Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
Microsoft

Microsoft: Windows 7 Does Not Meet the Demands of Modern Technology; Recommends Windows 10 (neowin.net) 432

In a blog post, Microsoft says that continued usage of Windows 7 increases maintenance and operating costs for businesses. Furthermore, time is needlessly wasted on combating malware attacks that could have been avoided by upgrading to Windows 10. A report on Neowin adds: Microsoft also says that many hardware manufacturers do not provide drivers for Windows 7 any longer, and many developers and companies refrain from releasing programs on the outdated operating system. Markus Nitschke, Head of Windows at Microsoft Germany, had the following to say about Windows 7: "Today, it [Windows 7] does not meet the requirements of modern technology, nor the high security requirements of IT departments. As early as in Windows XP, we saw that companies should take early steps to avoid future risks or costs. With Windows 10, we offer our customers the highest level of security and functionality at the cutting edge.
Google

Google Reveals Its Servers All Contain Custom Security Silicon (theregister.co.uk) 108

Google has published an Infrastructure Security Design Overview that explains how it secures the cloud it uses for its own operations and for public cloud services. From a report on The Register: The document outlines six layers of security and reveals some interesting factoids about the Alphabet subsidiary's operations, none more so than the disclosure that: "We also design custom chips, including a hardware security chip that is currently being deployed on both servers and peripherals. These chips allow us to securely identify and authenticate legitimate Google devices at the hardware level." That silicon works alongside cryptographic signatures employed "over low-level components like the BIOS, bootloader, kernel, and base operating system image." "These signatures can be validated during each boot or update," the document says, adding that "the components are all Google-controlled, built, and hardened. With each new generation of hardware we strive to continually improve security: for example, depending on the generation of server design, we root the trust of the boot chain in either a lockable firmware chip, a microcontroller running Google-written security code, or the above mentioned Google-designed security chip."
Microsoft

Microsoft's Security Bulletins Will End In February (computerworld.com) 34

Remember how Microsoft switched to cumulative updates? Now Computerworld points out that that's bringing another change. An anonymous reader quotes their report: Microsoft next month will stop issuing detailed security bulletins, which for nearly 20 years have provided individual users and IT professionals information about vulnerabilities and their patches... A searchable database of support documents will replace the bulletins; that database has been available, albeit in preview, since November on the portal Microsoft dubbed the "Security Updates Guide," or SUG. The documents stored in the database are specific to a vulnerability on an edition of Windows, or a version of another Microsoft product. They can be sorted and filtered by the affected software, the patch's release date, its CVE identifier, and the numerical label of the KB, or "knowledge base" support document.
Redmond Magazine reports that Microsoft still plans to continue to issue its security advisories, and to issue "out-of-band" security update releases as necessary.
Privacy

Hackers Corrupt Data For Cloud-Based Medical Marijuana System (bostonglobe.com) 139

Long-time Slashdot reader t0qer writes: I'm the IT director at a medical marijuana dispensary. Last week the point of sales system we were using was hacked... What scares me about this breach is, I have about 30,000 patients in my database alone. If this company has 1,000 more customers like me, even half of that is still 15 million people on a list of people that "Smoke pot"...
" No patient, consumer, or client data was ever extracted or viewed," the company's data directory has said. "The forensic analysis proves that. The data was encrypted -- so it couldn't have been viewed -- and it was never extracted, so nobody has it and could attempt decryption." They're saying it was a "targeted" attack meant to corrupt the data rather than retrieve it, and they're "reconstructing historical data" from backups, though their web site adds that their backup sites were also targeted.

"In response to this attack, all client sites have been migrated to a new, more secure environment," the company's CEO announced on YouTube Saturday, adding that "Keeping our client's data secure has always been our top priority." Last week one industry publication had reported that the outage "has sent 1,000 marijuana retailers in 23 states scrambling to handle everything from sales and inventory management to regulatory compliance issues."
Security

Student Hacker Faces 10 Years in Prison For Spyware That Hit 16,000 Computers (vice.com) 174

An anonymous reader quotes Motherboard: A 21-year-old from Virginia plead guilty on Friday to writing and selling custom spyware designed to monitor a victim's keystrokes. Zachary Shames, from Great Falls, Virginia, wrote a keylogger, malware designed to record every keystroke on a computer, and sold it to more than 3,000 people who infected more than 16,000 victims with it, according to a press release from the U.S. Department of Justice.

Shames, who appears to be a student at James Madison University, developed the first version of the spyware while he was still a high school student in 2013, "and continued to modify and market the illegal product from his college dorm room," according to the feds... While the feds only vaguely referred to it as "some malicious keylogger software," it appears the spyware was actually called "Limitless Keylogger Pro," according to evidence found by a security researcher who asked to remain anonymous... According to what appears to be Shames Linkedin page, he was an intern for the defense contractor Northrop Grumman from May 2015 until August 2016.

The Department of Justice announced that he'll be sentenced on June 16, and faces a maximum of 10 years in prison.
Privacy

Tor Onion Browser's Creator Explains Free Version For iOS (mike.tig.as) 26

The free iOS version of the Tor browser "sparked a tidal wave of interest" after its release in December, according to Silicon.co. Mickeycaskill writes: The cost has been scrapped due to developer Mike Tigas' worries that the price was limiting access to anonymous browsing for those who need it most. "Given recent events, many believe it's more important than ever to exercise and support freedom of speech, privacy rights, and digital security," Tigas wrote in a blog post. "I think now is as good a time as ever to make Onion Browser more accessible to everyone."
"I'm still a little terrified that I've made this change," Tigas adds. For four years the Tor Onion browser was available on the Apple App Store for $0.99, the lowest non-free price allowed by Apple, providing a "reliable" income to Tigas which helped him move to New York for a new job while allowing him "the economic freedom to continue working on side projects that have a positive impact in the world." Tigas also writes that "there's now a Patreon page and other ways to support the project."

Last month the Tor Project also released the first alpha version of the sandboxed Tor Browser.
Security

Hamas 'Honey Trap' Dupes Israeli Soldiers (securityweek.com) 97

wiredmikey quotes Security Week: The smartphones of dozens of Israeli soldiers were hacked by Hamas militants pretending to be attractive young women online, an Israeli military official said Wednesday. Using fake profiles on Facebook with alluring photos, Hamas members contacted the soldiers via groups on the social network, luring them into long chats, the official told journalists on condition of anonymity.

Dozens of the predominantly lower-ranked soldiers were convinced enough by the honey trap to download fake applications which enabled Hamas to take control of their phones, according to the official.

Government

Petition With Over 1 Million Signatures Urges President Obama To Pardon Snowden (cnet.com) 268

An anonymous reader quotes a report from CNET: More than 1 million people signed onto a petition asking President Barack Obama to pardon Edward Snowden, proponents of the pardon said Friday. The campaign began in September, when Snowden, his attorney Ben Wizner from the ACLU, and other privacy activists announced they would formally petition Obama for a pardon. Snowden leaked classified NSA documents detailing surveillance programs run by the U.S. and its allies to journalists in 2013, kicking off a heated debate on whether Americans should be willing to sacrifice internet privacy to help the government protect the country from terrorist attacks. Obama and White House representatives have said repeatedly that Snowden must face the charges against him and that he'll be afforded a fair trial. In the U.S., a pardon is "an expression of the president's forgiveness and ordinarily is granted in recognition of the applicant's acceptance of responsibility for the crime and established good conduct for a significant period of time after conviction or completion of sentence," according to the Office of the Pardon Attorney. It does not signify innocence. Also on Friday, David Kaye urged Obama to consider a pardon for Snowden. Kaye, the special rapporteur to the United Nations Human Rights Council on the freedom of expression, said U.S. law doesn't allow Snowden to argue that his disclosures were made for the benefit of the public. The jury would merely be asked to decide whether Snowden stole government secrets and distributed them -- something Snowden himself concedes he did. In response to the petition, Edward Snowden tweeted: "Whether or not this President ends the war on whistleblowers, you've sent a message to history: I feared no one would care. I was wrong."
Cellphones

Faulty Phone Battery May Have Caused Fire That Brought Down EgyptAir Flight MS80 (ibtimes.co.uk) 138

New submitter drunkdrone writes: "French authorities investigating the EgyptAir crash that killed 66 people last year believe that the plane may have been brought down by an overheating phone battery," reports International Business Times. Investigators say the fire that broke out on the Airbus A320 in May 2016 started in the spot where the co-pilot had stowed his iPad and iPhone 6S, which he placed on top of the instrument panel in the plane's cockpit. From the report: "EgyptAir flight MS804 was traveling from Paris to Cairo when it disappeared from radar on 19 May 2016. Egyptian investigators have speculated that the crash, which killed all 56 passengers, seven crew members and three security personnel on board, was caused by an act of terrorism due to traces of explosives reported to be found on some the victims. Investigators in France have disputed these claims, saying that data recorded from the aircraft around the time it disappeared points to an accidental fire on the right-hand side of the flight deck, next to the co-pilot. According to The Times, CCTV pulled from cameras at Paris' Charles de Gualle airport show that the co-pilot stored a number of personal items above the dashboard, where the first signs of trouble were detected. This included an automated alert indicating a series of malfunctions on the right-hand flight deck window, followed by smoke alerts going off in a toilet and in the avionics area below the cockpit, minutes before the plane vanished."
Republicans

Trump's Cyber Security Advisor Rudy Giuliani Runs Ancient, Utterly Hackable Website (theregister.co.uk) 273

mask.of.sanity writes from a report via The Register: U.S. president-elect Donald Trump's freshly minted cyber tsar Rudy Giuliani runs a website so insecure that its content management system is five years out of date, unpatched and is utterly hackable. Giulianisecurity.com, the website for Giuliani's eponymous infosec consultancy firm, runs Joomla! version 3.0, released in 2012, and since found to carry 15 separate vulnerabilities. More bugs and poor secure controls abound. The Register report adds: "Some of those bugs can be potentially exploited by miscreants using basic SQL injection techniques to compromise the server. This seemingly insecure system also has a surprising number of network ports open -- from MySQL and anonymous LDAP to a very out-of-date OpenSSH 4.7 that was released in 2007. It also runs a rather old version of FreeBSD. 'You can probably break into Giuliani's server,' said Robert Graham of Errata Security. 'I know this because other FreeBSD servers in the same data center have already been broken into, tagged by hackers, or are now serving viruses. 'But that doesn't matter. There's nothing on Giuliani's server worth hacking.'"
Security

Security Experts Rebut The Guardian's Report That Claimed WhatsApp Has a Backdoor (gizmodo.com) 111

William Turton, writing for Gizmodo: This morning, the Guardian published a story with an alarming headline: "WhatsApp backdoor allows snooping on encrypted messages." If true, this would have massive implications for the security and privacy of WhatsApp's one-billion-plus users. Fortunately, there's no backdoor in WhatsApp, and according to Alec Muffett, an experienced security researcher who spoke to Gizmodo, the Guardian's story is a "major league fuckwittage." [...] Fredric Jacobs, who was the iOS developer at Open Whisper Systems, the collective that designed and maintains the Signal encryption protocol, and who most recently worked at Apple, said, "Nothing new. Of course, if you don't verify keys Signal/WhatsApp/... can man-in-the-middle your communications." "I characterize the threat posed by such reportage as being fear and uncertainty and doubt on an 'anti-vaccination' scale," Muffett, who previously worked on Facebook's engineering security infrastructure team, told Gizmodo. "It is not a bug, it is working as designed and someone is saying it's a 'flaw' and pretending it is earth shattering when in fact it is ignorable." The supposed "backdoor" the Guardian is describing is actually a feature working as intended, and it would require significant collaboration with Facebook to be able to snoop on and intercept someone's encrypted messages, something the company is extremely unlikely to do. "There's a feature in WhatsApp that -- when you swap phones, get a new phone, factory reset, whatever -- when you install WhatsApp freshly on the new phone and continue a conversation, the encryption keys get re-negotiated to accommodate the new phone," Muffett told Gizmodo. Other security experts and journalists have also criticized The Guardian's story.
Operating Systems

Consumer Reports Now Recommends MacBook Pros (macrumors.com) 164

Consumer Reports has updated their report on the 2016 MacBook Pros, and is now recommending Apple's latest notebooks. MacRumors reports: In the new test, conducted running a beta version of macOS that fixes the Safari-related bug that caused erratic battery life in the original test, all three MacBook Pro models "performed well." The 13-inch model without a Touch Bar had an average battery life of 18.75 hours, the 13-inch model with a Touch Bar lasted for 15.25 hours on average, and the 15-inch MacBook Pro with Touch Bar had an average battery life of 17.25 hours. "Now that we've factored in the new battery-life measurements, the laptops' overall scores have risen, and all three machines now fall well within the recommended range in Consumer Reports ratings," reports Consumer Reports. Consumer Reports originally denied the 2016 MacBook Pro a purchase recommendation in late December due to extreme battery life variance that didn't match up with Apple's 10 hour battery life claim. Apple worked with Consumer Reports to figure out why the magazine encountered battery life issues, which led to the discovery of an obscure Safari caching bug. Consumer Reports used a developer setting to turn off Safari caching, triggering an "obscure and intermittent bug reloading icons" that drained excessive battery. The bug, fixed by Apple in macOS Sierra 10.12.3 beta 3, is not one the average user will encounter as most people don't turn off the Safari caching option, but it's something done in all Consumer Reports tests to ensure uniform testing conditions. A fix for the issue will be available to the general public when macOS Sierra 10.12.3 is released, but users can get it now by signing up for Apple's beta testing program.
Privacy

Fingerprinting Methods Identify Users Across Different Browsers On the Same PC (bleepingcomputer.com) 88

An anonymous reader quotes a report from BleepingComputer: A team of researchers from universities across the U.S. has identified different fingerprinting techniques that can track users when they use different browsers installed on the same machine. Named "cross-browser fingerprinting" (CBF), this practice relies on new technologies added to web browsers in recent years, some of which had been previously considered unreliable for cross-browser tracking and only used for single browser fingerprinting. These new techniques rely on making browsers carry out operations that use the underlying hardware components to process the desired data. For example, making a browser apply an image to the side of a 3D cube in WebGL provides a similar response in hardware parameters for all browsers. This is because the GPU card is the one carrying out this operation and not the browser software. According to the three-man research team led by Assistant Professor Yinzhi Cao from the Computer Science and Engineering Department at Lehigh University, the following browser features could be (ab)used for cross-browser fingerprinting operations: [Screen Resolution, Number of CPU Virtual Cores, AudioContext, List of Fonts, Line, Curve, and Anti-Aliasing, Vertex Shader, Fragment Shader, Transparency via Alpha Channel, Installed Writing Scripts (Languages), Modeling and Multiple Models, Lighting and Shadow Mapping, Camera and Clipping Planes.] Researchers used all these techniques together to test how many users they would be able to pin to the same computer. For tests, researchers used browsers such as Chrome, Firefox, Edge, IE, Opera, Safari, Maxthon, UC Browser, and Coconut. Results showed that CBF techniques were able to correctly identify 99.24% of all test users. Previous research methods achieved only a 90.84% result.
EU

Europe Calls For Mandatory 'Kill Switches' On Robots (cnn.com) 172

To combat the robot revolution, the European Parliament's legal affairs committee has proposed that robots be equipped with emergency "kill switches" to prevent them from causing excessive damage. Legislators have also suggested that robots be insured and even be made to pay taxes. "A growing number of areas of our daily lives are increasingly affected by robotics," said Mady Delvaux, the parliamentarian who authored the proposal. "To ensure that robots are and will remain in the service of humans, we urgently need to create a robust European legal framework." CNNMoney reports: The proposal calls for a new charter on robotics that would give engineers guidance on how to design ethical and safe machines. For example, designers should include "kill switches" so that robots can be turned off in emergencies. They must also make sure that robots can be reprogrammed if their software doesn't work as designed. The proposal states that designers, producers and operators of robots should generally be governed by the "laws of robotics" described by science fiction writer Isaac Asimov. The proposal also says that robots should always be identifiable as mechanical creations. That will help prevent humans from developing emotional attachments. "You always have to tell people that robot is not a human and a robot will never be a human," said Delvaux. "You must never think that a robot is a human and that he loves you." The report cites the example of care robots, saying that people who are physically dependent on them could develop emotional attachments. The proposal calls for a compulsory insurance scheme -- similar to car insurance -- that would require producers and owners to take out insurance to cover the damage caused by their robots. The proposal explores whether sophisticated autonomous robots should be given the status of "electronic persons." This designation would apply in situations where robots make autonomous decisions or interact with humans independently. It would also saddle robots with certain rights and obligations -- for example, robots would be responsible for any damage they cause. If advanced robots start replacing human workers in large numbers, the report recommends the European Commission force their owners to pay taxes or contribute to social security.
Government

Obama Changed Rules Regarding Raw Intelligence, Allowing NSA To Share Raw Data With US's Other 16 Intelligence Agencies (schneier.com) 203

An anonymous reader quotes a report from Schneier on Security: President Obama has changed the rules regarding raw intelligence, allowing the NSA to share raw data with the U.S.'s other 16 intelligence agencies. The new rules significantly relax longstanding limits on what the N.S.A. may do with the information gathered by its most powerful surveillance operations, which are largely unregulated by American wiretapping laws. These include collecting satellite transmissions, phone calls and emails that cross network switches abroad, and messages between people abroad that cross domestic network switches. The change means that far more officials will be searching through raw data. Essentially, the government is reducing the risk that the N.S.A. will fail to recognize that a piece of information would be valuable to another agency, but increasing the risk that officials will see private information about innocent people. Here are the new procedures. This rule change has been in the works for a while. Here are two blog posts from April discussing the then-proposed changes.

Slashdot Top Deals