Software

Is Project Management Killing Good Products, Teams and Software? (techbeacon.com) 129

New submitter mikeatTB writes: "For software development, no significant developer activity is predictable or repetitive; if it were, the developers would have automated it already," writes Steven A. Lowe, Principal Consultant Developer at ThoughtWorks, via TechBeacon. "In addition, learning is essentially a nonlinear process; it involves trying things that don't work in order to discover what does work. You might see linear progress for a while, but you don't know what you don't know, so there will be apparent setbacks. It is from these setbacks that one learns the truth about the system -- what is really needed to make it work, to make it usable, and to make a difference for the users and the business. In other words, the dirty little secret of software development is that projects don't really exist. And they're killing our products, teams, and software." Lowe continues: "Projects, with respect to software development, are imaginary boxes drawn around scope and time in an attempt to 'manage' things. This tendency is understandable, given the long fascination with so-called scientific management (a.k.a. Taylorism, a.k.a. Theory X), but these imaginary boxes do not reduce underlying complexity. On the contrary, they add unnecessary complexity and friction and invite a counterproductive temptation to focus on the box instead of the problem or product. This misplaced emphasis leads to some harmful delusions: Conformance to schedule is the same thing as success; Estimation accuracy is possible and desirable enough to measure and optimize for; The plan is perfect and guarantees success; The cost of forming and dissolving teams is zero; The cost of functional silo hand-offs is zero; The bigger and more comprehensive the plan, the better; Predictability and efficiency are paramount."
Censorship

China Blocks WhatsApp (theverge.com) 91

An anonymous reader quotes a report from The Verge: China has blocked WhatsApp, security experts confirmed today to The New York Times (Warning: source may be paywalled). Over the past few months, WhatsApp has experienced brief disruptions to service, with users unable to send video chats or photos. Now, even text messages are completely blocked, according to Nadim Kobeissi, an applied cryptographer at Symbolic Software, a Paris-based research firm that also monitors digital censorship in China. Kobeissi found that China may have recently upgraded its firewall to detect and block the NoiseSocket protocol that WhatsApp uses to send texts, in addition to already blocking the HTTPS/TLS that WhatsApp uses to send photos and videos. He said, "I think it took time for the Chinese firewall to adapt to this new protocol so that it could also target text messages." His company noticed the app disruptions beginning last Wednesday.
Security

Deloitte Hit By Cyber-attack Revealing Clients' Secret Emails (theguardian.com) 46

Accounting firm Deloitte confirmed on Monday it had suffered a cyberattack. From a report: One of the world's "big four" accountancy firms has been targeted by a sophisticated hack that compromised the confidential emails and plans of some of its blue-chip clients, the Guardian can reveal (the company has since confirmed the breach). Deloitte, which is registered in London and has its global headquarters in New York, was the victim of a cybersecurity attack that went unnoticed for months. One of the largest private firms in the US, which reported a record $37bn revenue last year, Deloitte provides auditing, tax consultancy and high-end cybersecurity advice to some of the world's biggest banks, multinational companies, media enterprises, pharmaceutical firms and government agencies. The Guardian understands Deloitte clients across all of these sectors had material in the company email system that was breached. The companies include household names as well as US government departments
Security

DDoS Attacks Will Now Be 'Something You Only Read About In The History Books', Says Cloudflare CEO (vice.com) 95

Louise Matsakis, writing for Motherboard: Cloudflare, a major internet security firm, is on a mission to render distributed denial-of-service (DDoS) attacks useless. The company announced Monday that every customer -- including those who only use its free services -- will receive a new feature called Unmetered Mitigation, which protects against every DDoS attack, regardless of its size. Cloudflare believes the move is set to level the internet security playing field: Now every website will be able to fight back against DDoS attacks for free. "The standard practice in the industry for some time has been to charge more if you come under attack," Matthew Prince, the CEO of Cloudflare, told me on a phone call last week. Firms often "fire you as a customer if you're not sort of paying enough and you get a large attack," he explained. "That's kind of gross."
Desktops (Apple)

Apple Releases macOS High Sierra; Ex-NSA Hacker Publishes Zero-Day 51

Apple today released the newest version of its operating system for Macs, macOS High Sierra, to the public. macOS High Sierra is a free download, and offers a range of new features and improvements including the new Apple File System, and support for High Efficiency Video Encoding (HEVC) for better compression without loss of quality, and HEIF for smaller photo sizes. Zack Whittaker, reporting for ZDNet: Patrick Wardle, a former NSA hacker who now serves as chief security researcher at -- Synack, posted a video of the hack -- a password exfiltration exploit -- in action. Passwords are stored in the Mac's Keychain, which typically requires a master login password to access the vault. But Wardle has shown that the vulnerability allows an attacker to grab and steal every password in plain-text using an unsigned app downloaded from the internet, without needing that password.
Bug

iOS 11 Is Causing Massive Battery Drain Problems (betanews.com) 147

Mark Wilson writes: A study conducted by security research firm Wandera shows that iOS 11 is causing iPhone and iPad batteries to drain faster than ever -- much faster. The difference between iOS 10 and iOS 11 is anything but minor; batteries can drain in half the amount of time following the upgrade. Wandera's report shows how, on average, an iPhone or iPad running iOS 10 takes 240 minutes of usage to drain the battery from 100 percent to zero. With iOS 11 installed, this number plummets to just 96 minutes -- over twice as fast. Users have also complained about the issue.
Education

Chicago School Official: US IT Jobs Offshored Because 'We Weren't Making Our Own' Coders 255

theodp writes: In a slick new video, segments of which were apparently filmed looking out from Google's Chicago headquarters giving it a nice high-tech vibe, Chicago Public Schools' CS4ALL staffers not-too-surprisingly argue that creating technology is "a power that everyone needs to have."

In the video, the Director of Computer Science and IT Education for the nation's third largest school district offers a take on why U.S. IT jobs were offshored that jibes nicely with the city's new computer science high school graduation requirement. From the transcript: "People still talk about it's all offshored, it's all in India and you know, there are some things that are there but they don't even realize some of the reasons that they went there in the first place is because we weren't making our own."
Security

ARM TrustZone Hacked By Abusing Power Management (acolyer.org) 59

"This is brilliant and terrifying in equal measure," writes the Morning Paper. Long-time Slashdot reader phantomfive writes: Many CPUs these days have DVFS (Dynamic Voltage and Frequency Scaling), which allows the CPU's clockspeed and voltage to vary dynamically depending on whether the CPU is idling or not. By turning the voltage up and down with one thread, researchers were able to flip bits in another thread. By flipping bits when the second thread was verifying the TrustZone key, the researchers were granted permission. If number 'A' is a product of two large prime numbers, you can flip a few bits in 'A' to get a number that is a product of many smaller numbers, and more easily factorable.
"As the first work to show the security ramifications of energy management mechanisms," the researchers reported at Usenix, "we urge the community to re-examine these security-oblivious designs."
Security

Experian Criticized Over Credit-Freeze PIN Security and 'Dark Web' Scans (theverge.com) 65

Security researcher Brian Krebs complains that Experian's identity-protecting credit freezes are easily unfrozen online. An anonymous reader quotes the Verge: Experian makes it easy to undo a credit freeze, resetting a subject's PIN through an easily accessible account recovery page. That page only asks for a person's name, address, date of birth, and Social Security number...data [that] was compromised in the Equifax breach, as well as other breaches, so we can probably assume hackers possess this information. After entering that data, attackers then just have to enter an email address -- any email -- and answer a few security questions.

That might not jump out as insecure; security questions exist for a reason. But the questions themselves are easy to answer, particularly if you know how to use the internet and a search bar. Krebs says sample questions include asking users to identify cities where they've previously lived and the people that resided with them. Much of that information is available through a person's own social media accounts, search engines, or Yellow Pages-like databases, including Spokeo and Zillow... In response to Krebs' report, Experian claims that it goes beyond the measures identified to authenticate users. "While we do not disclose those additional processes," said the company in a statement, "they include a broad array of checks that are not visible to the consumer."

Meanwhile, the Los Angeles Times reports that Experian is also advertising a "free scan of the dark Web" which actually binds anyone who accepts it to their 17,600-word terms of service, as well as acceptance of "advertisements or offers" from financial products companies -- plus "an arbitration clause preventing you from suing the company" which a spokesperson acknowledges could remain in effect for several years.
Programming

Do Strongly Typed Languages Reduce Bugs? (acolyer.org) 413

"Static vs dynamic typing is always one of those topics that attracts passionately held positions," writes the Morning Paper -- reporting on an "encouraging" study that attempted to empirically evaluate the efficacy of statically-typed systems on mature, real-world code bases. The study was conducted by Christian Bird at Microsoft's "Research in Software Engineering" group with two researchers from University College London. Long-time Slashdot reader phantomfive writes: This study looked at bugs found in open source Javascript code. Looking through the commit history, they enumerated the bugs that would have been caught if a more strongly typed language (like Typescript) had been used. They found that a strongly typed language would have reduced bugs by 15%.

Does this make you want to avoid Python?

Iphone

Hackers Using iCloud's Find My iPhone Feature To Remotely Lock Macs, Demand Ransom Payments (macrumors.com) 61

AmiMoJo shares a report from Mac Rumors: Over the last day or two, several Mac users appear to have been locked out of their machines after hackers signed into their iCloud accounts and initiated a remote lock using Find My iPhone. With access to an iCloud user's username and password, Find My iPhone on iCloud.com can be used to "lock" a Mac with a passcode even with two-factor authentication turned on, and that's what's going on here. Affected users who have had their iCloud accounts hacked are receiving messages demanding money for the passcode to unlock a locked Mac device. The usernames and passwords of the iCloud accounts affected by this "hack" were likely found through various site data breaches and have not been acquired through a breach of Apple's servers. Impacted users likely used the same email addresses, account names, and passwords for multiple accounts, allowing people with malicious intent to figure out their iCloud details.
Google

Google Experiment Tests Top 5 Browsers, Finds Safari Riddled With Security Bugs (bleepingcomputer.com) 105

An anonymous reader writes from a report via Bleeping Computer: The Project Zero team at Google has created a new tool for testing browser DOM engines and has unleashed it on today's top five browsers, finding most bugs in Apple's Safari. Results showed that Safari had by far the worst DOM engine, with 17 new bugs discovered after Fratric's test. Second was Edge with 6, then IE and Firefox with 4, and last was Chrome with only 2 new issues. The tests were carried out with a new fuzzing tool created by Google engineers named Domato, also open-sourced on GitHub. This is the third fuzzing tool Google creates and releases into open-source after OSS-Fuzz and syzkaller. Researchers focused on testing DOM engines for vulnerabilities because they expect them to be the next target for browser exploitation after Flash reaches end-of-life in 2020.
Security

Adobe Security Team Accidentally Posts Private PGP Key On Blog (arstechnica.com) 60

A member of Adobe's Product Security Incident Response Team (PSIRT) accidentally posted the PGP keys for PSIRT's email account -- both the public and the private keys. According to Ars Technica, "the keys have since been taken down, and a new public key has been posted in its stead." From the report: The faux pas was spotted at 1:49pm ET by security researcher Juho Nurminen. Nurminen was able to confirm that the key was associated with the psirt@adobe.com e-mail account. To be fair to Adobe, PGP security is harder than it should be. What obviously happened is that a PSIRT team member exported a text file from PSIRT's shared webmail account using Mailvelope, the Chrome and Firefox browser extension, to add to the team's blog. But instead of clicking on the "public" button, the person responsible clicked on "all" and exported both keys into a text file. Then, without realizing the error, the text file was cut/pasted directly to Adobe's PSIRT blog.
Privacy

Passwords For 540,000 Car Tracking Devices Leaked Online (thehackernews.com) 33

An anonymous reader quotes a report from The Hacker News: Login credentials of more than half a million records belonging to vehicle tracking device company SVR Tracking have leaked online, potentially exposing the personal data and vehicle details of drivers and businesses using its service. Just two days ago, Viacom was found exposing the keys to its kingdom on an unsecured Amazon S3 server, and this data breach is yet another example of storing sensitive data on a misconfigured cloud server. The Kromtech Security Center was first to discover a wide-open, public-facing misconfigured Amazon Web Server (AWS) S3 cloud storage bucket containing a cache belonging to SVR that was left publicly accessible for an unknown period. Stands for Stolen Vehicle Records, the SVR Tracking service allows its customers to track their vehicles in real time by attaching a physical tracking device to vehicles in a discreet location, so their customers can monitor and recover them in case their vehicles are stolen. The leaked cache contained details of roughly 540,000 SVR accounts, including email addresses and passwords, as well as users' vehicle data, like VIN (vehicle identification number), IMEI numbers of GPS devices. The leaked database also exposed 339 logs that contained photographs and data about vehicle status and maintenance records, along with a document with information on the 427 dealerships that use SVR's tracking services.
Security

Major Cyber-Attack Will Happen Soon, Warns UK's Security Boss (theguardian.com) 66

Alex Hern, writing for The Guardian: A "category one" cyber-attack, the most serious tier possible, will happen "sometime in the next few years", a director of the National Cybersecurity Centre has warned. According to the agency, which reports to GCHQ and has responsibly for ensuring the UK's information security, a category one cybersecurity incident requires a national government response. Speaking at an event about the next decade of information security, Levy warned that "sometime in the next few years we're going to have our first category one cyber-incident." The only way to prevent such a breach, he said, was to change the way businesses and governments think about cybersecurity. Rather than obsessing about buying the right security products, Levy argued, organisations should instead focus on managing risk: understanding the data they hold, the value it has, and how much damage it could do if it was lost, for instance.
Iphone

'Dear Apple, The iPhone X and Face ID Are Orwellian and Creepy' (hackernoon.com) 440

Trent Lapinski from Hacker Noon writes an informal letter to Apple, asking "who the hell actually asked for Face ID?" and calling the iPhone X and new face-scanning security measure "Orwellian" and "creepy": For the company that famously used 1984 in its advertising to usher in a new era of personal computing, it is pretty ironic that 30+ years later they would announce technology that has the potential to eliminate global privacy. I've been waiting 10-years since the first iPhone was announced for a full-screen device that is both smaller in my hand but has a larger display and higher capacity battery. However, I do not want these features at the cost of my privacy, and the privacy of those around me. While the ease of use and user experience of Face ID is apparent, I am not questioning that, the privacy concerns are paramount in today's world of consistent security breaches. Given what we know from Wikileaks Vault7 and the CIA / NSA capabilities to hijack any iPhone, including any sensor on the phone, the very thought of handing any government a facial ID system for them to hack into is a gift the world may never be able to return. Face ID will have lasting privacy implications from 2017 moving forward, and I'm pretty sure I am not alone in not wanting to participate.

The fact of the matter is the iPhone X does not need Face ID, Apple could have easily put a Touch ID sensor on the back of the phone for authentication (who doesn't place their finger on the back of their phone?). I mean imagine how cool it would be to put your finger on the Apple logo on the back of your iPhone for Touch ID? It would have been a highly marketable product feature that is equally as effective as Face ID without the escalating Orwellian privacy implications. [...] For Face ID to work, the iPhone X actively has to scan faces looking for its owner when locked. This means anyone within a several foot range of an iPhone X will get their face scanned by other people's phones and that's just creepy.

Encryption

Distrustful US Allies Force Spy Agency To Back Down In Encryption Fight (reuters.com) 104

schwit1 shares a report from Reuters: An international group of cryptography experts has forced the U.S. National Security Agency to back down over two data encryption techniques it wanted set as global industry standards, reflecting deep mistrust among close U.S. allies. In interviews and emails seen by Reuters, academic and industry experts from countries including Germany, Japan and Israel worried that the U.S. electronic spy agency was pushing the new techniques not because they were good encryption tools, but because it knew how to break them. The NSA has now agreed to drop all but the most powerful versions of the techniques -- those least likely to be vulnerable to hacks -- to address the concerns.
Security

Security Researchers Warn that Third-Party GO Keyboard App is Spying on Millions of Android Users (betanews.com) 65

An anonymous reader shares a report: Security researchers from Adguard have issued a warning that the popular GO Keyboard app is spying on users. Produced by Chinese developers GOMO Dev Team, GO Keyboard was found to be transmitting personal information about users back to remote servers, as well as "using a prohibited technique to download dangerous executable code." Adguard made the discovery while conducting research into the traffic consumption and unwanted behavior of various Android keyboards. The AdGuard for Android app makes it possible to see exactly what traffic an app is generating, and it showed that GO Keyboard was making worrying connections, making use of trackers, and sharing personal information. Adguard notes that there are two versions of the keyboard in Google Play which it claims have more than 200 million users in total.
Security

SEC Discloses Hackers Penetrated EDGAR, Profited in Trading (usatoday.com) 48

Chris Woodyard, writing for USA Today: Hackers made their way into the Security and Exchange Commission's EDGAR electronic filing system last year, retrieving private data that appear to have resulted in "an illicit gain through trading," the agency said. It was only in August that the commission learned that hackers may have been able to use their illegal activities to make ill-gotten gains through market trading, said Chairman Jay Clayton in a lengthy statement posted on the SEC's website. EDGAR, which stands for Electronic Data Gathering Analysis and Retrieval, is considered critical to the SEC's operation and the ability of investors to see the electronic filings of companies and markets. The SEC says about 50 million documents are viewed through EDGAR on a typical day. It receives about 1.7 million filings a year.
Security

The CCleaner Malware Fiasco Targeted at Least 20 Specific Tech Firms (wired.com) 149

An anonymous reader shares a report: Hundreds of thousands of computers getting penetrated by a corrupted version of an ultra-common piece of security software was never going to end well. But now it's becoming clear exactly how bad the results of the recent CCleaner malware outbreak may be. Researchers now believe that the hackers behind it were bent not only on mass infections, but on targeted espionage that tried to gain access to the networks of at least 20 tech firms. Earlier this week, security firms Morphisec and Cisco revealed that CCleaner, a piece of security software distributed by Czech company Avast, had been hijacked by hackers and loaded with a backdoor that evaded the company's security checks. It wound up installed on more than 700,000 computers. On Wednesday, researchers at Cisco's Talos security division revealed that they've now analyzed the hackers' "command-and-control" server to which those malicious versions of CCleaner connected. On that server, they found evidence that the hackers had attempted to filter their collection of backdoored victim machines to find computers inside the networks of 20 tech firms, including Intel, Google, Microsoft, Akamai, Samsung, Sony, VMware, HTC, Linksys, D-Link and Cisco itself. In about half of those cases, says Talos research manager Craig Williams, the hackers successfully found a machine they'd compromised within the company's network, and used their backdoor to infect it with another piece of malware intended to serve as a deeper foothold, one that Cisco now believes was likely intended for industrial espionage.

Slashdot Top Deals