Security flaw in MySQL, MariaDB allows access with any password—just keep submitting it

When the latest release of MariaDB was announced in April by MontyProgram AB founder and MySQL creator Michael “Monty” Widenius, it came with a warning from Widenius that a severe security bug had been discovered in previous versions of both MariaDB and MySQL. Oracle subsequently released a patch for MySQL. Now the details of the flaw, and the extent of the vulnerability, have been revealed: it could allow anyone who knows a valid user account on the database to connect using any password at all, simply by retrying the connection a few hundred times.

The affected versions of both databases have a flaw in their authentication code whose impact depends on how the memcmp() function, which compares two memory buffers for equality, is implemented by the compiler and C library of a given Linux build. When a client connects and submits a password, the server derives a token from the password using SHA-1 and a random per-connection string (the “scramble”) that the server sends to the client. That token is compared, using memcmp(), against the value the server computes from the password hash it has stored; memcmp() returns zero when the two buffers are equal and a non-zero integer when they differ, and the C standard guarantees only the sign of that non-zero integer, not its magnitude. A return of “0” means the password is correct.

But in the affected versions of MariaDB and MySQL, as MontyProgram’s Sergei Golubchik wrote in a list posting on June 9, the database can be fooled into accepting a password even if it doesn’t match. “Because of incorrect [type] casting [in the code],” he wrote, “it might’ve happened that the token and the expected value were considered equal, even if the memcmp() returned a non-zero value. In this case, MySQL/MariaDB would think that the password is correct even while it is not.” The comparison routine handed memcmp()’s int result back through a single-byte type, so a result such as 256 was truncated to zero and read as a match. On an affected build that happens for roughly one in 256 wrong passwords, which is why a few hundred connection attempts with any password are enough to get in. The precondition is a memcmp() that can return values outside the range -128 to 127, which is true of some optimised implementations but not of others, so many official binaries were not exploitable while some distribution builds were.
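To make the casting bug concrete, the following is an added C example; it is not MySQL’s or MariaDB’s own code. The wide_memcmp() stand-in, the function names and the xorshift generator are this example’s own assumptions: wide_memcmp() mimics an optimised memcmp() that returns a wide non-zero magnitude, check_scramble_vulnerable() reproduces the single-byte return pattern, token_matches_fixed() shows a safe comparison, and count_false_accepts() simulates the brute force by submitting random wrong tokens.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SHA1_HASH_SIZE 20   /* MySQL native auth compares 20-byte SHA-1 values */

/* Stand-in for an optimised memcmp(): the C standard only promises the
 * sign of a non-zero result, and some vectorised implementations return
 * magnitudes well outside -128..127.  This constructed version folds the
 * first two differing bytes into one int, so its low byte is zero whenever
 * the byte following the first mismatch happens to agree.  It is an
 * illustration, not glibc's code. */
static int wide_memcmp(const void *a, const void *b, size_t n)
{
    const unsigned char *x = a, *y = b;
    for (size_t i = 0; i < n; i++) {
        if (x[i] == y[i])
            continue;
        int d = (int)x[i] - (int)y[i];
        if (i + 1 < n)
            return d * 256 + ((int)x[i + 1] - (int)y[i + 1]);
        return d;
    }
    return 0;
}

/* The pre-fix pattern: the return type is a one-byte my_bool, so the int
 * from memcmp() is narrowed.  256 becomes 0, and 0 means "match". */
typedef char my_bool;
static my_bool check_scramble_vulnerable(const unsigned char *token,
                                         const unsigned char *expected)
{
    return wide_memcmp(token, expected, SHA1_HASH_SIZE);   /* truncated */
}

/* Returns 1 when the vulnerable check would accept the token. */
static int token_matches_vulnerable(const unsigned char *token,
                                    const unsigned char *expected)
{
    return check_scramble_vulnerable(token, expected) == 0;
}

/* Safe form: never narrow a comparison result, and OR every byte's
 * difference together so the position of a mismatch does not leak through
 * timing.  Returns 1 when the token matches, 0 otherwise. */
static int token_matches_fixed(const unsigned char *token,
                               const unsigned char *expected)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < SHA1_HASH_SIZE; i++)
        diff |= token[i] ^ expected[i];
    return diff == 0;
}

/* Deterministic xorshift32 so the simulation is repeatable (assumed PRNG). */
static uint32_t rng_state = 0x9E3779B9u;
static uint32_t xorshift32(void)
{
    uint32_t x = rng_state;
    x ^= x << 13;
    x ^= x >> 17;
    x ^= x << 5;
    return rng_state = x;
}

/* Brute-force simulation: submit `trials` random tokens (wrong passwords)
 * against one expected value and count how many the vulnerable check lets
 * through that the fixed check rejects.  Expect about trials / 256. */
static int count_false_accepts(int trials)
{
    unsigned char expected[SHA1_HASH_SIZE];
    unsigned char token[SHA1_HASH_SIZE];
    int accepted = 0;
    for (size_t i = 0; i < SHA1_HASH_SIZE; i++)
        expected[i] = (unsigned char)xorshift32();
    for (int t = 0; t < trials; t++) {
        for (size_t i = 0; i < SHA1_HASH_SIZE; i++)
            token[i] = (unsigned char)xorshift32();
        if (token_matches_vulnerable(token, expected) &&
            !token_matches_fixed(token, expected))
            accepted++;
    }
    return accepted;
}

int main(void)
{
    int n = 10000;
    printf("vulnerable check accepted %d of %d wrong tokens\n",
           count_false_accepts(n), n);
    return 0;
}
```

A token that differs from the expected value only in its first byte is accepted by the vulnerable path (the result 256 narrows to 0) and rejected by the fixed one; a token that differs in two consecutive bytes is rejected by both. The upstream fix collapsed the memcmp() result to 0 or 1 before any narrowing conversion; the fixed function here goes one step further with a constant-time comparison, which is what a practitioner should reach for when comparing authentication material.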



What Does the U.S. Even Make, Anymore? This Website Shows You


As an American, I have this fear that it doesn’t matter what we do and that U.S. manufacturing is going the way of the dodo. I have this fear that every success story we read about someone manufacturing in America and making a profit is just a drop in the bucket, and that creating hundreds of manufacturing jobs won’t help because we need millions of manufacturing jobs. But until someone shows me that statistic, I’ll hold out a little hope.

Two people who not only share that hope but are passionate about it are Eric Brian Smith and Mary Tayloe Yang, the creatives and founders behind Palo Alto’s XY3D animation firm. In their spare time they’ve put together a website, US Groove, that presents U.S.-made goods in a blog format. Divided by category, the site lists furniture, electronics, tools, automotive products, bags, clothing, jewelry and more.


“It’s a myth that outsourcing is the only way to make a profit,” says Smith. “The only things that tend to make financial sense importing are products with billions of interconnected parts.”

“Once you know what the U.S. is good at making competitively,” adds Yang, “it becomes easier to shop American and help pull the U.S. economy back together and put it back into the groove.”

So it can be put back in the groove… right?




FTC sets sights on scammy “crammers” who bill your phone a fortune for services you don’t need, want, or use

Ars Technica’s Nate Anderson writes about the FTC’s lawsuit against Streaming Flix and its billing partner, Billing Services Group (BSG). The companies are accused of putting bogus charges on people’s phone bills through trickery (fine print in seemingly unrelated sign-ups) or outright fraud (simply adding charges to random phone lines, including a local public library’s story line, which plays recorded stories to callers). The companies have taken millions out of phone-line owners’ pockets in a fairly brazen rip-off, and the carriers are unwilling to take any real action against them because, naturally, they get a cut.

As the middleman, BSG makes similar claims about being duped, but the new FTC complaint tries to show that the company had ample reason to know it was aiding a fraudulent enterprise. (These claims are detailed, extremely detailed, in a 45-page appendix to the original FTC complaint). For instance, the FTC says that BSG saw the “astronomical refund rates” requested by Landeen’s “consumers,” including a 60 percent refund rate on the voicemail products alone. BSG was also notified that major carriers like Verizon and AT&T were cutting off various Landeen products at different times due to the complaint rates that the telcos themselves were seeing.

What about BSG’s “strict protocol” and “100-point review process”? According to the FTC, the company did evaluate Landeen’s businesses. At one point, BSG performed its own “scrub” of the list of AT&T numbers billed by 800 Vmailbox and Digital Vmail—and found that 5,430 of the 8,413 phone numbers being billed didn’t match the name and address provided by the voicemail company. But after the scrub, the FTC says BSG opened no broader investigation into this staggering rate of error. BSG did not proactively offer refunds, and did not notify law enforcement. In fact, it “doubled down on its relationships with the crammers, approving two new Landeen services for billing in the fall of 2010.” BSG even agreed to bill for Landeen’s services, says the FTC, after Landeen’s company admitted that only 20 percent of those billed were even expected to use them.

$422,000 to stream a movie? The continued “success” of phone cramming


Noctua’s noise-canceling PC fan gets tested, drops twenty decibels


Having trouble tuning out the hum of your PC fans? Maybe it’s time you took another look at Noctua’s NF-F12 integrated noise-cancellation fan. According to the firm, the Computex prototype kept things about 20dB quieter by using patented RotoSub ANC technology to emit anti-noise directly from the fan’s own blades. Noctua hopes to dampen the cooler’s 2,500 RPM hum to the overall noise level of a slower 1,500 RPM fan. Builders looking to piece together a quieter machine can look for the noise-reducing cooler in the latter half of 2013. Your old fan? Well, you could always use it as a makeshift turntable.


Noctua’s noise-canceling PC fan gets tested, drops twenty decibels originally appeared on Engadget on Mon, 11 Jun 2012 05:09:00 EDT.



Microsoft revives free Windows desktop development tools, didn’t mean to make you cry


Microsoft has resuscitated Visual Studio Express for Windows Desktop, a few weeks after deciding to bump it off. The company had wanted to push developers onto the $400 professional edition of the software, but a volley of complaints forced the climbdown. When it arrives in the fall, it’ll let hobbyists, beginners and open-source coders create desktop and command-line applications… for free!

Microsoft revives free Windows desktop development tools, didn’t mean to make you cry originally appeared on Engadget on Mon, 11 Jun 2012 05:49:00 EDT.



Facebook Launches App Center With Over 600 Apps


Mattygfunk1 writes “Facebook is following the leader and launching its own app store. The move is intended to encourage longer browsing sessions from users and attract attention from software developers, in addition to allowing more personalized advertising. ‘Each app will generally allow the user to install it as a Facebook application. However, a “send to mobile” will also appear if the app has a mobile app from either the Apple iOS App Store or else the Google Play store. In either case, the app can be sent to a user’s phone and can be installed there.’ It’s currently only available in the U.S., with more countries to follow in the coming weeks.”


Flash player 11.3 will support sandboxing in Firefox on Windows

Several changes that Adobe made in Flash 11.3 aim to boost the browser plugin’s security and reduce its susceptibility to attacks. The most significant of those changes is the introduction of sandboxing on the Windows platform.

Due to the frequent discovery of Flash vulnerabilities and the relative ubiquity of the plugin, Flash is one of the most heavily exploited pieces of software. Adobe and browser vendors have been working to make it harder to exploit by isolating the plugin and by ensuring that users have easier access to the latest version.

Most browsers already implement process isolation for plugins in order to prevent Flash crashes from taking down the whole application. In some browsers, such as Chrome, the plugin is sandboxed on Windows to prevent it from accessing sensitive platform functionality. Adobe has worked with Mozilla to bring that feature to Firefox on Windows.



Future U: Fear and Loathing in Academia

Future U is a multipart series on the university of the 21st century. We will be investigating the possible future of the textbook, the technological development of libraries, how tech may change the role of the professor, and the future role of technology in museums, research parks, and university-allied institutions of all kinds.


“What I would have had to do to access original sources 15 years ago!” Jeff McClurken, Associate Professor and Head of History and American Studies at the University of Mary Washington, told Ars. “Now I can get the entire text of Lewis and Clark’s journals online, or most books from the 19th century or an archive of tweets related to the Arab Spring.”

“Education is in the process of changing,” agreed Jonathan Rees, Professor of History at Colorado State University at Pueblo. “Technology has given us opportunities the people who taught me didn’t have.”

Technology has made the job of the professor, both teaching and research, easier and more exciting. At the same time, it has introduced stresses and worries that were not present before.



X-ray Generator Fits In the Palm of Your Hand

ananyo writes “Scientists have reported the first tabletop source of ultra-short, laser-like pulses of low energy, or ‘soft,’ X-rays. The light, capable of probing the structure and dynamics of molecules, was previously available only at large, billion-dollar national facilities such as synchrotrons or free-electron lasers, where competition for use of the equipment is fierce. The new device, by husband-and-wife team Margaret Murnane and Henry Kapteyn based at JILA in Boulder, Colorado, might soon lie within the grasp of a university laboratory budget — perhaps allowing them to one day be as common in labs as electron microscopes are.”
