DonationCoder.com
Best Of Blog

Wednesday October 15, 2014

Drupal Fixes Highly Critical SQL Injection Flaw

Quote
Drupal has patched a critical SQL injection vulnerability in version 7.x of the content management system that can allow arbitrary code execution. The flaw lies in an API that is specifically designed to help prevent against SQL injection attacks. "Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks," the Drupal advisory says. "A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks."

http://it-beta.slashdot.o...itical-sql-injection-flaw

posted by Stephen66515 - October 15, 2014, 09:58:00 PM


SSL broken, again, in POODLE attack

Quote
From the researchers that brought you BEAST and CRIME comes another attack against Secure Sockets Layer (SSL), one of the protocols that's used to secure Internet traffic from eavesdroppers both government and criminal.

Calling the new attack POODLE—that's "Padding Oracle On Downgraded Legacy Encryption"—the attack allows a man-in-the-middle, such as a malicious Wi-Fi hotspot or a compromised ISP, to extract data from secure HTTP connections. This in turn could let that attacker do things such as access online banking or e-mail systems. The flaw was documented by Bodo Möller, Thai Duong, and Krzysztof Kotowicz, all of whom work at Google. Thai Duong, working with Juliano Rizzo, described the similar BEAST attack in 2011 and the CRIME attack in 2012.

The attack depends on the fact that most Web servers and Web browsers allow the use of the ancient SSL version 3 protocol to secure their communications. Although SSL has been superseded by Transport Layer Security, it's still widely supported on both servers and clients alike and is still required for compatibility with Internet Explorer 6. SSLv3, unlike TLS 1.0 or newer, omits validation of certain pieces of data that accompany each message. Attackers can use this weakness to decipher an individual byte at a time of the encrypted data, and in so doing, extract the plain text of the message byte by byte.

As with previous attacks of this kind against SSL, the most vulnerable application is HTTP. An example attack scenario would work something like this. An adversary (typically in cryptography literature known as Mallory) sets up a malicious Wi-Fi hotspot. That Wi-Fi hotspot does two things. On non-secure HTTP connections, it injects a piece of JavaScript. And on secure HTTP connections, it intercepts the outgoing messages and reorganizes them.

http://arstechnica.com/se...en-again-in-poodle-attack

posted by app103 - October 15, 2014, 08:56:00 PM
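The difference in padding checks behind the quoted paragraph (SSLv3 validates only the trailing padding-length byte; TLS 1.0 validates every padding byte), written out as an added example that is not from the Ars article or the POODLE paper and is not code from any TLS library. It assumes AES-sized blocks, uses HMAC-SHA1 as a stand-in for the SSLv3 MAC, and omits the CBC encryption step, so each receiver rule runs directly on the decrypted record layout.

```python
import hmac
import hashlib

BLOCK = 16    # AES block size in bytes
MAC_LEN = 20  # SHA-1 output length
MAC_KEY = b"constructed-demo-mac-key"  # constructed, not a real session key
# Constructed sample request; the cookie is the kind of secret POODLE recovers.
SAMPLE = b"GET /account HTTP/1.1\r\nCookie: session=constructed\r\n\r\n"

def mac(data):
    # Stand-in MAC (HMAC-SHA1). SSLv3's real MAC construction differs, but like
    # TLS it covers the data only, never the padding, which is the point here.
    return hmac.new(MAC_KEY, data, hashlib.sha1).digest()

def build_plaintext(data):
    """Sender: data || MAC || padding || padding_length, a multiple of BLOCK.
    The CBC step is omitted; the receiver checks this layout after decryption."""
    body = data + mac(data)
    pad_len = (BLOCK - (len(body) + 1) % BLOCK) % BLOCK
    return body + bytes([pad_len] * pad_len) + bytes([pad_len])

def strip_padding(plaintext, version):
    """Receiver padding check: returns data || MAC, or None if it fails."""
    pad_len = plaintext[-1]
    if pad_len + 1 > len(plaintext):
        return None
    if version == "sslv3":
        # SSLv3: only the length byte is validated (must be < block size);
        # the padding bytes themselves are never inspected.
        if pad_len >= BLOCK:
            return None
    elif version == "tls10":
        # TLS 1.0: every padding byte must equal the padding length.
        if any(b != pad_len for b in plaintext[-(pad_len + 1):-1]):
            return None
    else:
        raise ValueError("unknown version: " + version)
    return plaintext[:-(pad_len + 1)]

def receive(plaintext, version):
    """Receiver: padding check, then MAC check; True means accepted."""
    body = strip_padding(plaintext, version)
    if body is None or len(body) < MAC_LEN:
        return False
    data, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    return hmac.compare_digest(mac(data), tag)

def corrupt_padding_bytes(plaintext):
    """Garble the padding bytes but keep the trailing length byte intact."""
    pad_len = plaintext[-1]
    if pad_len == 0:
        raise ValueError("record has no padding bytes to corrupt")
    garbage = bytes((b + 0x5A) & 0xFF for b in plaintext[-(pad_len + 1):-1])
    return plaintext[:-(pad_len + 1)] + garbage + plaintext[-1:]

def compare(data=SAMPLE):
    """Accept/reject outcomes for an intact and a padding-corrupted record.
    SSLv3 accepts both: its verdict depends only on the final byte, which is
    the oracle POODLE exploits. TLS 1.0 rejects the corrupted record."""
    good = build_plaintext(data)
    bad = corrupt_padding_bytes(good)
    return {"sslv3_intact": receive(good, "sslv3"),
            "sslv3_corrupted": receive(bad, "sslv3"),
            "tls10_intact": receive(good, "tls10"),
            "tls10_corrupted": receive(bad, "tls10")}
```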


Wednesday October 08, 2014

NANY 2015 - NEW APPS FOR THE NEW YEAR 2015 - START YOUR ENGINES!

Since 2007 we have held an annual event that we call NANY (New Apps for the New Year), where we ask the coders who hang out on DonationCoder to create some new piece of free software and share it with the world on January 1st of the new year (browse previous year entries here).

There are no winners or losers; it's simply a celebration of programming and creating new software and sharing it with the world.  You can target any operating system (desktop or mobile) or even make a web-based tool.  It can be a game, utility, large application, whatever.

Best of all, everyone who participates gets a free commemorative coffee mug.

NANY is really the funnest thing we do on this site, and it's one of the few times we can all play together.  If you're a coder, PLEASE participate! If you're not a coder, please cheer on the coders and help encourage them and give them ideas and cheer them on. Let the coding begin!


posted by mouser - October 08, 2014, 04:55:00 AM


Tuesday October 07, 2014

Your favorite cartoons of yesterday and today?

A DC member turned me on to one of my favorite new cartoons, Rick and Morty:

I'd say it's an adult cartoon, vs a kids cartoon. Full episodes can be legally watched online here: http://www.adultswim.com/videos/rick-and-morty/

Hilarious and surprisingly faithful to the science behind some of the absurdity.



I was just reading about how the era of Saturday Morning Cartoons for kids has ended.. That's pretty sad.  I have very fond memories of waking up early on Saturday mornings and planning out what cartoons to watch.  There were some wonderful cartoons back then.

What are your favorites?

posted by mouser - October 07, 2014, 10:37:00 AM


Friday September 26, 2014

Kevin Mitnick Is Now Selling Zero-Day Exploits

Quote
As a young man, Kevin Mitnick became the world’s most notorious black hat hacker, breaking into the networks of companies like IBM, Nokia, Motorola, and other targets. After a stint in prison, he reinvented himself as a white hat hacker, selling his skills as a penetration tester and security consultant.

With his latest business venture, Mitnick has switched hats again: This time to an ambiguous shade of gray.

Late last week, Mitnick revealed a new branch of his security consultancy business he calls Mitnick’s Absolute Zero Day Exploit Exchange. Since its quiet inception six months ago, he says the service has offered to sell corporate and government clients high-end “zero-day” exploits, hacking tools that take advantage of secret bugs in software for which no patch yet exists. Mitnick says he’s offering exploits developed both by his own in-house researchers and by outside hackers, guaranteed to be exclusive and priced at no less than $100,000 each, including his own fee.

And what will his clients do with those exploits? “When we have a client that wants a zero-day vulnerability for whatever reason, we don’t ask, and in fact they wouldn’t tell us,” Mitnick tells WIRED in an interview. “Researchers find them, they sell them to us for X, we sell them to clients for Y and make the margin in between.”

Mitnick declined to name any of his customers, and wouldn’t say how many, if any, exploits his exchange has brokered so far. But the website he launched to reveal the project last week offers to use his company’s “unique positioning among security researchers and the hacker community” to connect exploit developers with “discerning government and corporate buyers.”

http://www.wired.com/2014...selling-zero-day-exploits


posted by app103 - September 26, 2014, 08:45:00 AM
discovered on http://www.sitepoint.com/versioning


Thursday September 25, 2014

Linux bash exploit discovered

"Akamai has validated the existence of the vulnerability in bash, and confirmed its presence in bash for an extended period of time. We have also verified that this vulnerability is exposed in ssh---but only to authenticated sessions. Web applications like cgi-scripts may be vulnerable based on a number of factors; including calling other applications through a shell, or evaluating sections of code through a shell.

There are several functional mitigations for this vulnerability: upgrading to a new version of bash, replacing bash with an alternate shell, limiting access to vulnerable services, or filtering inputs to vulnerable services. Akamai has created a WAF rule to filter this exploit; see "For Web Applications" below for details."

http://www.csoonline.com/...n-bash-cve-2014-6271.html

posted by mouser - September 25, 2014, 09:14:00 AM
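The "filtering inputs to vulnerable services" mitigation from the Akamai quote, as an added example: a WAF-style check for the bash function-definition prefix behind CVE-2014-6271 (Shellshock), run over Apache combined-format log lines. This is illustrative code written for this post, not Akamai's rule; the log lines, addresses and placeholder payload text are constructed.

```python
import re

# Apache "combined" log format:
#   host ident user [time] "request" status bytes "referer" "user-agent"
# Quoted fields may contain backslash-escaped characters, hence (?:[^"\\]|\\.)*
_COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)

# The bash function-definition prefix "() {" the vulnerable importer acted on,
# matched anywhere in a value with whitespace variations tolerated: a filter
# should flag odd variants rather than silently pass them.
SHELLSHOCK_PATTERN = re.compile(r"\(\s*\)\s*\{")

# Fields a CGI server copies into environment variables (REQUEST_URI /
# QUERY_STRING, HTTP_REFERER, HTTP_USER_AGENT), which is how request text
# reaches a shell that the script spawns.
SCANNED_FIELDS = ("request", "referer", "agent")

# Constructed sample log lines: RFC 5737 documentation addresses and placeholder
# payload text; none of these came from a real server.
SAMPLE_LOG = [
    '198.51.100.7 - - [25/Sep/2014:10:12:01 +0000] '
    '"GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "() { :; }; CONSTRUCTED-PLACEHOLDER"',
    '192.0.2.10 - - [25/Sep/2014:10:12:05 +0000] '
    '"GET /index.html HTTP/1.1" 200 2048 "http://www.example.com/" '
    '"Mozilla/5.0 (X11; Linux x86_64) Firefox/32.0"',
    '203.0.113.4 - - [25/Sep/2014:10:13:17 +0000] '
    '"GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "(){:;}; CONSTRUCTED-PLACEHOLDER" "curl/7.37.0"',
    '192.0.2.10 - - [25/Sep/2014:10:14:02 +0000] '
    '"GET /robots.txt HTTP/1.1" 200 64 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"',
]


def parse_combined(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = _COMBINED.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def is_shellshock_value(value):
    """True if a request or header value carries the function-definition prefix."""
    return SHELLSHOCK_PATTERN.search(value) is not None


def scan_log(lines):
    """Return (host, field, value) for each scanned field that matches. Lines
    that do not parse are reported as ("?", "unparsed", line), not dropped."""
    findings = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            findings.append(("?", "unparsed", line))
            continue
        for field in SCANNED_FIELDS:
            if is_shellshock_value(rec[field]):
                findings.append((rec["host"], field, rec[field]))
    return findings
```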


Tuesday September 23, 2014

Huge awards for developing open source educational self-teaching software

This is a really intriguing project to award large monetary prizes for developing open source educational self-teaching software:

Quote
The United Nations estimates 58 million children from ages 6 to 11 don’t attend school, a number that has remained stubbornly stagnant since the middle of the last decade.

One nonprofit believes it has the solution: Create software so exciting to use that kids will want to teach themselves.

X-Prize is challenging entrepreneurs to develop open-source software that children can use to acquire basic literacy and arithmetic skills on their own.

"It’s based on the supposition, still unproven, that kids can teach themselves how to read and write," says Matt Keller, director of the Global Learning X-Prize.

The five best submissions will receive $1-million each to test their software in 100 villages in an English-speaking part of sub-Saharan Africa. The best of those five will receive a $10-million prize so long as the software improves learning....

"My guess is the team that wins is going to be the team that develops something so sticky, so dynamic, so engaging that kids are enthralled by it," says Mr. Keller. "They’re going to learn in spite of themselves."

http://philanthropy.com/a...Taps-the-Crowd-to/148949/


posted by mouser - September 23, 2014, 07:24:00 PM


Sunday September 21, 2014

MakeUseOf: Understanding How Open Source Software Developers Make Money

Nothing groundbreaking but may be informative to some:
Understanding How Open Source Software Developers Make Money
http://www.makeuseof.com/...re-developers-make-money/

"There are many myths about open source software (OSS) and perhaps the most common is this: open source and profit are mutually exclusive...The truth is: many OSS developers and projects do generate revenue. Some earn just enough money to survive while others produce so much money that they put proprietary alternatives to shame. How’s that for irony?"

posted by mouser - September 21, 2014, 06:24:00 AM


Wednesday September 17, 2014

Android: Beware Old Android Browser (CVE-2014-6041)

This looks pretty serious for folks that still use the old Android Browser (or apps that might use some of the contained code):

Quote
...a flaw that enables malicious sites to inject JavaScript into other sites. Those malicious JavaScripts can in turn read cookies and password fields, submit forms, grab keyboard input, or do practically anything else.

via:

  http://arstechnica.com/se...or-half-of-android-users/

More at:

  https://community.rapid7....cy-disaster-cve-2014-6041

posted by ewemoa - September 17, 2014, 08:56:00 AM


Sunday September 14, 2014

Stephen's Weekly Tech/Science News Roundup

As usual, here is a bit of a roundup of this week's Tech and Science news.  I decided not to do what most news agencies have done, and shove the Apple iPhone 6 down your throats ^_^



SanDisk SD memory card 'largest ever'

Memory specialist SanDisk has created an SD card with 512 gigabytes (GB) of storage space - the highest capacity ever released.

The card, which is the size of a postage stamp, will go on sale for $800 (£490).

The launch comes a decade after the firm released a 512-megabyte (MB) SD card with one-thousandth of the space.

Read more at: http://www.bbc.co.uk/news/technology-29175093

Facebook experiments with vanishing posts

Facebook is following in the footsteps of messaging app Snapchat by testing a feature that allows users to schedule the automatic deletion of their posts.

The social network said the option, which offers expiration settings ranging from one hour to seven days, was "a small pilot" for its iOS app.

Facebook often tests new capabilities.

It faced criticism in June for one experiment that "manipulated" the content of nearly 700,000 users' news feeds, to gauge emotional responses.

Read more at: http://www.bbc.co.uk/news/technology-29156436

Google buys firm behind spoon for Parkinson's patients

Google has bought a biotech company that has developed a spoon designed to make life easier for people with diseases such as Parkinson's.

It is part of its ambitious foray into health technology, spurred in part by the personal interest of co-founder Sergey Brin.

Last year, Google became the main investor in Calico, a firm dedicated to developing medicines to extend life.

Latest acquisition Lift Labs will join Google's research division Google X.

The spoon developed by Lift Labs is equipped with sensors that detect tremors and cancels them out by as much as 70%, according to the firm.

The technology it uses is similar to image stabilisation features in cameras that compensate for shaky hands when taking a photo.

Read more at: http://www.bbc.co.uk/news/technology-29155888

In this Chinese city, phone addicts get their own sidewalk lane

Some places have lanes for bicycles, others for motorcycles, but there's a place in mainland China that boasts a different type of lane altogether: one for phone addicts glued to their screens. According to a Chinese publication, the cellphone lane above was spotted along a place called Foreigner Street in Chongqing city, one of the five major cities in the country. The sidewalk was most likely painted on for everyone's safety, because, hey, if there's distracted driving, there's also distracted walking, as perfectly demonstrated by the woman in this video. If the idea sounds familiar, it's because the National Geographic did something similar back in July as an experiment. The society stenciled "NO CELLPHONES" on one-half of a DC sidewalk and "CELLPHONES: WALK IN THIS LANE AT YOUR OWN RISK" on the other half. The result? Well, among other things, they found that the people actually glued to their phones didn't even notice the markings at all. Typical.

Read more at: http://www.engadget.com/2...alk-lane-china/#continued

The Big Picture: NASA gets ready to build the 'next great rocket'

See the gargantuan structure above that dwarfs that line of puny humans at the bottom (bet you didn't even notice them at first glance, huh)? It's a welding tool -- the biggest one built for spacecraft, in fact, that's slated to help Boeing build the core stage of NASA's Space Launch System at the agency's Michoud Assembly Facility in New Orleans. The structure's officially called the Vertical Assembly Center, and it stands 170 feet tall with a width that measures 78 feet: not exactly surprising, considering the SLS is a 200-foot-tall behemoth. It's but one of the many tools Boeing intends to use to build the core stage of NASA's "most powerful rocket ever" after the two organizations finalized their $2.8 billion deal in July. The core stage will house cryogenic liquid hydrogen and liquid oxygen used to power the rocket's four engines, and building it brings the SLS much closer to the launch pad for deep space exploration.

Read more at: http://www.engadget.com/2...rocket-welding/#continued

eBay DROPS DEAD AGAIN - tat bazaar says sorry, scrambles to resurrect site

eBay went titsup earlier today, and the company is now attempting to bring its site back to life.

The online tat bazaar coughed to an unexplained technical blunder preventing an unknown number of its subscribers from accessing the site, which many buyers and sellers of used goods enjoy using in their spare time on the weekends.

eBay posted this miserable statement on its service page about 90 minutes ago:

Quote
We are aware that some users may experience problems when using the eBay Site. We are actively working on restoring the issue and apologize for any inconvenience caused.

But plenty of folk were still complaining that they were unable to access the site, at time of writing.


posted by Stephen66515 - September 14, 2014, 06:34:00 PM


Friday September 12, 2014

Software patents are crumbling thanks to the Supreme Court

Tim Lee has written a nice write up for recent legal progress in rolling back the software patent madness of recent years.  It's good news for those of us who spend our time coding and don't want to get wrapped up in frivolous lawsuits designed to extort money.

Quote
Now a series of decisions from lower courts is starting to bring the ruling's practical consequences into focus. And the results have been ugly for fans of software patents. By my count there have been 11 court rulings on the patentability of software since the Supreme Court's decision — including six that were decided this month.  Every single one of them has led to the patent being invalidated.

http://www.vox.com/2014/9...anks-to-the-supreme-court

posted by mouser - September 12, 2014, 07:09:00 PM
discovered on Techdirt


Thursday September 11, 2014

One Chance: A game you can only play once

Here's an interesting looking game called One Chance which only allows you to play it once.

One Chance is a game quite unlike any you have ever played online. It is about a scientist who created a pathogen that is inadvertently wiping out all mankind on Earth. You then have six in-game days to decide how you will spend the rest of your life. Will you stay at the office and do all you can to find a cure? Will you finally step away from the office and spend some time with the family you have been neglecting? Or will the madness and impending doom just cause you to lose your mind?

What really sets One Chance apart is that you really only have One Chance to play it. The game picks up on your IP and unless you have multiple computers with multiple IPs, you really only do get one chance in One Chance, which is part of what makes it so spectacular.

(It actually just stores a cookie, so you can play it again if you clear your cookies or use Incognito/Private browsing mode.)

http://www.newgrounds.com/portal/view/555181

posted by Deozaan - September 11, 2014, 02:26:00 PM
discovered on Neatorama


SigCheckGui: A Tool that scans and lists digitally signed files from a folder/disk

DC Member skwire, in responding to a request on our Coding Snacks request section, has written a beautiful GUI front end to the excellent SigCheck command-line utility by Mark Russinovich from Sysinternals.

The tool will recursively scan folders (or active processes) and produce a nice grid (sortable of course) of results, showing the digital secure signatures of applications and DLLs.

In addition to being a useful security tool, it's a neat way to find out more information about the applications installed on your pc.


posted by mouser - September 11, 2014, 11:00:00 AM

