Slashdot
- Apple Pay With Visa Hacked To Make Payments Via Locked iPhones
- Chip Shortage Leads Carmaker Opel To Shut German Plant Until 2022
- Fairphone's Latest Sustainable Smartphone Comes With a Five-Year Warranty
- Developers Are Quitting To Escape From Your Bad Code
- Zoom and Five9 Abandon $14.7 Billion Acquisition
- TikTok Launches First Creator-Led NFT Collection
- Telegram Bots Are Trying To Steal Your One-time Passwords
- Blue Origin Has a Toxic Culture, Former and Current Employees Say
- New USB-C Logos Make Picking USB Cables, Chargers Less Confusing
- Cloudflare To Enter Infrastructure Services Market With New R2 Storage Product
- Oracle Loses Appeal Against $3 Billion Payment To HPE Over Withdrawal of Itanium Support
- Chinese Espionage Group Deploys New Rootkit Compatible With Windows 10 Systems
- Anonymous: We've Leaked Disk Images Stolen From Web Host Epik
- Natural-gas Prices Are Spiking Around the World
- Rick Scott Probes LinkedIn, Microsoft on Censoring US Journalists in China
Apple Pay With Visa Hacked To Make Payments Via Locked iPhones
Posted: 30 Sep 2021 07:02 PM PDT

Researchers have demonstrated that someone could use a stolen, locked iPhone to pay for thousands of dollars of goods or services, no authentication needed. Threatpost reports: An attacker who steals a locked iPhone can use a stored Visa card to make contactless payments worth up to thousands of dollars without unlocking the phone, researchers are warning. The problem is due to unpatched vulnerabilities in both the Apple Pay and Visa systems, according to an academic team from the Universities of Birmingham and Surrey, backed by the U.K.'s National Cyber Security Centre (NCSC). But Visa, for its part, said that Apple Pay payments are secure and that any real-world attacks would be difficult to carry out. The team explained that fraudulent tap-and-go payments at card readers can be made using any iPhone that has a Visa card set up in "Express Transit" mode. Express Transit allows commuters around the world, including those riding the New York City subway, the Chicago El and the London Underground, to tap their phones on a reader to pay their fares without unlocking their devices. "An attacker only needs a stolen, powered-on iPhone," according to a writeup (PDF) published this week. "The transactions could also be relayed from an iPhone inside someone's bag, without their knowledge. The attacker needs no assistance from the merchant." This attack is made possible by a combination of flaws in both Apple Pay and Visa's systems, the academic team noted. "The details of this vulnerability have been disclosed to Apple (Oct 2020) and to Visa (May 2021)," according to the writeup. "Both parties acknowledge the seriousness of the vulnerability, but have not come to an agreement on which party should implement a fix."

"Variations of contactless-fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to execute at scale in the real world," Visa said in a statement to the BBC, adding that its fraud-detection systems would flag any suspicious transactions. Apple meanwhile shifted the responsibility to Visa and told the outlet, "We take any threat to users' security very seriously. This is a concern with a Visa system, but Visa does not believe this kind of fraud is likely to take place in the real world given the multiple layers of security in place. In the unlikely event that an unauthorized payment does occur, Visa has made it clear that their cardholders are protected by Visa's zero-liability policy." The researchers say users can protect themselves by not using a Visa card as a transport card in Apple Pay, and if they do, by remotely wiping the device if it is lost or stolen. The bug does not affect other types of payment cards or payment systems.

Read more of this story at Slashdot.
Chip Shortage Leads Carmaker Opel To Shut German Plant Until 2022
Posted: 30 Sep 2021 06:25 PM PDT

Carmaker Opel, which is part of the Stellantis group, said on Thursday it will close one of its plants in Germany until at least the end of the year due to chip shortages. Reuters reports: Production at the Eisenach plant, which makes internal combustion engine and hybrid electric cars, should start again in 2022, although an Opel spokesperson could not specify a date. Some 1,300 workers employed at the plant will be temporarily laid off, Opel said, with a separate plant in France picking up some of the production. Stellantis has halted production at other plants, including in Europe and Canada, forecasting that it would make 1.4 million fewer vehicles this year due to the chip shortage.

Read more of this story at Slashdot.
Fairphone's Latest Sustainable Smartphone Comes With a Five-Year Warranty
Posted: 30 Sep 2021 05:45 PM PDT

New submitter thegreatnick writes: The next generation of Fairphone -- an attempt to make an ethical smartphone -- has been announced with the Fairphone 4. The base specs include a Qualcomm Snapdragon 750G SoC, 6GB of RAM, and 128GB of storage (upgradeable to 8GB and 256GB). On the front, you'll get a 6.3-inch, 2340x1080 LCD display with slimmer bezels (compared to the Fairphone 3 design) and a teardrop notch for the 25-megapixel front camera. The 3,905mAh battery is Qualcomm Quick Charge 4.1 compatible, so if you have a compatible USB-C charger (not included in the box to reduce waste) you can take the battery from 0-50% in 30 minutes. The phone ships with Android 11 and has a side-mounted fingerprint reader in the power button, a MicroSD slot, and the option for dual-SIM usage via one physical nanoSIM and an eSIM. Continuing Fairphone's progress in making a "fair" supply chain -- both ethically-clean raw materials and paying workers a fair wage -- it also describes the 4 as "e-waste neutral." This is a neat way of summing up the idea that the company will recycle one device for every Fairphone 4 it sells. In addition, Fairphone can boast that it now uses 70% "fair" materials inside the handset, including FairTrade Gold and Silver, aluminum from ASI-certified vendors, and a backplate made from 100% post-consumer recycled polycarbonate. In an upgrade to previous models, the Fairphone 4 has dual cameras, though it loses the headphone jack. The company says this was to achieve an IP54 waterproof rating (light splashes) -- a first for the Fairphone brand. It's also been announced that it will come with an industry-leading 5-year warranty and aims to get 6 years of software updates for the phone.

Read more of this story at Slashdot.
Developers Are Quitting To Escape From Your Bad Code
Posted: 30 Sep 2021 05:02 PM PDT

An anonymous reader shares an excerpt from a ZDNet article, written by Liam Tung: [A] survey has come up with another reason why your engineers might want to quit -- their fellow developers' terrible code. Software engineers have long struggled with 'technical debt' created by past coding practices that might have been clever but also were undocumented and exotic. At a high level, technical debt is the price paid by supporting legacy systems rather than overhauling them or implementing a better, new system. The term can span everything from a major IT implementation, such as a core banking system that requires a decade of bug fixes, to the choice of programming language to build backend systems. In the latter case, subsequent language updates can require today's developers to rewrite old code written by long-gone developers who wrote under different conditions and who might not have documented what they did and why they did it. That's a big problem for companies that have millions of lines of code written in a language. Stepsize, a firm that focuses on technical debt by tracking development issues in major code editors such as VS Code, conducted a fairly small survey of 200 software engineers to find out why they leave their jobs. The company said that 51% of engineers in its survey have considered leaving or left a job because of technical debt. Of that group who feel irked by technical debt issues, some 20% said that type of debt is the main reason they left a company. The results should be taken in context: the company's key selling point is trying to solve technical debt challenges that organizations face, but at the same time, technical debt could be one area worthy of attention considering how hard it is to hire and retain software engineers. Technical debt, or 'code quality and codebase health', was the fourth most important issue cited by respondents.

Salary still trumped it, with 82% citing it as one of the "most important factors" when interviewing for a new role. The survey allowed respondents to choose several primary factors. "Technical challenges and growth opportunities" was the second priority, with 75% choosing it as one of the most important factors. Some 68% of respondents said remote work was the most important factor, while 62% said 'code quality and codebase health' was one of those prime factors. Slashdot reader ellithligraw first shared the report, adding: "Yet another reason developers are quitting... to escape the technical debt, or schlock code, or code rot. COBOL anyone?"

Read more of this story at Slashdot.
Zoom and Five9 Abandon $14.7 Billion Acquisition
Posted: 30 Sep 2021 04:12 PM PDT

Cloud contact center software company Five9 and video calling software maker Zoom said Thursday they will not go forward with Zoom's plan to acquire Five9 for $14.7 billion. From a report: Five9 shares fell 2% in extended trading following the statement from the companies, which said the acquisition didn't receive enough votes from Five9 shareholders. A branch of the U.S. Department of Justice was reviewing the deal out of concern over potential foreign participation, according to a letter dated Aug. 27 that was sent to the Federal Communications Commission. But Zoom said last week, when news of the review was reported, that it still expected the deal to close in the first half of 2022.

Read more of this story at Slashdot.
TikTok Launches First Creator-Led NFT Collection
Posted: 30 Sep 2021 03:40 PM PDT

TikTok, the world's most downloaded app with over 1 billion monthly active users, has lined up its own NFT drop. The company's first-ever NFT collection "leverages content from some of its top creators, including Lil Nas X, Grimes, Bella Poarch, Rudy Willingham and Gary Vaynerchuk," reports TechCrunch. From the report: The release of one-of-one and limited edition NFTs seems to be focused on generating buzz among the existing NFT community rather than exposing users inside the app to non-fungible tokens. The company is side-stepping blockchain energy concerns by placing their NFTs on a dedicated site powered by Immutable X, a Layer-2 scaling solution for Ethereum which says that NFTs traded using it are "100% carbon neutral." The drop starts October 6 with a collection from Lil Nas X and will continue on through the end of the month. Why is TikTok getting into the world of NFTs to begin with? TikTok has a fairly precise answer for that on its drop site: "Inspired by the creativity and innovation of the TikTok creator community, TikTok is exploring the world of NFTs as a new creator empowerment tool. NFTs are a new way for creators to be recognized and rewarded for their content and for fans to own culturally-significant moments on TikTok. The creation that happens on TikTok helps drive culture and start trends that impact society. TikTok will bring something unique and groundbreaking to the NFT landscape by curating some of these cultural milestones and pairing them with prominent NFT artists."

Read more of this story at Slashdot.
Telegram Bots Are Trying To Steal Your One-time Passwords
Posted: 30 Sep 2021 03:02 PM PDT

Telegram-powered bots are being utilized to steal the one-time passwords (OTPs) required in two-factor authentication (2FA) security. From a report: On Wednesday, researchers from Intel 471 said that they have seen an "uptick" in the number of these services provided in the web's underground, and over the past few months, it appears the variety of 2FA circumvention solutions is expanding -- with bots becoming a firm favorite. [...] While 2FA can improve upon the use of passwords alone to protect our accounts, threat actors were quick to develop methods to intercept OTPs, such as through malware or social engineering. According to Intel 471, since June, a number of 2FA-circumventing services have been abusing the Telegram messaging service. Telegram is either being used to create and manage bots or as a 'customer support' channel host for cybercriminals running these types of operations. "In these support channels, users often share their success while using the bot, often walking away with thousands of dollars from victim accounts," the researchers say.

Read more of this story at Slashdot.
Blue Origin Has a Toxic Culture, Former and Current Employees Say
Posted: 30 Sep 2021 02:25 PM PDT

An anonymous reader quotes a report from Ars Technica: A former communications executive at Blue Origin and 20 other current and former employees have written a blistering essay about the company's culture, citing safety concerns, sexist attitudes, and a lack of commitment to the planet's future. "In our experience, Blue Origin's culture sits on a foundation that ignores the plight of our planet, turns a blind eye to sexism, is not sufficiently attuned to safety concerns, and silences those who seek to correct wrongs," the essay authors write. "That's not the world we should be creating here on Earth, and certainly not as our springboard to a better one." Published Thursday on the Lioness website, the essay is signed publicly by only Alexandra Abrams, who led employee communications for the company until she was terminated in 2019. The other signatories, a majority of whom were engineers, declined to publicly disclose their names because they did not want to jeopardize employment at Blue Origin or harm their prospects in the aerospace industry for other jobs. At times, the essay is shocking in its candor. Many of the essay's authors said they would not feel safe flying on a Blue Origin vehicle. And the anecdotes of sexism and an unhealthy work culture are vivid. "Former and current employees have had experiences they could only describe as dehumanizing, and are terrified of the potential consequences for speaking out against the wealthiest man on the planet," the authors write. "Others have experienced periods of suicidal thoughts after having their passion for space manipulated in such a toxic environment. One senior program leader with decades in the aerospace and defense industry said working at Blue Origin was the worst experience of her life."

After publication of the essay, Ars spoke with several current and former employees who have provided reliable information in the past about the company. Although it is clear the essay was a product of disgruntled workers, these sources agreed that there were elements of truth in the essay. For these sources, the withering criticism of Blue Origin founder Jeff Bezos, and his hand-picked chief executive, Bob Smith, rang especially true. The essay authors write, "Professional dissent at Blue Origin is actively stifled. Smith personally told one of us to not make it easy for employees to ask questions at company town halls -- one of the only available forums for live, open discussion." These town halls are typically moderated so that employees cannot directly ask questions of Smith. In one infamous exchange, there were apparently so few substantive questions Smith was willing to answer that the moderator resorted to asking Smith what his favorite ice cream was. "Sorbet," Smith answered. Another example of unwelcome management tactics cited in the essay was Bezos' decision, after the Supreme Court ruling in the Epic Systems arbitration case, to force employees to sign away their right to resolve employment disputes in court. Sources confirmed to Ars that they were indeed faced with the choice of signing such an onerous contract or realizing they would eventually have to leave Blue Origin. It seemed grossly unfair. In response, Blue Origin said in a statement: "Ms. Abrams was dismissed for cause two years ago after repeated warnings for issues involving federal export control regulations. Blue Origin has no tolerance for discrimination or harassment of any kind. We provide numerous avenues for employees, including a 24/7 anonymous hotline, and will promptly investigate any new claims of misconduct." Abrams disputes those claims, saying that she never received any warnings, verbal or written, from management about issues involving federal export control regulations.

Read more of this story at Slashdot.
New USB-C Logos Make Picking USB Cables, Chargers Less Confusing
Posted: 30 Sep 2021 01:42 PM PDT

Choosing the correct USB-C charger and cable for your laptop is about as fun as visiting the dentist, but new logos released today should go a long way toward making it easier. PCWorld: The USB Implementers Forum group that oversees the USB standard has released logos that easily indicate whether a cable or charger can hit the new 240 watt rating. Previous USB-C chargers and cables were rated to hit 65 watts or 100 watts, but a new version of USB Power Delivery released this May has pushed the limit to an impressive 240 watts. Obviously, that means if you're looking for a 240 watt aftermarket charger for a new gaming laptop that supports it, you want one. With the new USB-C logos, all you have to do is look for a Certified USB Charger 240W logo with a lightning bolt like the one from the chart above. The other component you may need is a 240 watt USB-C cable, so consumers need only look for Certified USB Charger 240W with a cable in its logo. Both logos can also be paired with a USB 40Gbps mark to indicate that the cable is certified to support USB4's 40Gbps speed. The higher output 240 watt power range is a welcome addition to USB-C as it should allow laptop makers to bring universal USB-C charging to far more powerful laptops, including gaming laptops with discrete graphics chips -- something that was out of reach of the previous USB-C chargers, cables, and ports. In fact, we found that we probably wouldn't want to use a small USB-C charger in a gaming laptop with today's technology. With a 240 watt USB-C charger, we'd probably change our mind. The problem, of course, is that the USB-IF is an organization that certifies cables, chargers, and USB-C bric-a-brac, but certification is not mandatory. This has led to small-brand and no-name manufacturers getting the spec wrong in the past.

The good news is that cables from companies that actually obtain certifications correctly should work correctly.

Read more of this story at Slashdot.
Cloudflare To Enter Infrastructure Services Market With New R2 Storage Product
Posted: 30 Sep 2021 01:01 PM PDT

Cloudflare, which has a network of data centers in 250 locations around the world, announced its first dalliance with infrastructure services today, an upcoming cloud storage offering called R2. From a report: Company co-founder and CEO Matthew Prince says that the idea for moving into storage as a service came from the same place as other ideas the company has turned into products. It was something they needed in-house, and that led to them building it for themselves before offering it to customers too. "When we build products, the reason that we end up building them is usually because we need them ourselves," Prince told me. He said that the storage component grew out of the need to store object components like images on the company's network. Once they built it, and they looked around at the cloud storage landscape, they decided that it would make sense to offer it as a product to customers too. [...] The R2 name is a little swipe at Amazon's S3 storage product and obviously a play on the name. The difference, according to Prince, is that they have found a way to reduce storage costs by up to 10% by eliminating egress fees. Cloudflare plans to price storage at $0.015 per GB of data stored per month. That compares with S3 pricing that starts at $0.023 per GB for the first 50 TB per month. Ben Thompson, writing at Stratechery: The reason that Cloudflare can pull this off is the same reason why S3's margins are so extraordinary: bandwidth is a fixed cost, not a marginal one. To take the most simplified example possible, if I were to have two computers connected by a cable, the cost of bandwidth is however much I paid for the cable; once connected I can transmit as much data as I would like for free -- in either direction.

That's not quite right, of course: I am constrained by the capacity of the cable; to support more data transfer I would have to install a higher capacity cable, or more of them. What, though, if I already had built a worldwide network of cables for my initial core business of protecting websites from distributed denial-of-service attacks and offering a content delivery network, the value of which was such that ISPs everywhere gave me space in their facilities to place my servers? Well, then I would have massive amounts of bandwidth already in place, the use of which has zero marginal costs, and oh-by-the-way locations close to end users to stick a whole bunch of hard drives. In other words, I would be Cloudflare: I would charge marginal rates for my actual marginal costs (storage, and some as-yet-undetermined-but-promised-to-be-lower-than-S3 rate for operations), and give away my zero marginal cost product for free. S3's margin is R2's opportunity.

Read more of this story at Slashdot.
Oracle Loses Appeal Against $3 Billion Payment To HPE Over Withdrawal of Itanium Support
Posted: 30 Sep 2021 12:25 PM PDT

The Supreme Court of California has thrown out Oracle's appeal against a decision to award $3 billion damages to HPE in a case which dates back a decade and relates to Big Red's commitment to develop on Itanium hardware. From a report: On Wednesday, the court denied a review of Oracle's appeal against a summary judgement, apparently without comment or any written dissents. The decision follows a ruling made in the California Court of Appeal that affirmed HPE's $3.14bn win for alleged contract violation, stating that an agreement between the firms had created a legal obligation for Oracle to support software on HPE's Itanium server. The case hinged on the companies' statements that they had a "longstanding strategic relationship" and a "mutual desire to continue to support their mutual customers." The agreement stated that Oracle, for its part, "will continue to offer its product suite on HP platforms" while HPE "will continue to support Oracle products (including Oracle Enterprise Linux and Oracle VM) on its hardware." The ruling reads: "We conclude that the second sentence, moreover, does more than declare an aspiration or intent to continue working together, as Oracle claims. It commits the parties to continue the actions specified (Oracle offering its product suite and HP supporting the products)," as it had done previously.

Read more of this story at Slashdot.
Chinese Espionage Group Deploys New Rootkit Compatible With Windows 10 Systems
Posted: 30 Sep 2021 11:47 AM PDT

At the SAS 2021 security conference today, analysts from security firm Kaspersky Lab published details about a new Chinese cyber-espionage group that has been targeting high-profile entities across South East Asia since at least July 2020. From a report: Named GhostEmperor, Kaspersky said the group uses highly sophisticated tools and is often focused on gaining and keeping long-term access to its victims through the use of a powerful rootkit that can even work on the latest versions of Windows 10 operating systems. "We observed that the underlying actor managed to remain under the radar for months," Kaspersky researchers explained today. The entry point for GhostEmperor's hacks was public-facing servers. Kaspersky believes the group used exploits for Apache, Oracle, and Microsoft Exchange servers to breach a target's perimeter network and then pivoted to more sensitive systems inside the victim's network.

Read more of this story at Slashdot.
Anonymous: We've Leaked Disk Images Stolen From Web Host Epik
Posted: 30 Sep 2021 11:00 AM PDT

slack_justyb writes: As previously reported, the web host Epik was hacked by a group identifying themselves with the group Anonymous. However, in the most recent leaks from this group the scale of data that was stolen is becoming apparent, and signs point to a wholesale theft of data with no stone left unturned. We're told the dump is a 70GB archive of files and "several bootable disk images of assorted systems" that represent Epik's server infrastructure. Journalist Steve Monacelli, who broke the news of the first data release, said the latest leak expands to 300GB. "This leak appears to be fully bootable disk images of Epik servers, including a wide range of passwords and API tokens," he added. WhiskeyNeon, a Texas-based hacker and cybersecurity expert who reviewed the file structure of the leak, told the Daily Dot how the disk images represented Epik's entire server infrastructure. "Files are one thing, but a virtual machine disk image allows you to boot up the company's entire server on your own," he said. "We usually see breaches with database dumps, documents, configuration files, etc. In this case, we are talking about the entire server image, with all the programs and files required to host the application it is serving." The Daily Dot brings some word on Epik CEO Rob Monster's response to the latest news: Epik CEO Rob Monster, who did not respond to requests for comment from the Daily Dot, would go on to hold a more than four-hour-long live video conference online to address the initial hack. The meeting would see Monster break out into prayer numerous times, make attempts to vanquish demons, and warn viewers that their hard drives could burst into flames due to "curses" placed on the hacked data.

Read more of this story at Slashdot.
Natural-gas Prices Are Spiking Around the World
Posted: 30 Sep 2021 10:30 AM PDT

Across the world, a natural-gas shortage is starting to bite. Prices of power in Germany and France have soared by around 40% in the past two weeks. In many countries, including Britain and Spain, governments are rushing through emergency measures to protect consumers. Economist: Factories are being temporarily switched off, from aluminium smelters in Mexico to fertiliser plants in Britain. Markets are frantic. One trader says it is like the global financial crisis for commodities. Even in America, the world's biggest natural-gas producer, lobby groups are calling on the government to limit exports of liquefied natural gas (LNG), the price of which has climbed to $25 per million British thermal units (mBTU), up by two-thirds in the past month. In one sense the crisis has fiendishly complex causes, with a mosaic of factors from geopolitics to precautionary hoarding in Asia sending prices higher. Viewed from a different perspective, however, its causes are simple: an energy market with only thin safety buffers has become acutely sensitive to disruptions. And subdued investment in fossil fuels may mean higher volatility is here to stay. The shortfall has taken almost everyone by surprise. In 2019 there was plenty of gas on the international market, thanks to new LNG plants coming online in America (see chart). When the covid pandemic struck and lockdown constrained demand, much of the excess gas went into storage in Europe. That came in handy last winter, which was particularly cold in northern Asia and Europe. The freeze pushed up demand for heating. In Asia gas prices quadrupled in three months. Buyers, such as national gas companies, looked to the LNG market to fill out supply. Many Europe-destined cargoes were diverted to Asia. Europe, by contrast, drew down on its reserves. Prices there only inched up. This year odd weather has featured again.

A hot summer has added to booming gas demand in Asia. The region accounts for almost three-quarters of global LNG imports, according to AllianceBernstein, a financial firm.

Read more of this story at Slashdot.
Rick Scott Probes LinkedIn, Microsoft on Censoring US Journalists in China
Posted: 30 Sep 2021 09:51 AM PDT

Sen. Rick Scott (R-Fla.) sent a letter to Microsoft and LinkedIn leadership on Thursday questioning why LinkedIn censored the profiles of U.S. journalists from the company's China-based platform this week, according to a letter obtained by Axios. From a report: LinkedIn -- which is owned by Microsoft -- notified several U.S. journalists this week, including Axios' Bethany Allen-Ebrahimian, that their accounts will no longer be viewable in China due to "prohibited content" on their profile. In addition to Allen-Ebrahimian, affected journalists include VICE News' Melissa Chan and freelance reporter Greg Bruno. All three have reported on human rights abuses in China. "I am deeply concerned that an American company is actively censoring American journalists on behalf of the Chinese Communist Party," Scott said in the letter addressed to Microsoft CEO Satya Nadella and LinkedIn CEO Ryan Roslansky. "Members of the media report information that is critical to helping Americans, including members of Congress, understand the scope of Communist China's abuses, especially its abuses against and surveillance of Uyghurs in Xinjiang," the senator continued. "The censorship of these journalists raises serious questions about Microsoft's intentions and its commitment to standing up against Communist China's horrific human rights abuses and repeated attacks against democracy."

Read more of this story at Slashdot.