphics Device Interface) component... The bug, discovered by Google Project Zero researcher Ivan Fratric, is tracked by the CVE-2017-0037 identifier and is a type confusion, a kind of security flaw that can allow an attacker to execute code on the affected machine, and take over a device.

Details about CVE-2017-0037 are available in Google's bug report, along with proof-of-concept code. The PoC code causes a crash of the exploited browser, but depending on the attacker's skill level, more dangerous exploits could be built... Besides the Edge and IE bug, Microsoft products are also plagued by two other severe security flaws, one affecting the Windows GDI component and one the SMB file sharing protocol shipped with all Windows OS versions...

Google's team notified Microsoft of the bug 90 days ago, only disclosing it publicly on Friday.
Security

Apache Subversion Fails SHA-1 Collision Test, Exploit Moves Into The Wild (arstechnica.com) 105

WebKit's bug-tracker now includes a comment from Friday noting "the bots all are red" on their git-svn mirror site, reporting an error message about a checksum mismatch for shattered-2.pdf. "In some cases, due to the corruption, further commits are blocked," reports the official "Shattered" web site. Slashdot reader Artem Tashkinov explains its significance: A WebKit developer who tried to upload "bad" PDF files generated from the first successful SHA-1 attack broke WebKit's SVN repository because Subversion uses SHA-1 hash to differentiate commits. The reason to upload the files was to create a test for checking cache poisoning in WebKit.

Another news story is that based on the theoretical incomplete description of the SHA-1 collision attack published by Google just two days ago, people have managed to recreate the attack in practice and now you can download a Python script which can create a new PDF file with the same SHA-1 hashsum using your input PDF. The attack is also implemented as a website which can prepare two PDF files with different JPEG images which will result in the same hash sum.

Hardware Hacking

Open Source Car-Hacking Tool Successfully Crowdfunded (kickstarter.com) 36

An anonymous reader writes: Two geeks are crowdfunding an open source car hacking tool that will allow builders to experiment with diagnostics, telematics, security, and prototyping. "Cars have become complicated and expensive to work with," they explain on a Kickstarter page. "Macchina wants to use open source hardware to help break down these barriers and get people tinkering with their cars again." After years developing a beta prototype, they announced a tiny plug-and-play device/development platform (that can also be hardwired under the hood) on an Arduino Due board with a 32-bit ARM microcontroller. They almost immediately reached their $25,000 funding goal, and with 24 days left to go they've already raised $41,672, and they're now also selling t-shirts to benefit the EFF's "Right to Repair" activism.

Challenging "the closed, unpublished nature of modern-day car computers," their M2 device ships with protocols and libraries "to work with any car that isn't older than Google." With catchy slogans like "root your ride" and "the future is open," they're hoping to build a car-hacking developer community, and they're already touting the involvement of Craig Smith, the author of the Car Hacker's Handbook from No Starch Press.

"The one thing that all car hobbyists can agree on is that playing with cars isn't cheap," argues the campaign page. "Open source hardware is the answer!"
Microsoft

94% of Microsoft Vulnerabilities Can Be Mitigated By Turning Off Admin Rights (computerworld.com) 150

An anonymous reader quotes Computerworld: If you want to shut out the overwhelming majority of vulnerabilities in Microsoft products, turn off admin rights on the PC. That's the conclusion from global endpoint security firm Avecto, which has issued its annual Microsoft Vulnerabilities report. It found that there were 530 Microsoft vulnerabilities reported in 2016, and of these critical vulnerabilities, 94% were found to be mitigated by removing admin rights, up from 85% reported last year. This is especially true with the browser, for those who still use Microsoft's browsers. 100% of vulnerabilities impacting both Internet Explorer and Edge could be mitigated by removing admin rights, Avecto reported... Windows 10 was found to have the highest proportion of vulnerabilities of any OS (395), 46% more than Windows 8 and Windows 8.1 (265 each). Avecto found that 93% of Windows 10 vulnerabilities could be mitigated by removing admin rights.
Of course, the stats are based on vulnerabilities announced in Microsoft Security Bulletins, but there's an overwhelming pattern. Turning off admin rights mitigated the vast majority of vulnerabilities, whether it was Windows Server (90%) or older versions of Microsoft Office (99%). And turning off admin rights in Office 2016 mitigated 100% of its vulnerabilities.
The Military

The US Department Of Defense Announces An Open Source Code Repository (defense.gov) 37

"The Pentagon is the latest government entity to join the open-source movement," writes NextGov. An anonymous reader quotes their report: The Defense Department this week launched Code.mil, a public site that will eventually showcase unclassified code written by federal employees. Citizens will be able to use that code for personal and public projects... The Defense Department's Digital Service team, whose members are recruited for short-term stints from companies including Google and Netflix, will be the first to host its code on the site once the agreement is finalized... "This is a direct avenue for the department to tap into a worldwide community of developers to collectively speed up and strengthen the software development process," a DOD post announcing the initiative said. The Pentagon also aims to find software developers and "make connections in support of DOD programs that ultimately service our national security."
Interestingly, there's no copyright protections on code written by federal employees, according to U.S. (and some international) laws, according to the site. "This can make it hard to attach an open source license to our code, and our team here at Defense Digital Service wants to find a solution. You can submit a public comment by opening a GitHub issue on this repository before we finalize the agreement at the end of March."
Transportation

Did Silicon Valley Lose The Race To Build Self-Driving Cars? (autoblog.com) 106

schwit1 quotes Autoblog: Up until very recently the talk in Silicon Valley was about how the tech industry was going to broom Detroit into the dustbin of history. Companies such as Apple, Google, and Uber -- so the thinking went -- were going to out run, out gun, and out innovate the automakers. Today that talk is starting to fade. There's a dawning realization that maybe there's a good reason why the traditional car companies have been around for more than a century.

Last year Apple laid off most of the engineers it hired to design its own car. Google (now Waymo) stopped talking about making its own car. And Uber, despite its sky high market valuation, is still a long, long way from ever making any money, much less making its own autonomous cars. To paraphrase Elon Musk, Silicon Valley is learning that "Making rockets is hard, but making cars is really hard."

The article argues the big auto-makers launched "vigorous in-house autonomous programs" which became fully competitive with Silicon Valley's efforts, and that Silicon Valley may have a larger role crunching the data that's collected from self-driving cars. "Last year in the U.S. market alone Chevrolet collected 4,220 terabytes of data from customer's cars... Retailers, advertisers, marketers, product planners, financial analysts, government agencies, and so many others will eagerly pay to get access to that information."
Businesses

How Cable Monopolies Hurt ISP Customers (backchannel.com) 82

"New York subscribers have had to overpay month after month for services that Spectrum deliberately didn't provide," reports Backchannel -- noting these practices are significant because together Comcast and Charter (formerly Time Warner Cable) account for half of America's 92 million high-speed internet connections. An anonymous reader quotes Backchannel: Based on the company's own documents and statements, it appears that just about everything it has been saying since 2012 to New York State residents about their internet access and data services is untrue...because of business decisions the company deliberately made in order to keep its capital expenditures as low as possible... Its marketing department kept sending out advertising claims to the public that didn't match the reality of what consumers were experiencing or square with what company engineers were telling Spectrum executives. That gives the AG's office its legal hook: Spectrum's actions in knowingly saying one thing but doing another amount to fraudulent, unfair, and deceptive behavior under New York law...

The branding people went nuts, using adjectives like Turbo, Extreme, and Ultimate for the company's highest-speed 200 or 300 Mbps download offerings. But no one, or very few people, could actually experience those speeds...because, according to the complaint, the company deliberately required that internet data connections be shared among a gazillion people in each neighborhood... [T]he lawsuit won't by itself make much of a difference. But maybe the public nature of the attorney-general's assault -- charging Spectrum for illegal misconduct -- will lead to a call for alternatives. Maybe it will generate momentum for better, faster, wholesale fiber networks controlled by cities and localities themselves. If that happened, retail competition would bloom. We'd get honest, straightforward, inexpensive service, rather than the horrendously expensive cable bundles we're stuck with today.

The article says Spectrum charged 800,000 New Yorkers $10 a month for outdated cable boxes that "weren't even capable of transmitting and receiving wifi at the speeds the company advertised customers would be getting," then promised the FCC in 2013 that they'd replace them, and then didn't. "With no competition, it had no reason to upgrade its services. Indeed, the company's incentives went exactly in the other direction."
Open Source

GitHub Invites Contributions To 'Open Source Guides' (infoq.com) 53

An anonymous reader quotes InfoQ: GitHub has recently launched its Open Source Guides, a collection of resources addressing the most common scenarios and best practices for both contributors and maintainers of open source projects. The guides themselves are open source and GitHub is actively inviting developers to participate and share their stories... "Open source is complicated, especially for newcomers. Experienced contributors have learned many lessons about the best way to use, contribute to, and produce open source software. Everyone shouldn't have to learn those lessons the hard way."

Making a successful first contribution is not the exclusive focus of the guides, though, which also strives to make it easier to find users for a project, starting a new project, and building healthy open source communities. Other topics the guides dwell on are best practices, getting financial support, metrics, and legal matters.

GitHub's Head of Open Source says the guides create "the equivalent of a water cooler for the community."
Security

Ask Slashdot: How Are You Responding To Cloudbleed? (reuters.com) 76

An anonymous IT geek writes: Cloudflare-hosted web sites have been leaking data as far back as September, according to Gizmodo, which reports that at least Cloudflare "acted fast" when the leak was discovered, closing the hole within 44 minutes, and working with search engines to purge their caches. (Though apparently some of it is still lingering...) Cloudflare CEO Matthew Prince "claims that there was no detectable uptick in requests to Cloudflare-powered websites from September of last year...until today. That means the company is fairly confident hackers didn't discover the vulnerability before Google's researchers did."

And the company's CTO also told Reuters that "We've seen absolutely no evidence that this has been exploited. It's very unlikely that someone has got this information... We do not know of anybody who has had a security problem as a result of this." Nevertheless, Fortune warns that "So many sites were vulnerable that it doesn't make sense to review the list and change passwords on a case-by-case basis." Some sites are now even resetting every user's password as a precaution, while site operators "are also being advised to wipe their sites' cookies and security certificates, and perform their own web searches to see if site data leaked." But I'd like to know what security precautions are being taken by Slashdot's readers?

Leave your own answers in the comments. How did you respond to Cloudbleed?
Transportation

FAA Warns More Drones Are Flying Near Airports (fortune.com) 47

Between February and September of 2016, there were 1,274 reports of drones near airports -- versus just 874 for the same period in 2015, according to newly-released FAA research. "The report detailed more than 1,200 incidents of airplane pilots, law enforcement, air traffic controllers, and U.S. citizens reporting drones flying in places they shouldn't," writes Fortune. An anonymous reader quotes their report: One of takeaway of the report was that while the FAA has received several reports from pilots that drones may have hit their aircraft, the administration was unable to verify any such claim. "Every investigation has found the reported collisions were either birds, impact with other items such as wires and posts, or structural failure not related to colliding with an unmanned aircraft," the FAA said in a statement... Although a drone hasn't smashed into an airplane yet, the FAA "wants to send a clear message that operating drones around airplanes and helicopters is dangerous and illegal. Unauthorized operators may be subject to stiff fines and criminal charges, including possible jail time," the FAA said.
Social Networks

Are Your Slack Conversations Really Private and Secure? (fastcompany.com) 61

An anonymous reader writes: "Chats that seem to be more ephemeral than email are still being recorded on a server somewhere," reports Fast Company, noting that Slack's Data Request Policy says the company will turn over data from customers when "it is compelled by law to do so or is subject to a valid and binding order of a governmental or regulatory body...or in cases of emergency to avoid death or physical harm to individuals." Slack will notify customers before disclosure "unless Slack is prohibited from doing so," or if the data is associated with "illegal conduct or risk of harm to people or property."

The article also warns that like HipChat and Campfire, Slack "is encrypted only at rest and in transit," though a Slack spokesperson says they "may evaluate" end-to-end encryption at some point in the future. Slack has no plans to offer local hosting of Slack data, but if employers pay for a Plus Plan, they're able to access private conversations.

Though Slack has 4 million users, the article points out that there's other alternatives like Semaphor and open source choices like Wickr and Mattermost. I'd be curious to hear what Slashdot readers are using at their own workplaces -- and how they feel about the privacy and security of Slack?
Education

Arizona Bill Would Make Students In Grades 4-12 Participate Once In An Hour of Code (azpbs.org) 138

theodp writes: Christopher Silavong of Cronkite News reports: "A bill, introduced by [Arizona State] Sen. John Kavanagh [R-Fountain Hills] would mandate that public and charter schools provide one hour of coding instruction once between grades 4 to 12. Kavanagh said it's critical for students to learn the language -- even if it's only one session -- so they can better compete for jobs in today's world. However, some legislators don't believe a state mandate is the right approach. Senate Bill 1136 has passed the Senate, and it's headed to the House of Representatives. Kavanagh said he was skeptical about coding and its role in the future. But he changed his mind after learning that major technology companies were having trouble finding domestic coders and talking with his son, who works at a tech company." According to the Bill, the instruction can "be offered by either a nationally recognized nonprofit organization [an accompanying Fact Sheet mentions tech-backed Code.org] that is devoted to expanding access to computer science or by an entity with expertise in providing instruction to pupils on interactive computer instruction that is aligned to the academic standards."
Medicine

Fasting Diet 'Regenerates Diabetic Pancreas' (bbc.com) 151

According to a new study published in the journal Cell, a certain type of fasting diet can trigger the pancreas to regenerate itself. Of course, the researchers advise people not to try this without medical advice. BBC reports: In the experiments, mice were put on a modified form of the "fasting-mimicking diet." It is like the human form of the diet when people spend five days on a low calorie, low protein, low carbohydrate but high unsaturated-fat diet. It resembles a vegan diet with nuts and soups, but with around 800 to 1,100 calories a day. Then they have 25 days eating what they want -- so overall it mimics periods of feast and famine. Previous research has suggested it can slow the pace of aging. But animal experiments showed the diet regenerated a special type of cell in the pancreas called a beta cell. These are the cells that detect sugar in the blood and release the hormone insulin if it gets too high. There were benefits in both type 1 and type 2 diabetes in the mouse experiments. Type 1 is caused by the immune system destroying beta cells and type 2 is largely caused by lifestyle and the body no longer responding to insulin. Further tests on tissue samples from people with type 1 diabetes produced similar effects.
The Courts

ZeniMax Files Injunction To Stop Oculus From Selling VR Headsets (gamespot.com) 77

ZeniMax, the parent company of Fallout and Skyrim developer Bethesda, has filed for an injunction against virtual-reality company Oculus over the recent stolen technology case. The company had accused Oculus of stealing VR-related code, and was subsequently awarded $500 million by a Dallas court earlier this month. ZeniMax has now filed additional papers against Oculus, requesting that Oculus' products using the stolen code be removed from sale. GameSpot reports: Specifically, ZeniMax is seeking to block sales of its mobile and PC developer kits, as well as technology allowing the integration of Oculus Rift with development engines Unreal and Unity, reports Law360. If the injunction isn't granted, ZeniMax wants a share of "revenues derived from products incorporating its intellectual properties," suggesting a 20 percent cut for at least 10 years. ZeniMax argues the previous settlement of $500 million is "insufficient incentive for [Oculus] to cease infringing." Oculus, meanwhile, says that "ZeniMax's motion does not change the fact that the [original] verdict was legally flawed and factually unwarranted. We look forward to filing our own motion to set aside the jury's verdict and, if necessary, filing an appeal that will allow us to put this litigation behind us," the virtual reality company stated.
Displays

Slashdot Asks: Are Curved TVs Worth It? (cnet.com) 168

New submitter cherishjoo shares a report written by David Katzmaier via CNET: When the first curved TVs appeared more than three years ago I asked whether they were a gimmick. As a TV reviewer I had to give the curve a fighting chance, however, so I took a curved Samsung home to live with my family for awhile, in addition to subjecting it to a full CNET review. In the end, I answered my own question with the headline "Great picture quality, but the curved screen is a flat-out gimmick." Since then most of the video geeks I know, including just about everybody I hear from on Twitter, Facebook and article comments, pooh-poohs curved TV screens as a useless distraction. A curved TV takes the traditional flat screen and bends it along a gentle arc. The edges end up a bit closer, ostensibly providing a slight wraparound effect. Curved TV makers, citing huge curved screens like IMAX, call their sets more "immersive" than their flat counterparts, but in my experience that claim doesn't hold water at in-home (as opposed to theatrical) screen sizes and viewing distances. The only real image-quality benefit I saw to the curve was a reduction in reflections in some cases. That benefit wasn't worth the slight geometric distortions introduced by the curve, not to mention its awkwardness when hung on the wall. That said, the curve doesn't ruin an otherwise good picture. In TVs, assuming similar prices, curved vs. flat boils down to a choice of aesthetics. As Katzmaier mentioned, curved TVs have been on the market for several years now, and while manufacturers continue to produce them, the verdict on whether or not the pros outweigh the cons is still murky. Here's our question for you: Are curved televisions worth the inflated price tag? If you are in the market for a new TV, does the fact that the display is curved entice you or steer you away?
Government

FCC To Halt Rule That Protects Your Private Data From Security Breaches (arstechnica.com) 117

According to Ars Technica, "The Federal Communications Commission plans to halt implementation of a privacy rule that requires ISPs to protect the security of its customers' personal information." From the report: The data security rule is part of a broader privacy rulemaking implemented under former Chairman Tom Wheeler but opposed by the FCC's new Republican majority. The privacy order's data security obligations are scheduled to take effect on March 2, but Chairman Ajit Pai wants to prevent that from happening. The data security rule requires ISPs and phone companies to take "reasonable" steps to protect customers' information -- such as Social Security numbers, financial and health information, and Web browsing data -- from theft and data breaches. The rule would be blocked even if a majority of commissioners supported keeping them in place, because the FCC's Wireline Competition Bureau can make the decision on its own. That "full commission vote on the pending petitions" could wipe out the entire privacy rulemaking, not just the data security section, in response to petitions filed by trade groups representing ISPs. That vote has not yet been scheduled. The most well-known portion of the privacy order requires ISPs to get opt-in consent from consumers before sharing Web browsing data and other private information with advertisers and other third parties. The opt-in rule is supposed to take effect December 4, 2017, unless the FCC or Congress eliminates it before then. Pai has said that ISPs shouldn't face stricter rules than online providers like Google and Facebook, which are regulated separately by the Federal Trade Commission. Pai wants a "technology-neutral privacy framework for the online world" based on the FTC's standards. According to today's FCC statement, the data security rule "is not consistent with the FTC's privacy standards."
Data Storage

Toshiba Plans To Ship a 1TB Flash Chip To Manufacturers This Spring (computerworld.com) 24

Lucas123 writes: Toshiba has begun shipping samples of its third-generation 3D NAND memory product, a chip with 64 stacked flash cells that it said will enable a 1TB chip shipping later this spring. The new flash memory product has 65% greater capacity than the previous generation technology, which used 48 layers of NAND flash cells. The chip will be used in data centers and consumer SSD products. The technology announcement comes even as suitors are eyeing buying a majority share of the company's memory business. Along with a previous report about Western Digital, Foxxcon, SK Hynix and Micron Technology have now also thrown their hats in the ring to purchase a majority share in Toshiba's memory spin-off, according to a new report in the Nikkei's Asian Review.
Government

Security Lapse Exposed New York Airport's Critical Servers For a Year (zdnet.com) 44

An anonymous reader quotes a report from ZDNet: A security lapse at a New York international airport left its server backups exposed on the open internet for almost a year, ZDNet has found. The internet-connected storage drive contained several backup images of servers used by Stewart International Airport, but neither the backup drive nor the disk images were password protected, allowing anyone to access their contents. Since April last year, the airport had been inadvertently leaking its own highly-sensitive files as a result of the drive's misconfiguration. Vickery, who also posted an analysis of his findings, said the drive "was, in essence, acting as a public web server" because the airport was backing up unprotected copies of its systems to a Buffalo-branded drive, installed by a contract third-party IT specialist. When contacted Thursday, the contractor dismissed the claims and would not comment further. Though the listing still appears on Shodan, the search engine for unprotected devices and databases, the drive has since been secured. The files contained eleven disk images, accounting for hundreds of gigabytes of files and folders, which when mounted included dozens of airport staff email accounts, sensitive human resources files, interoffice memos, payroll data, and what appears to be a large financial tracking database. Many of the files we reviewed include "confidential" internal airport documents, which contain schematics and details of other core infrastructure.

Slashdot Top Deals