The Week in Video: Cunning, fleeced and far out

A radically rebuilt Firefox launches, rip-offs in full-price games stir tempers, and we spend time at charging stations with the e-Golf. Seven days and many stories at a glance. (Golem-Wochenrückblick, electric car)

Weekend code warriors prepare to clash in Codewarz

Pick your language and take on programming challenges for fun and coder cred.

Image: Obviously a Codewarz competitor. (credit: Alain Daussin/Getty Images)

If you didn't have any weekend plans yet—or maybe even if you did—and you're interested in scratching your programming itch, there's something to add to your calendar. Codewarz, a programming competition that presents participants with 24 coding challenges, is running its first live event starting at 1pm Eastern on November 18 and ending at 9pm on November 20.

This is not a hacking competition—it’s strictly coding. Participants can use their language of choice as long as it's one of the 15 supported by the event: the various flavors of C, Python, Node.js, Scala, PHP, Go, Ruby, and even BASH. (Sorry, no one has asked them to support Ada or Eiffel yet.) There's no compiling required, either. Each submitted solution is run in an interpreted sandbox on a Linux machine for evaluation and scoring. And the challenges run the gamut from beginner (things like text parsing, math, and basic networking) to advanced (more advanced parsing and math, hashing, cryptography, and forensics challenges).

Scoring is straightforward. Each of the challenges has an expected output (checked through hash-matching), and matching that output equals success for whatever number of points a challenge is worth. The easiest challenges (such as a "Hello World" tutorial challenge) are worth 10 points, while the hardest are worth 250 points.


Dealmaster: The Black Friday tech deals that might actually be worth buying

We combed through the early Black Friday ads to find the stuff you might want.

Image: Get ready for lots of ads like this. (credit: Best Buy)

Brace yourself for Walmart fights and snarky tweets about capitalism, because Black Friday is nearly here. Once again, the day after Thanksgiving—and in many cases the days before that—will see retailers across the country pushing an avalanche of sales to the gift-needy public.

And once again, many of those “discounts” won’t be discounts at all. Year after year, the corporate holiday isn’t quite the deals bonanza it proclaims to be. Many of the devices on sale either won’t be priced significantly lower than they are at other points in the year or just won’t be worth buying to begin with.

After sorting through the early ad scans and retailer offers for this year’s Black Friday, we’re confident this trend will continue. That said, even if just a fraction of the several thousand sales on show are worth getting, that still leaves more than a few diamonds in the rough.


Microsoft abandons typical Patch Tuesday playbook to fix Equation Editor flaw

How do you fix a program without the source code? You patch the binary directly.

(Image credit: Flickr user: Ivan T)

When a company like Microsoft needs to fix a security flaw in one of its products, the process is normally straightforward: determine where the bug lies, change the program's source code to fix the bug, and then recompile the program. But it looks like the company had to step outside this typical process for one of the flaws it patched this Tuesday. Instead of fixing the source code, it appears that the company's developers made a series of careful changes directly to the buggy program's executable file.

Bug CVE-2017-11882 is a buffer overflow in the ancient Equation Editor that comes with Office. The Equation Editor allocates a fixed-size piece of memory to hold a font name and then copies the font name from the equation file into this piece of memory. It doesn't, however, check to ensure that the font name will fit into this piece of memory. When provided with a font name that's too long, the Equation Editor overflows the buffer, corrupting its own memory, and an attacker can use this to execute arbitrary malicious code.
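The allocate-then-copy-without-a-length-check pattern described above, as an added C example that is not Microsoft's code and not Equation Editor's real file format: the record layout (one length byte followed by the name bytes), the 32-byte buffer size and the function names are constructed for illustration. The unchecked copier shows the defect for contrast only and is never run on long input; the checked copier is the bounded form a source-level fix would use, and the parser also rejects records that claim more bytes than the file holds.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record layout for this example (not Equation Editor's real
 * format): a one-byte length field followed by that many font-name bytes.
 * The reader keeps the name in a fixed-size buffer, as the article describes. */
#define FONT_NAME_BUF 32

struct font_record {
    uint8_t name_len;      /* length claimed by the file: attacker-controlled */
    const uint8_t *name;   /* points into the file data, not a copy */
};

/* Locate one record inside raw file bytes and confirm the file really holds
 * name_len bytes, so a truncated file cannot make us read past its end. */
int parse_font_record(const uint8_t *buf, size_t buf_len, struct font_record *r)
{
    if (buf_len < 1)
        return -1;
    r->name_len = buf[0];
    if ((size_t)r->name_len > buf_len - 1)
        return -1;                      /* record claims more than is present */
    r->name = buf + 1;
    return 0;
}

/* The defect pattern the article describes: copy however many bytes the file
 * claims. With name_len >= FONT_NAME_BUF this writes past `out` and corrupts
 * whatever follows it; shown for contrast, never called with long input here. */
int copy_font_name_unchecked(char out[FONT_NAME_BUF], const struct font_record *r)
{
    memcpy(out, r->name, r->name_len);  /* no check against the buffer size */
    out[r->name_len] = '\0';            /* also one past the end at exactly 32 */
    return 0;
}

/* Hardened form: reject the record unless the name plus its terminator fits. */
int copy_font_name_checked(char out[FONT_NAME_BUF], const struct font_record *r)
{
    if (r->name_len >= FONT_NAME_BUF)
        return -1;                      /* oversized name: refuse, don't overflow */
    memcpy(out, r->name, r->name_len);
    out[r->name_len] = '\0';
    return 0;
}

/* Constructed well-formed record: 7-byte name "SymbolX". Returns 1 on round-trip. */
int demo_well_formed(void)
{
    const uint8_t file[] = { 7, 'S', 'y', 'm', 'b', 'o', 'l', 'X' };
    struct font_record r;
    char out[FONT_NAME_BUF];
    if (parse_font_record(file, sizeof file, &r) != 0)
        return 0;
    if (copy_font_name_checked(out, &r) != 0)
        return 0;
    return strcmp(out, "SymbolX") == 0;
}

/* Constructed hostile record: 200-byte name, far larger than the 32-byte buffer.
 * Returns the checked copier's verdict (-1 means rejected). */
int demo_overlong(void)
{
    uint8_t file[1 + 200];
    struct font_record r;
    char out[FONT_NAME_BUF];
    file[0] = 200;
    memset(file + 1, 'A', 200);
    if (parse_font_record(file, sizeof file, &r) != 0)
        return -2;
    return copy_font_name_checked(out, &r);
}

/* Constructed truncated record: claims 5 bytes but only 2 follow. Returns parse verdict. */
int demo_truncated(void)
{
    const uint8_t file[] = { 5, 'a', 'b' };
    struct font_record r;
    return parse_font_record(file, sizeof file, &r);
}

int main(void)
{
    printf("well-formed: %d, overlong: %d, truncated: %d\n",
           demo_well_formed(), demo_overlong(), demo_truncated());
    return 0;
}
```

The two copiers differ by a single comparison, which is why such a bug can be fixed with a small patch to the binary: the check is inserted before the copy and an oversized name is rejected rather than written into memory the buffer does not own.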

Curious how a buffer overflow works? Previously on Ars we did a deep-dive explanation. (video link)


Hairy situation: DC’s rail system may be taken down by human shedding

The fuzzy coating from riders’ heads could cause electrical sparks and fires.

Image: The DC Metro, when it's not on fire. (credit: Getty | Bill Clark)

For residents of our nation’s capital, news of a fire on the city’s rapid transit system—the Washington Metro—is not surprising. It catches fire and smokes quite regularly. At some points last year, there were reports of more than four fires per week (although there’s some dispute about that rate). There’s even the handy site—IsMetroOnFire.com—to check the current blaze status.

Yet, despite the common occurrence, residents may be surprised to learn a potential contributor to the system-wide sizzling: their own hair.

According to a safety specialist with the Amalgamated Transit Union (ATU), a thick, felt-like layer of human hair, skin, and other debris has collected on the aging tracks of the city’s rails. In particular, hair has built up on the insulators supporting the transit system’s electrified third rails, which carry 750 volts to power the trains. The hair coating poses a real threat of electrical sparks and fire.


Toshiba may (or may not) want to sell its PC division

Japanese electronics company Toshiba scaled back its consumer PC business a few years ago, and now a report from Japanese news organization Nikkei suggests that Toshiba is looking to sell off its PC division altogether… possibly to Asus or Lenovo. Toshiba denies that it’s in talks to sell its PC business. But it would hardly […]

Toshiba may (or may not) want to sell its PC division is a post from: Liliputing

Argentine Navy diesel sub disappears, NASA plane joins in search

Sub San Juan went missing Wednesday; NASA’s Antarctic P-3 is now flying a search pattern.

(Image credit: NASA)

The US Navy and NASA have joined the search for an Argentine Armada (navy) diesel-electric attack submarine—the ARA San Juan (S-42)—and its crew of 44 sailors missing in the Southern Argentine Sea. The last contact with the TR-1700 class sub, built in 1983 by the German shipbuilder Thyssen Nordseewerke, was on November 15.

NASA has dispatched a modified P-3 Orion patrol plane—previously used by the Navy for submarine hunting—to aid in the search. The P-3 is equipped with a magnetic anomaly detector (or magnetometer), a gravimeter for detecting small fluctuations in the Earth's gravity, infrared cameras, and other sensors for measuring ice thickness. With that array, the P-3 may be able to detect the submerged submarine.


Tax bill that passed the House would cripple training of scientists

Researchers-in-training would be taxed on any tuition they’re excused from.

Image: Whatever you made in that flask, it's going to cost you. (credit: Oak Ridge National Lab)

Yesterday, the US House of Representatives passed its version of a tax bill that would drop corporate tax rates and alter various deductions. While most of the arguments about the bill have focused on which tax brackets will end up paying more, an entire class of individuals appears to have been specifically targeted with a measure that could raise their tax liability by 300 percent or more: graduate student researchers. If maintained, the changes could be crippling for research in the US.

Tuition waivers

Many graduate programs in areas like business, medicine, and law can afford to charge high tuitions. That's in part because these degrees are in high demand and in part because the students know that they'll have the potential to earn very large salaries after graduation.

PhD programs are nothing like this. Despite typically taking five to six years to complete, a PhD student is only likely to earn in the area of $44,000 after graduation if they're funded by the National Institutes of Health. Even four years of additional experience doesn't raise the salary above $50,000. As such, charging them tuition would leave them with no way to possibly pay back their student loans. Doing so would almost certainly discourage anyone but the independently wealthy from attending research-focused graduate programs.


Man gets threats—not bug bounty—after finding DJI customer data in public view

A bug bounty hunter shared evidence; DJI called him a hacker and threatened him with the CFAA.

Image: A security researcher says he was trying to play fair with DJI's bug bounty program. DJI calls him a hacker who exposed customer data.

DJI, the Chinese company that manufactures the popular Phantom brand of consumer quadcopter drones, was informed in September that developers had left the private keys for both the "wildcard" certificate for all the company's Web domains and the keys to cloud storage accounts on Amazon Web Services exposed publicly in code posted to GitHub. Using the data, researcher Kevin Finisterre was able to access flight log data and images uploaded by DJI customers, including photos of government IDs, driver's licenses, and passports. Some of the data included flight logs from accounts associated with government and military domains.

Finisterre found the security error after beginning to probe DJI's systems under DJI's bug bounty program, which was announced in August. But as Finisterre worked to document the bug with the company, he got increasing pushback—including a threat of charges under the Computer Fraud and Abuse Act (CFAA). DJI refused to offer any protection against legal action in the company's "final offer" for the data. So Finisterre dropped out of the program and published his findings publicly yesterday, along with a narrative entitled, "Why I walked away from $30,000 of DJI bounty money."

"Hacker?"

DJI launched its bug bounty this fall shortly after the US Army issued a ban on using DJI drones for any military purpose due to "operational security" concerns. There were also spreading reports of people hacking the firmware of DJI drones, some of which Finisterre had himself posted to GitHub. But according to Finisterre, the program was clearly rushed out. The company did not, and has yet to, define the scope of the bounty program publicly. So when Finisterre discovered that DJI's SSL certificates and firmware AES encryption keys had been exposed through searches on GitHub—in some cases for as long as four years—he contacted the company to see if its servers were within the scope of the bug bounty program. He was told they were—a statement that DJI officials would later walk back.


The world of Skyrim is thrilling and flawed in VR

A nice place to visit, but I’m not sure about spending 100 hours.

Image: The disembodied hand of fate falls on you, tree!

Since consumer-grade virtual reality became a thing last year, there's been some criticism over the lack of lengthy, meaty VR experiences that can draw players into an epic story for dozens of hours. As if to answer that criticism, Bethesda has released Skyrim VR, a PlayStation VR-exclusive version of one of the meatiest RPGs of the last decade.

Consumer virtual reality was barely even a gleam in Palmer Luckey's eye when Skyrim came out in 2011, though, and that fact comes into stark relief when trying to play the game in a brand new medium. While Skyrim's world makes some impressive first impressions in VR, a few hours with the game is enough to show some significant problems with the conversion as well.

Rough edges

To be sure, seeing and exploring Skyrim's world in VR brings some immediate and impressive improvements over playing on a monitor. From the jump, the stereoscopic 3D and head tracking of the PSVR headset make you feel like you're actually in Skyrim like never before.
