DNS Cache Poisoning, the Internet Attack From 2008, Is Back From the Dead Slashdot by BeauHD on security (cached at November 12, 2020, 11:06 pm)

An anonymous reader quotes a report from Ars Technica: In 2008, researcher Dan Kaminsky revealed one of the more severe Internet security threats ever: a weakness in the domain name system that made it possible for attackers to send users en masse to imposter sites instead of the real ones belonging to Google, Bank of America, or anyone else. With industrywide coordination, thousands of DNS providers around the world installed a fix that averted this doomsday scenario. Now, Kaminsky's DNS cache poisoning attack is back. Researchers on Wednesday presented a new technique that can once again cause DNS resolvers to return maliciously spoofed IP addresses instead of the site that rightfully corresponds to a domain name.

On Wednesday, researchers from Tsinghua University and the University of California, Riverside presented a technique that, once again, makes cache poisoning feasible. Their method exploits a side channel that identifies the port number used in a lookup request. Once the attackers know the number, they once again stand a high chance of successfully guessing the transaction ID.

The side channel in this case is the rate limit for ICMP, the abbreviation for the Internet Control Message Protocol. To conserve bandwidth and computing resources, servers will respond to only a set number of requests from other servers. After that, servers will provide no response at all. Until recently, Linux always set this limit to 1,000 per second.

To exploit this side channel, the new spoofing technique floods a DNS resolver with a high number of responses that are spoofed so they appear to come from the name server of the domain they want to impersonate. Each response is sent over a different port. When an attacker sends a response over the wrong port, the server will send a response that the port is unreachable, which drains the global rate limit by one. When the attacker sends a request over the right port, the server will give no response at all, which doesn't change the rate limit counter. If the attacker probes 1,000 different ports with spoofed responses in one second and all of them are closed, the entire rate limit will be drained completely. If, on the other hand, one out of the 1,000 ports is open, then the limit will be drained to 999. Subsequently, the attacker can use its own non-spoofed IP address to measure the remaining rate limit. And if the server responds with one ICMP message, the attacker knows one of the previously probed 1,000 ports must be open and can further narrow down to the exact port number.

Linux kernel developers responded by introducing a change that causes the rate limit to randomly fluctuate between 500 and 2,000 per second, preventing the new technique from working. Cloudflare also introduced a fix where its DNS service will fall back to TCP, "which is much more difficult to spoof," reports Ars. The researchers' press release is available here.

Read more of this story at Slashdot.
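The counter behaviour described in the report above can be modelled offline to show why the kernel change removes the signal. This is an added simulation, not code from the article, the researchers or the Linux kernel; the port numbers are constructed, and drawing the randomized limit uniformly once per second is an assumption of the model.

```python
import random

FIXED_LIMIT = 1000               # per-second global ICMP limit the report gives for older Linux
RANDOMIZED_RANGE = (500, 2000)   # range the report gives for the kernel change


def reply_to_check_probe(batch, open_ports, limit):
    """Model one second of a global ICMP rate limiter.

    Each probe in `batch` that hits a closed port costs one token (a port
    unreachable message); a probe that hits an open port costs nothing.
    Returns True if a token is left to answer one further check probe sent
    to a closed port from the observer's own address.
    """
    closed_hits = sum(1 for port in batch if port not in open_ports)
    return limit - closed_hits > 0


def fixed_limit(rng):
    return FIXED_LIMIT


def randomized_limit(rng):
    # Assumption: the fluctuating limit is modelled as a uniform draw per second.
    return rng.randint(*RANDOMIZED_RANGE)


def inference_accuracy(draw_limit, trials=2000, seed=1):
    """Fraction of trials in which 'a reply came back' correctly predicts
    'the batch of 1,000 ports contained the open port'."""
    rng = random.Random(seed)
    batch = range(40000, 41000)                       # constructed batch of 1,000 ports
    correct = 0
    for _ in range(trials):
        in_batch = rng.random() < 0.5
        open_ports = {40123} if in_batch else {50000}  # constructed port numbers
        guess = reply_to_check_probe(batch, open_ports, draw_limit(rng))
        correct += (guess == in_batch)
    return correct / trials


if __name__ == "__main__":
    print("fixed limit     :", inference_accuracy(fixed_limit))
    print("randomized limit:", inference_accuracy(randomized_limit))
```

With the fixed limit the reply is a perfect predictor of the port state; with the randomized limit it tracks the hidden limit instead and is right about half the time.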

Home exercise in winter Scripting News (cached at November 12, 2020, 11:04 pm)

I have plenty of ways to get exercise in the summer, but winter has been a challenge. I don't like riding a stationary bike, I tried mounting my street bike on a Zwift device, and yuk, I didn't like the simulated racing, I don't ride competitively. And the street scenes were primitive. Unlike my regular real-world rides I always was impatient for the exercise to be over. When I'm riding outdoors, I feel very differently.

A friend suggested getting a rowing machine, and somehow that seemed better. But when I looked into the devices I started feeling it might be the same.

We just had five unusually warm November days, I rode all of them, outdoors, and was thinking that the difference may be the feel of the ride. Real bike rides you almost never are straight up and down. You lean one way then another, and shift your weight to different sides. Maybe that's the diff. Then I saw an ad for this Bowflex bike that leans! It looks in the video like it may be more fun to ride.

I posted a bit about this on Twitter. Megan McCarthy sent a pointer to a review of the category and a specific bike I asked about. I might get a Peloton, but it seems I might not have it until January. I'd like to start riding daily asap. But I'm concerned I'm going to spend a lot more money and still not have something I want to use.

[no title] Scripting News (cached at November 12, 2020, 11:04 pm)

The difference in quality between the two groups of Georgia senate candidates, Dem and Repub, is like night and day. The Dems will use the power of the US government to be sure the Georgians get through the winter of the pandemic in as good shape as possible. The Repubs will not. It's really simple. And when they save the lives of thousands of Georgians, they will also be saving the lives of many thousands of people in every other state of the union. That's power! Thanks in advance to Georgia for helping us out. We won't forget.

[no title] Scripting News (cached at November 12, 2020, 11:04 pm)

Trump is firing the people who protect the country. I wonder if that's because some other country is going to attack us.

Commerce Department Announces Stay of TikTok Shutdown Order Slashdot by msmash on usa (cached at November 12, 2020, 10:36 pm)

The Commerce Department said Thursday that it won't enforce its order that would have effectively forced the Chinese-owned TikTok video-sharing app to shut down, citing a federal court ruling in Philadelphia. From a report: The department's action delays implementation of a regulation, set to take effect Thursday, that would have barred U.S. companies such as Apple from offering TikTok as a mobile app, and companies including Amazon.com and Alphabet from offering web-hosting service for TikTok -- moves that would effectively make it inoperable. In making its decision, the Commerce Department cited a preliminary injunction against the shutdown last month by U.S. District Judge Wendy Beetlestone in Philadelphia in a suit brought by three TikTok stars: comedian Douglas Marland, fashion guru Cosette Rinab and musician Alex Chambers. The Commerce Department statement said that the shutdown order won't go into effect "pending further legal developments." In the Philadelphia case, Judge Beetlestone said the government action "presents a threat to the 'robust exchange of informational materials'" and therefore likely exceeds the government's authority under the International Emergency Economic Powers Act, the law the Trump administration has relied on to take action against TikTok. Two other court cases are pending. TikTok has filed its own request for an injunction for the shutdown in a case before U.S. District Judge Carl Nichols in Washington.


Samsung Announces Exynos 1080 -- 5nm Premium-Range SoC with A78 Cores Slashdot by msmash on hardware (cached at November 12, 2020, 10:06 pm)

Samsung LSI today announced the new Exynos 1080 SoC, a successor to last year's Exynos 980. This year's 1080 is seemingly positioned a little above the 980 in terms of performance as we're seeing some quite notable gains in features compared to the 980. From a report: It's to be remembered that this is a "premium" SoC, meaning it's not a flagship SoC, but it's also not quite a mid-range SoC, fitting itself in-between those two categories, a niche which has become quite popular over the last 1-2 years. The new SoC is defined by having a new 1+3+4 CPU configuration, a reasonably large GPU, and full 5G connectivity integrated, and is the first publicly announced SoC to be manufactured on Samsung's new 5LPE process node. On the CPU side of things, this is the first time we've seen Samsung adopt a 1+3+4 CPU configuration, now adopting the Cortex-A78 architecture on the part of the performance cores. One core is clocked at 2.8GHz while the three others are running at 2.6GHz. Qualcomm had first introduced such a setup and it seems it's become quite popular as it gives the benefit of both performance and power efficiency. The four big cores are accompanied by four Cortex-A55 cores at 2.0GHz.


Covid: Car use down as second lockdown takes effect BBC News | Science/Nature | UK Edition (cached at November 12, 2020, 10:00 pm)

But the roads are much busier than during the first lockdown, new government figures show.

Report: Swiss Government Long in Dark Over CIA Front Company Slashdot by msmash on security (cached at November 12, 2020, 9:36 pm)

The Swiss intelligence service has known since at least 1993 that Switzerland-based encryption device maker Crypto AG was actually a front for the CIA and its German counterpart, according to a new report released by the Swiss Parliament, but Swiss leaders were in the dark until last year. From a report: Switzerland's intra-governmental information gap is unlikely to be welcome news in Europe, which already looks warily upon the U.S.' expansive surveillance practices. Still, Crypto AG provided information of incalculable value to U.S. policymakers over many decades. Crypto AG was controlled from 1970 on by the CIA and the West German BND intelligence agency. It sold encryption devices -- often employed in diplomatic communications -- that were used by over 120 countries through the 2000s.


China's President Xi Jinping Personally Pulled Plug on Jack Ma's Ant IPO Slashdot by msmash on china (cached at November 12, 2020, 8:36 pm)

Chinese President Xi Jinping personally made the decision to halt the initial public offering of Ant Group, which would have been the world's biggest, after controlling shareholder Jack Ma infuriated government leaders, WSJ reported Thursday, citing Chinese officials with knowledge of the matter. From the report: The rebuke was the culmination of years of tense relations between China's most celebrated entrepreneur and a government uneasy about his influence and the rapid growth of the digital-payments behemoth he controlled. Mr. Xi, for his part, has displayed a diminishing tolerance for big private businesses that have amassed capital and influence -- and are perceived to have challenged both his rule and the stability craved by factions in the country's newly assertive Communist Party. In a speech on Oct. 24, days before the financial-technology giant was set to go public, Mr. Ma cited Mr. Xi's words in what top government officials saw as an effort to burnish his own image and tarnish that of regulators, these people said. At the event in Shanghai, Mr. Ma, the country's richest man, quoted Mr. Xi saying, "Success does not have to come from me." As a result, the tech executive said, he wanted to help solve China's financial problems through innovation. Mr. Ma bluntly criticized the government's increasingly tight financial regulation for holding back technology development, part of a long-running battle between Ant and its overseers.


macOS Big Sur is Now Available To Download Slashdot by msmash on mac (cached at November 12, 2020, 8:06 pm)

Apple on Thursday released the latest version of macOS: macOS Big Sur (also known as macOS 11.0), which is available to download now -- assuming you have a compatible Mac. From a report: Big Sur is one of the biggest updates to Apple's laptop and desktop software in years, featuring a top-to-bottom redesign of the interface, icons, and menu bar, a new control center UI borrowed from iOS, widgets (also borrowed from iOS), and a variety of other improvements (see here for the full list). It's such a big change that Apple is actually moving on from the OS X / OS 10 branding that it's been using for Macs for almost 20 years. Apple's also adding some new privacy-focused features, including better tracking information in Safari and new privacy data in the Mac App Store for any apps you download. ArsTechnica has published a comprehensive review of the new operating system. An excerpt from their conclusion:

The Good: The bright, fresh visual style mostly looks pretty good. The Control Center (and other changes to the upper-right section of the Menu Bar) are genuinely useful additions. The Messages app finally catches up to its iOS/iPadOS counterpart, thanks to Catalyst. The APFS version of Time Machine seems like an improvement, though we'll need to wait to see what its long-term reliability is like. Aside from the old AFP file-sharing protocol and the Network Utility, Big Sur doesn't remove too many things or add many new security settings that will break apps. There may be some visual issues, but my experience has actually been that Apple breaks a lot fewer apps moving from Catalina to Big Sur than it did moving from Mojave to Catalina.

The Bad: A general reduction in contrast makes it harder to discern the difference between many buttons and controls at a glance. If you want to fix any of these contrast issues in the Accessibility settings, it should be possible to increase contrast or reduce transparency in certain places without making it an all-or-nothing setting. Some of the new buttons and icons are nice. Some of them are less nice. Big Sur on Apple Silicon Macs will give up the ability to run Windows in a virtual machine or on a separate partition, though Intel Macs can still do both things.

The Ugly: As usual, Apple is just a year or two more aggressive about dropping support for old Macs than I think they really need to be.


Python Creator Guido van Rossum Joins Microsoft Slashdot by msmash on python (cached at November 12, 2020, 7:06 pm)

Guido van Rossum, the creator of the Python programming language, today announced that he has unretired and joined Microsoft's Developer Division. From a report: Van Rossum, who was last employed by Dropbox, retired last October after six and a half years at the company. Clearly, that retirement wasn't meant to last. At Microsoft, van Rossum says, he'll work to "make using Python better for sure (and not just on Windows)." A Microsoft spokesperson told us that the company also doesn't have any additional details to share but confirmed that van Rossum has indeed joined Microsoft. "We're excited to have him as part of the Developer Division. Microsoft is committed to contributing to and growing with the Python community, and Guido's on-boarding is a reflection of that commitment," the spokesperson said.


Includes in Little Outliner Scripting News (cached at November 12, 2020, 7:04 pm)

A few days ago a user asked that LO2 support "includes." I did a little investigating, and found that it already supports them. So I thought it might be a good idea to explain what they are and how they work, maybe other people will find it interesting and/or useful.

The idea comes from the C programming language. It had the ability to include one file in another. When you included a file, it was as if its text was present in the file doing the including. The C compiler couldn't tell the difference.

This is what a C include statement looks like.

In an outliner it works similarly. A node is an include if it has a type attribute with the value include, and a url attribute that points to an OPML file with the outline to be included.

When you expand an include in LO2, the text from the included outline is expanded below the node. You can edit the text, but none of the edits will be saved to the included file. You should think of it as read-only, even though LO2 doesn't enforce that.

Here's an outline that opens in LO2 that illustrates.

Singapore To Introduce New Visa to Draw Top Global Tech Talent Slashdot by msmash on business (cached at November 12, 2020, 6:36 pm)

Singapore is rolling out the red carpet for top talent, launching a program to initially attract 500 individuals with a proven track record of contributing to the global technology ecosystem. From a report: Under the so-called Tech.Pass program, qualified individuals will be able to secure a new type of visa allowing them to start and operate more than one company and become an investor, consultant or mentor for local startups, according to the Economic Development Board. This offers more flexibility than current government regulations, which require companies to sponsor an employment pass for talent they want to bring in. The two-year visa isn't designed for mid-tier tech workers who might compete with locals for jobs, a political issue that has prompted the government to tighten its framework for issuing employment passes to foreigners this year. It's targeted at highly accomplished entrepreneurs and technical experts who can bring in capital, networks and knowhow, as Singapore aims to become the region's technology and innovation hub.


Includes in LO2 Scripting News (cached at November 12, 2020, 6:34 pm)

A few days ago a user asked that LO2 support "includes." I did a little investigating, and found that it already supports them. So I thought it might be a good idea to explain what they are and how they work.

The idea comes from the C programming language that I used for many years. It had the ability to include one file in another. When you included a file, it was as if its text was present in the file doing the including. The C compiler couldn't tell the difference.

This is what a C include statement looks like.

In an outliner it works similarly. A node is an include if it has a type attribute with the value include, and a url attribute that points to an OPML file with the outline to be included.

When you expand an include in LO2, the text from the included outline is expanded below the include node. You can edit the text, but none of the edits will be saved to the included file. You should think of it as read-only, even though LO2 doesn't enforce that.

Here's an outline that opens in LO2 that illustrates.

Stripe, Mozilla, Dropbox, Spotify, Others Form Tech 'Challenger Group' To Sway Europ Slashdot by msmash on business (cached at November 12, 2020, 6:06 pm)

Mark Di Stefano, reporting for The Information (paywalled): A few years back, two Brussels-based lobbyists from midsize tech companies were out for drinks, and in the course of the conversation they realized they had a common problem. Google, Amazon, Apple and Facebook were sucking all of the oxygen out of European debates about regulating the internet, leaving out the voices of smaller companies -- despite the fact that those policies can have a very different impact on them. The European lobbyists and policy officers from other companies -- a motley array that included Mozilla, Stripe, Transferwise, Etsy, Dropbox and Spotify -- began meeting regularly in Brussels, often in bars and restaurants, to share their experiences, according to two people familiar with the matter. Some of them jokingly referred to the outings, which haven't been previously reported, as "whine and dines." The companies, which have continued to gather during the pandemic over video calls, even have a name for their informal network, the two people said: the challenger group. "It was really soothing to meet up with other companies doing the same thing," Raegan MacDonald, policy chief of Mozilla, said during an interview with The Information. "We finally said, let's do stuff together.... The work together has been helpful and fruitful, not just cathartic." While members of the group won't say much about what that "stuff" is exactly, one of their priorities is having a voice in the upcoming overhaul of internet regulations in Europe, the biggest since the early 2000s. The European Commission -- the executive branch of the European Union, responsible for its legislation and policies -- plans to release the first drafts of this overhaul in the coming weeks, which will introduce sweeping new powers for competition regulators to intervene in tech markets.
