SoylentNews

janrinok writes with news of a report (by Michael McNally) concerning a critical defect in BIND:

https://www.isc.org/blogs/about-cve-2015-5477-an-error-in-handling-tkey-queries-can-cause-named-to-exit-with-a-require-assertion-failure/

As the security incident manager for this particular vulnerability notification, I'd like to say a little extra, beyond our official vulnerability disclosure about this critical defect in BIND [Wikipedia].

Many of our bugs are limited in scope or affect only users having a particular set of configuration choices. CVE-2015-5477 does not fall into that category. Almost all unpatched BIND servers are potentially vulnerable. We know of no configuration workarounds. Screening the offending packets with firewalls is likely to be difficult or impossible unless those devices understand DNS at a protocol level and may be problematic even then. And the fix for this defect is very localized to one specific area of the BIND code.

The practical effect of this is that this bug is difficult to defend against (except by patching, which is completely effective) and will not be particularly difficult to reverse-engineer. I have already been told by one expert that they have successfully reverse-engineered an attack kit from what has been divulged and from analyzing the code changes, and while I have complete confidence that the individual who told me this is not intending to use his kit in a malicious manner, there are others who will do so who may not be far behind. Please take steps to patch or download a secure version immediately.

This bug is designated "Critical" and it deserves that designation.

The existence of this bug was announced 'in-house' on 28 July but is announced publicly today. Apologies for releasing my own story [submission].

Original Submission

An Anonymous Coward wrote in with a link to the launch of Windows 10:

http://www.anandtech.com/show/9471/windows-10-launches-worldwide

Windows 10 gains a personal assistant in Cortana. What originally launched on Windows Phone has been brought to the PC, and it can now work across all of your Windows devices. One of the key benefits of Windows 10 over Windows 8 is that features like Cortana are easily discoverable. Cortana now lives in a search box right beside the start button, and it can keep track of your travel plans, set up reminders, and perform searches for you. Microsoft is also adding a new browser to Windows 10, with Microsoft Edge. Although based on Internet Explorer under the hood, huge chunks of code have been taken out to improve security, and the rendering and scripting engines have been optimized to make Edge one of the fastest browsers around. It adds support for new features like being able to markup web pages and share them, and Cortana is built in to provide contextual search results right in the page. It is a big step up from Internet Explorer in standards compliance, and while it’s not quite finished yet, Microsoft has promised to update it often through the Windows Store.

...

The built in Xbox app will support Game DVR, allowing you to record game sessions, edit them, and share them, all within the Xbox app. One of the coolest features coming is game streaming from an Xbox One to any Windows 10 PC, allowing you to use any PC or tablet as the display for the Xbox, as long as it is on the LAN.

Other links:
http://www.telegraph.co.uk/technology/microsoft/windows/11767674/Windows-10-launch-Microsoft-releases-new-operating-system.html
http://arstechnica.co.uk/information-technology/2015/07/windows-10-released-heres-how-to-download-it/

Update (JR) - Stories about the bugs are now coming in: here and here.

Original Submission

iwoloschin and an Anonymous Coward write:

FS tells me that Ars Technica reports that Dice is selling the Slashdot and Sourceforge sites. The company in their second quarter earnings announcements stated they have "not successfully leveraged the Slashdot user base to further Dice's digital recruitment business", and are planning to divest this business.

The report goes on to note that in spite of what the report calls "an incredibly loyal and passionate following of tech professionals," Slashdot and SourceForge aren't core to DHI's business and that DHI has partnered with KeyBanc Capital Markets to advise DHI on the sale. There is no buyer lined up yet.

The report also says that Slashdot Media (the aggregate of Slashdot and SourceForge) made $1.7 million in revenue for the second quarter and that it's estimated Slashdot Media will pull somewhere between $15 million and $16 million in revenue for fiscal 2015.

Original Submission

takyon writes:

Josh Greenberg, 28-year-old cofounder of the shuttered music streaming service Grooveshark, has been found dead at his home in Gainesville, Florida. The Gainesville Sun reports:

Lori Greenberg, his mother, said Monday he had no health problems and she was told by police who investigated Sunday night that there was no evidence of foul play, injuries or drugs. She said her son was more relieved than depressed about the settlement that shut down Grooveshark on April 30 since it ended the lawsuit that had been hanging over his head. Several record companies had sued the online music streaming service over copyright violations. "He was excited about potential new things that he was going to start," she said.

[...] Greenberg and Sam Tarantino founded Grooveshark as 19-year-old freshmen at the University of Florida in March 2006. At its peak, the company had up to 40 million users a month and 145 employees, occupying most of the second floor of the Union Street Station in downtown Gainesville and a small office in New York City. Greenberg helped train other entrepreneurs and computer programmers to get their start in the tech industry through Grooveshark University classes, the Summer with the Sharks internship program and as a partner in the Founders Pad business incubator. He started MaidSuite with Student Maid founder Kristen Hadeed to provide an online scheduling application for cleaning companies and other service providers and recently helped start the Gainesville Dev Academy to offer computer programming training. He was a founding member of the Gainesville Area Chamber of Commerce's Gainesville Technology Council.

Previous reporting on Grooveshark:

April 27: Grooveshark Faces $736 Million in Copyright Damages
May 1: Grooveshark Shuts Down & Apologizes to the RIAA
May 10: Music Industry Kills Grooveshark, "Clone" Emerges
May 17: New Grooveshark Site Taken Down, Another One Pops Up

Original Submission

takyon writes:

The Federal Bureau of Investigation has shut down a "major computer hacking forum" called Darkode. The Darkode site now displays a banner with a message from the FBI, Department of Justice, and many foreign police agencies.

U.S. authorities working with law enforcement partners abroad have shut down the Darkode online forum used by cybercriminals around the world and charged 12 people linked to the site, the Justice Department said on Wednesday.

U.S. Attorney David Hickton announced the charges in Pittsburgh and called Darkode "a cyber hornet's nest of criminal hackers."

"Of the roughly 800 criminal Internet forums worldwide, Darkode represented one of the gravest threats to the integrity of data on computers in the United States," he said.

The Justice Department said the FBI and U.S. attorney's office in Pittsburgh led the investigation, known as Operation Shrouded Horizon. It included authorities from Europol and 20 countries in Europe and Latin America and included Israel, Nigeria and Australia.

12 individuals have been charged:

• Johan Anders Gudmunds, aka Mafi aka Crim aka Synthet!c, 27, of Sollebrunn, Sweden.
• Morgan C. Culbertson, aka Android, 20, of Pittsburgh.
• Eric L. Crocker, aka Phastman, 39, of Binghamton, New York.
• Naveed Ahmed, aka Nav aka semaph0re, 27, of Tampa, Florida.
• Phillip R. Fleitz, aka Strife, 31, of Indianapolis.
• Dewayne Watts, aka m3t4lh34d aka metal, 28, of Hernando, Florida.
• Murtaza Saifuddin, aka rzor, 29, of Karachi, Sindh, Pakistan.
• Daniel Placek, aka Nocen aka Loki aka Juggernaut aka M1rr0r, 27, of Glendale, Wisconsin.
• Matjaz Skorjanc, aka iserdo aka serdo, 28, of Maribor, Slovenia.
• Florencio Carro Ruiz, aka NeTK aka Netkairo, 36, of Vizcaya, Spain.
• Mentor Leniqi, aka Iceman, 34, of Gurisnica, Slovenia.
• Rory Stephen Guidry, aka k@exploit.im, of Opelousas, Louisiana.

As of this morning, NASA's New Horizons spacecraft has flown by Pluto. Early images (here and here) are the best glimpses we have had of the dwarf planet. More detailed pictures are expected to be released this afternoon and over the next 16 months.

Update: New Horizons is expected to call home at 8:53 PM EDT.

Update: Contact with New Horizons re-established! Telemetry download has begun.

Update: New Horizons team unveils its first findings from the Pluto flypast – that briefing is on Wednesday at 3pm ET [sic] (8pm BST/Thursday 5am AEST) [updated at 14:59 UTC 15 July]

takyon writes:

According to the White House:

After many months [Ed: years?] of principled diplomacy, the P5+1 -- the United States, the United Kingdom, France, China, Russia and Germany -- along with the European Union, have achieved a long-term comprehensive nuclear deal with Iran that will verifiably prevent Iran from acquiring a nuclear weapon and ensure that Iran's nuclear program will be exclusively peaceful going forward.

Reported at BBC, NYT, Reuters, and everywhere else. President Obama spoke about the deal for 15 minutes this morning.

The deal has been praised by Syrian President Bashar Assad and slammed by the Israeli Prime Minister Benjamin Netanyahu.

Text of the "Joint Comprehensive Plan of Action."

Horse With Stripes writes:

The Wall Street Journal, Washington Post, Time and several other news sources are reporting that Ellen Pao is resigning as CEO of Reddit. Pao will be replaced by Steve Huffman, a Reddit co-founder and its first CEO.

Pao has had a stormy and controversial stint as interim chief executive officer of Reddit which culminated in a mass user protest in recent weeks, as previously reported on SN.

takyon writes:

Hacking Team has issued a statement confirming that its code and zero-day software vulnerabilities were leaked:

It is now apparent that a major threat exists because of the posting by cyber criminals of HackingTeam proprietary software on the Internet the night of July 6. HackingTeam's investigation has determined that sufficient code was released to permit anyone to deploy the software against any target of their choice.

Before the attack, HackingTeam could control who had access to the technology which was sold exclusively to governments and government agencies. Now, because of the work of criminals, that ability to control who uses the technology has been lost. Terrorists, extortionists and others can deploy this technology at will if they have the technical ability to do so.

Adobe has patched a security bug in flash, and Microsoft is working on a vulnerable kernel driver. Discussed at The Register and Motherboard.

The Intercept has detailed Hacking Team's demonstration to a Bangladesh "death squad," the use of Hacking Team software by the DEA to spy on all Colombian ISPs from the U.S. embassy in Bogota, and more. In one email, CEO David Vincenzetti unwittingly predicts the current fallout while warning employees not to leak the company's secrets: "Imagine this: a leak on WikiLeaks showing YOU explaining the evilest technology on earth! :-)" he wrote. "You will be demonized by our dearest friends the activists, and normal people will point their fingers at you."

Privacy International's Deputy Director Eric King has called the leaks "the equivalents of the Edward Snowden leaks for the surveillance industry." Nevertheless, Hacking Team plans to continue its operations. PhineasFisher, a hacker who penetrated Hacking Team's competitor Gamma International last year and leaked 40 GB of internal data, has claimed responsibility for this hack.

SGT CAPSLOCK writes:

Finland-based Jolla Oy, developer of the Linux-based Sailfish OS for mobile devices as well as the creator of their namesake Jolla Phone and the soon-to-be-released Jolla Tablet, have announced that it will be restructuring the company. As per their official press release [pdf], the company has placed former Chairman of Board Dr. Antti Saarnio as its new leader, while former CEO Tomi Pienimäki has been appointed to a position outside of the company.

The press release states that a new company will be created to continue their hardware business while Jolla Oy (referred to as Jolla Ltd. in the press release) will be focusing its attention solely toward developing and licensing Sailfish OS itself.

An Anonymous Coward wrote to inform us of a potential Bitcoin double-spend issue that has arisen. The incident's status page at bitcoin.org, Some Miners Generating Invalid Blocks, supplies a succinct summary:

Summary

Your bitcoins are safe if you received them in transactions confirmed before 2015-07-04 15:00 UTC.

However, there has been a problem with a planned upgrade. For bitcoins received later than the time above, confirmation scores are significantly less reliable then they usually are for users of certain software:

• Lightweight (SPV) wallet users should wait an additional 30 confirmations more than you would normally wait.
• Bitcoin Core 0.9.4 or earlier users should wait an additional 30 confirmations more than you would normally wait or upgrade to Bitcoin Core 0.10.2.
• Web wallet users should wait an additional 30 confirmations more than you would normally wait, unless you know for sure that your wallet is secured by Bitcoin Core 0.9.5 or later.
• Bitcoin Core 0.9.5 or later users are unaffected. (Note: upgrade to 0.10.2 is recommended due to denial-of-service vulnerabilities unrelated to this alert.)

[More after the break.]

They made it to Hawaii

An Anonymous Coward writes:

A plane powered by the sun's rays has landed in Hawaii after a record-breaking five-day journey across the Pacific Ocean from Japan.

http://westhawaiitoday.com/news/state-wire/solar-powered-plane-lands-hawaii-after-flight-japan

Solar Impulse Plane Lands in Hawaii

Phoenix666 writes:

Solar Impulse, the aeroplane that is powered only by the sun, has landed in Hawaii after making a historic 7,200km flight across the Pacific from Japan. Pilot Andre Borschberg brought the vehicle gently down on to the runway of Kalaeloa Airport at 05:55 local time (15:55 GMT; 16:55 BST).

The distance covered and the time spent in the air - 118 hours - are records for manned, solar-powered flight. The duration is also an absolute record for a solo, un-refuelled journey. Mr Borschberg's time betters that of the American adventurer Steve Fossett who spent 76 hours aloft in a single-seater jet in 2006.

Despite being in the cockpit for so long, the Swiss pilot told the BBC that he did not feel that tired: "Interestingly, not really. "I am also astonished. We got so much support during the flight from so many people; it gave me so much energy."

Pretty amazing feat. Not only the longest solo flight, but also without burning a drop of fuel.

DECbot writes:

To add to the other Greece Breaking News story (Greece Defaults, Still Wants Bailout)....

The Ars Writes:
Thom Feeney, a London shoe shop worker who started a campaign to raise €1.6 billion (that's US $1.78 billion). Feeney's IndieGoGo campaign, started just two days ago, has already raised an astonishing €478,575 (or $533,010) from more than 30,000 people.

"All this dithering over Greece is getting boring," Feeney wrote on his IndieGoGo page. "Why don't we the people just sort it instead?" He added that to come up with the €1.6 billion, every member of Europe would only have to give €3 each (well, technically you'd only need to collect from members of the European Union; that's not even counting any potentially generous Swiss or Norwegian people.)

The campaign has six days left to raise money. If €1.6 billion isn't raised, all the donors will get back their money.

This afternoon, the International Monetary Fund (IMF) declared that Greece was officially in arrears, but it has not yet declared that Greece is in default. Technically, the IMF could offer Greece an extension of its debt repayment obligation. On July 5, the country will hold a national referendum on whether to sign a deal demanding even stricter austerity from the nation.

But, if Europeans all chip in, maybe we can just put this silly bailout business behind us.

takyon writes:

Elon Musk's SpaceX rocket explodes:

A SpaceX Falcon 9 rocket bound for the International Space Station exploded a couple of minutes after lift off Sunday morning. It was the third cargo mission to the space station to be lost in recent months.

SpaceX tweeted: "The vehicle experienced an anomaly on ascent. Team is investigating. Updates to come."

NASA officials said it was not clear what caused the explosion. SpaceX was carrying more than 4,000 pounds of food and supplies to the space station, where American Scott Kelly is spending a year in space. The failure follows two earlier mishaps. An Orbital Antares rocket blew up in October, and then a Russian Progress 59 spun out of control after reaching orbit. Before the launch, Stephanie Schierholz, a NASA spokeswoman, said that the station had plenty of supplies on board and that the crew would be fine even if there was another failure.

@SpaceX on Twitter, The Guardian, The Register

Pre-launch article: Elon Musk's SpaceX is on a roll, but here's why the pressure is really on

FakeBeldin writes:

Security researchers of the security group at the Free University of Amsterdam found a hole in Android. The scoop in Dutch - news is 10hrs old at time of writing, I didn't find an English source yet. Heck, the university hasn't even put out a press release, even though this is currently making a splash in the Dutch news.

In short, the researchers hacked the user's (desktop) browser and then installed (via this browser) a malicious app on the phone.This gave them basically full control over the phone: turning camera on/off, replacing installed apps with malicious versions, intercepting text messages, etc. In fact, they used this to reduce a common version of two-factor authentication (know password and have phone) to only one factor: they managed to intercept verification codes (text messages) sent by a bank.

The problem is not in a specific version of Android, but in the deep integration between Google's websites and Android. Google has been made aware of the problems late 2014, but has yet to publicly reply.