Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. Also, Slashdot's Facebook page has a chat bot now. Message it for stories and more. ×
Crime

Man Gets 30 Days In Jail For Drone Crash That Knocked Woman Unconscious (arstechnica.com) 59

An anonymous reader quotes a report from Ars Technica: The operator of a drone that knocked a woman unconscious was sentenced Friday to 30 days in jail, Seattle prosecutors said. The woman was attending a local parade when the drone crashed and struck her. Paul Skinner, a 38-year-old man from Washington state, was charged with reckless endangerment in connection to the 2015 incident, in which an 18-inch-by-18-inch drone collided into a building before falling into a crowd. The authorities said the 2-pound drone struck the 25-year-old in the head and gave her a concussion. Her boyfriend caught her before she fell to the ground. Another man suffered a minor bruise. The accident took place during during the city's Pride Parade. Skinner, who had turned himself in, plans to appeal the sentence. His attorney, Jeffrey Kradel, said the punishment was "too severe." His client remains free pending the appeal's outcome. A misdemeanor reckless endangerment charge -- one that poses "substantial risk of death or serious bodily injury to another person" -- carries a penalty of up to a year in jail.
Canada

Canada's Top Mountie Issues Blistering Memo On IT Failures (www.cbc.ca) 108

Reader Freshly Exhumed writes: RCMP Commissioner Bob Paulson has levelled a blistering memo obtained by the CBC on how critical IT failures have increased by 129 per cent since Shared Services Canada took over tech support for the entire government five years ago. Not only that, the memo says, the duration of each outage has increased by 98 per cent. "Its 'one size fits all' IT shared services model has negatively impacted police operations, public and officer safety and the integrity of the criminal justice system," reads the memo. A list of specific incidents includes an 11-hour network computer outage on Jan. 18 that downed every Mountie's BlackBerry, affected dispatching, and prevented the RCMP and 240 other police forces from accessing the Canadian Police Information Centre database.
Google

Is Google's Comment Filtering Tool 'Vanishing' Legitimate Comments? (vortex.com) 97

Slashdot reader Lauren Weinstein writes: Google has announced (with considerable fanfare) public access to their new "Perspective" comment filtering system API, which uses Google's machine learning/AI system to determine which comments on a site shouldn't be displayed due to perceived high spam/toxicity scores. It's a fascinating effort. And if you run a website that supports comments, I urge you not to put this Google service into production, at least for now.

The bottom line is that I view Google's spam detection systems as currently too prone to false positives -- thereby enabling a form of algorithm-driven "censorship" (for lack of a better word in this specific context) -- especially by "lazy" sites that might accept Google's determinations of comment scoring as gospel... as someone who deals with significant numbers of comments filtered by Google every day -- I have nearly 400K followers on Google Plus -- I can tell you with considerable confidence that the problem isn't "spam" comments that are being missed, it's completely legitimate non-spam, non-toxic comments that are inappropriately marked as spam and hidden by Google.

Lauren is also collecting noteworthy experiences for a white paper about "the perceived overall state of Google (and its parent corporation Alphabet, Inc.)" to better understand how internet companies are now impacting our lives in unanticipated ways. He's inviting people to share their recent experiences with "specific Google services (including everything from Search to Gmail to YouTube and beyond), accounts, privacy, security, interactions, legal or copyright issues -- essentially anything positive, negative, or neutral that you are free to impart to me, that you believe might be of interest."
Bug

Google Discloses Yet Another New Unpatched Microsoft Vulnerability In Edge/IE (bleepingcomputer.com) 71

An anonymous reader quotes BleepingComputer: Google has gone public with details of a second unpatched vulnerability in Microsoft products, this time in Edge and Internet Explorer, after last week they've published details about a bug in the Windows GDI (Graphics Device Interface) component... The bug, discovered by Google Project Zero researcher Ivan Fratric, is tracked by the CVE-2017-0037 identifier and is a type confusion, a kind of security flaw that can allow an attacker to execute code on the affected machine, and take over a device.

Details about CVE-2017-0037 are available in Google's bug report, along with proof-of-concept code. The PoC code causes a crash of the exploited browser, but depending on the attacker's skill level, more dangerous exploits could be built... Besides the Edge and IE bug, Microsoft products are also plagued by two other severe security flaws, one affecting the Windows GDI component and one the SMB file sharing protocol shipped with all Windows OS versions...

Google's team notified Microsoft of the bug 90 days ago, only disclosing it publicly on Friday.
Security

Apache Subversion Fails SHA-1 Collision Test, Exploit Moves Into The Wild (arstechnica.com) 159

WebKit's bug-tracker now includes a comment from Friday noting "the bots all are red" on their git-svn mirror site, reporting an error message about a checksum mismatch for shattered-2.pdf. "In some cases, due to the corruption, further commits are blocked," reports the official "Shattered" web site. Slashdot reader Artem Tashkinov explains its significance: A WebKit developer who tried to upload "bad" PDF files generated from the first successful SHA-1 attack broke WebKit's SVN repository because Subversion uses SHA-1 hash to differentiate commits. The reason to upload the files was to create a test for checking cache poisoning in WebKit.

Another news story is that based on the theoretical incomplete description of the SHA-1 collision attack published by Google just two days ago, people have managed to recreate the attack in practice and now you can download a Python script which can create a new PDF file with the same SHA-1 hashsum using your input PDF. The attack is also implemented as a website which can prepare two PDF files with different JPEG images which will result in the same hash sum.

Microsoft

94% of Microsoft Vulnerabilities Can Be Mitigated By Turning Off Admin Rights (computerworld.com) 228

An anonymous reader quotes Computerworld: If you want to shut out the overwhelming majority of vulnerabilities in Microsoft products, turn off admin rights on the PC. That's the conclusion from global endpoint security firm Avecto, which has issued its annual Microsoft Vulnerabilities report. It found that there were 530 Microsoft vulnerabilities reported in 2016, and of these critical vulnerabilities, 94% were found to be mitigated by removing admin rights, up from 85% reported last year. This is especially true with the browser, for those who still use Microsoft's browsers. 100% of vulnerabilities impacting both Internet Explorer and Edge could be mitigated by removing admin rights, Avecto reported... Windows 10 was found to have the highest proportion of vulnerabilities of any OS (395), 46% more than Windows 8 and Windows 8.1 (265 each). Avecto found that 93% of Windows 10 vulnerabilities could be mitigated by removing admin rights.
Of course, the stats are based on vulnerabilities announced in Microsoft Security Bulletins, but there's an overwhelming pattern. Turning off admin rights mitigated the vast majority of vulnerabilities, whether it was Windows Server (90%) or older versions of Microsoft Office (99%). And turning off admin rights in Office 2016 mitigated 100% of its vulnerabilities.
Botnet

UK Police Arrest Suspect Behind Mirai Malware Attacks On Deutsche Telekom (bleepingcomputer.com) 26

An anonymous reader writes: "German police announced Thursday that fellow UK police officers have arrested a suspect behind a serious cyber-attack that crippled German ISP Deutsche Telekom at the end of November 2016," according to BleepingComputer. "The attack in question caused over 900,000 routers of various makes and models to go offline after a mysterious attacker attempted to hijack the devices through a series of vulnerabilities..." The attacks were later linked to a cybercrime groups operating a botnet powered by the Mirai malware, known as Botnet #14, which was also available for hire online for on-demand DDoS attacks.

"According to a statement obtained by Bleeping Computer from Bundeskriminalamt (the German Federal Criminal Police Office), officers from UK's National Crime Agency (NCA) arrested a 29-year-old suspect at a London airport... German authorities are now in the process of requesting the unnamed suspect's extradition, so he can stand trial in Germany. Bestbuy, the name of the hacker that took credit for the attacks, has been unreachable for days."

Security

Ask Slashdot: How Are You Responding To Cloudbleed? (reuters.com) 81

An anonymous IT geek writes: Cloudflare-hosted web sites have been leaking data as far back as September, according to Gizmodo, which reports that at least Cloudflare "acted fast" when the leak was discovered, closing the hole within 44 minutes, and working with search engines to purge their caches. (Though apparently some of it is still lingering...) Cloudflare CEO Matthew Prince "claims that there was no detectable uptick in requests to Cloudflare-powered websites from September of last year...until today. That means the company is fairly confident hackers didn't discover the vulnerability before Google's researchers did."

And the company's CTO also told Reuters that "We've seen absolutely no evidence that this has been exploited. It's very unlikely that someone has got this information... We do not know of anybody who has had a security problem as a result of this." Nevertheless, Fortune warns that "So many sites were vulnerable that it doesn't make sense to review the list and change passwords on a case-by-case basis." Some sites are now even resetting every user's password as a precaution, while site operators "are also being advised to wipe their sites' cookies and security certificates, and perform their own web searches to see if site data leaked." But I'd like to know what security precautions are being taken by Slashdot's readers?

Leave your own answers in the comments. How did you respond to Cloudbleed?
Open Source

Linus Torvalds On Git's Use Of SHA-1: 'The Sky Isn't Falling' (zdnet.com) 197

Google's researchers specifically cited Git when they announced a new SHA-1 attack vector, according to ZDNet. "The researchers highlight that Linus Torvald's code version-control system Git 'strongly relies on SHA-1' for checking the integrity of file objects and commits. It is essentially possible to create two Git repositories with the same head commit hash and different contents, say, a benign source code and a backdoored one,' they note." Saturday morning, Linus responded: First off - the sky isn't falling. There's a big difference between using a cryptographic hash for things like security signing, and using one for generating a "content identifier" for a content-addressable system like git. Secondly, the nature of this particular SHA1 attack means that it's actually pretty easy to mitigate against, and there's already been two sets of patches posted for that mitigation. And finally, there's actually a reasonably straightforward transition to some other hash that won't break the world - or even old git repositories...

The reason for using a cryptographic hash in a project like git is because it pretty much guarantees that there is no accidental clashes, and it's also a really really good error detection thing. Think of it like "parity on steroids": it's not able to correct for errors, but it's really really good at detecting corrupt data... if you use git for source control like in the kernel, the stuff you really care about is source code, which is very much a transparent medium. If somebody inserts random odd generated crud in the middle of your source code, you will absolutely notice... It's not silently switching your data under from you... And finally, the "yes, git will eventually transition away from SHA1". There's a plan, it doesn't look all that nasty, and you don't even have to convert your repository. There's a lot of details to this, and it will take time, but because of the issues above, it's not like this is a critical "it has to happen now thing".

In addition, ZDNet reports, "Torvalds said on a mailing list yesterday that he's not concerned since 'Git doesn't actually just hash the data, it does prepend a type/length field to it', making it harder to attack than a PDF... Do we want to migrate to another hash? Yes. Is it game over for SHA-1 like people want to say? Probably not."
Bug

Severe IE 11 Bug Allows 'Persistent JavaScript' Attacks (bleepingcomputer.com) 90

An anonymous reader writes: New research published today shows how a malicious website owner could show a constant stream of popups, even after the user has left his site, or even worse, execute any kind of persistent JavaScript code while the user is on other domains. In an interview, the researcher who found these flaws explains that this flaw is an attacker's dream, as it could be used for: ad fraud (by continuing to load ads even when the user is navigating other sites), zero-day attacks (by downloading exploit code even after the user has left the page), tech support scams (by showing errors and popups on legitimate and reputable sites), and malvertising (by redirecting users later on, from other sites, even if they leave the malicious site too quickly).

This severe flaw in the browser security model affects only Internet Explorer 11, which unfortunately is the second most used browser version, after Chrome 55, with a market share of over 10%. Even worse for IE11 users, there's no fix available for this issue because the researcher has decided to stop reporting bugs to Microsoft after they've ignored many of his previous reports. For IE11 users, a demo page is available here.

Social Networks

Are Your Slack Conversations Really Private and Secure? (fastcompany.com) 66

An anonymous reader writes: "Chats that seem to be more ephemeral than email are still being recorded on a server somewhere," reports Fast Company, noting that Slack's Data Request Policy says the company will turn over data from customers when "it is compelled by law to do so or is subject to a valid and binding order of a governmental or regulatory body...or in cases of emergency to avoid death or physical harm to individuals." Slack will notify customers before disclosure "unless Slack is prohibited from doing so," or if the data is associated with "illegal conduct or risk of harm to people or property."

The article also warns that like HipChat and Campfire, Slack "is encrypted only at rest and in transit," though a Slack spokesperson says they "may evaluate" end-to-end encryption at some point in the future. Slack has no plans to offer local hosting of Slack data, but if employers pay for a Plus Plan, they're able to access private conversations.

Though Slack has 4 million users, the article points out that there's other alternatives like Semaphor and open source choices like Wickr and Mattermost. I'd be curious to hear what Slashdot readers are using at their own workplaces -- and how they feel about the privacy and security of Slack?
Security

Java and Python FTP Attacks Can Punch Holes Through Firewalls (csoonline.com) 18

"The Java and Python runtimes fail to properly validate FTP URLs, which can potentially allow attackers to punch holes through firewalls to access local networks," reports CSO Online. itwbennett writes: Last weekend security researcher Alexander Klink disclosed an interesting attack where exploiting an XML External Entity vulnerability in a Java application can be used to send emails. At the same time, he showed that this type of vulnerability can be used to trick the Java runtime to initiate FTP connections to remote servers. After seeing Klink's exploit, Timothy Morgan, a researcher with Blindspot Security, decided to disclose a similar attack that works against both Java's and Python's FTP implementations. "But his attack is more serious because it can be used to punch holes through firewalls," writes Lucian Constantin in CSO Online.
"The Java and Python developers have been notified of this problem, but until they fix their FTP client implementations, the researcher advises firewall vendors to disable classic mode FTP translation by default..." reports CSO Online. "It turns out that the built-in implementation of the FTP client in Java doesn't filter out special carriage return and line feed characters from URLs and actually interprets them. By inserting such characters in the user or password portions of an FTP URL, the Java FTP client can be tricked to execute rogue commands..."
Botnet

World's Largest Spam Botnet Adds DDoS Feature (bleepingcomputer.com) 26

An anonymous reader writes from a report via BleepingComputer: Necurs, the world's largest spam botnet with nearly five million infected bots, of which one million are active each day, has added a new module that can be used for launching DDoS attacks. The sheer size of the Necurs botnet, even in its worst days, dwarfs all of today's IoT botnets. The largest IoT botnet ever observed was Mirai Botnet #14 that managed to rack up around 400,000 bots towards the end of 2016 (albeit the owner of that botnet has now been arrested). If this new feature were to ever be used, a Necurs DDoS attack would easily break every DDoS record there is. Fortunately, no such attack has been seen until now. Until now, the Necurs botnet has been seen spreading the Dridex banking trojan and the Locky ransomware. According to industry experts, there's a low chance we'd see the Necurs botnet engage in DDoS attacks because the criminal group behind the botnet is already making too much money to risk exposing their full infrastructure in DDoS attacks.
Government

FCC To Halt Rule That Protects Your Private Data From Security Breaches (arstechnica.com) 119

According to Ars Technica, "The Federal Communications Commission plans to halt implementation of a privacy rule that requires ISPs to protect the security of its customers' personal information." From the report: The data security rule is part of a broader privacy rulemaking implemented under former Chairman Tom Wheeler but opposed by the FCC's new Republican majority. The privacy order's data security obligations are scheduled to take effect on March 2, but Chairman Ajit Pai wants to prevent that from happening. The data security rule requires ISPs and phone companies to take "reasonable" steps to protect customers' information -- such as Social Security numbers, financial and health information, and Web browsing data -- from theft and data breaches. The rule would be blocked even if a majority of commissioners supported keeping them in place, because the FCC's Wireline Competition Bureau can make the decision on its own. That "full commission vote on the pending petitions" could wipe out the entire privacy rulemaking, not just the data security section, in response to petitions filed by trade groups representing ISPs. That vote has not yet been scheduled. The most well-known portion of the privacy order requires ISPs to get opt-in consent from consumers before sharing Web browsing data and other private information with advertisers and other third parties. The opt-in rule is supposed to take effect December 4, 2017, unless the FCC or Congress eliminates it before then. Pai has said that ISPs shouldn't face stricter rules than online providers like Google and Facebook, which are regulated separately by the Federal Trade Commission. Pai wants a "technology-neutral privacy framework for the online world" based on the FTC's standards. According to today's FCC statement, the data security rule "is not consistent with the FTC's privacy standards."
Government

Security Lapse Exposed New York Airport's Critical Servers For a Year (zdnet.com) 45

An anonymous reader quotes a report from ZDNet: A security lapse at a New York international airport left its server backups exposed on the open internet for almost a year, ZDNet has found. The internet-connected storage drive contained several backup images of servers used by Stewart International Airport, but neither the backup drive nor the disk images were password protected, allowing anyone to access their contents. Since April last year, the airport had been inadvertently leaking its own highly-sensitive files as a result of the drive's misconfiguration. Vickery, who also posted an analysis of his findings, said the drive "was, in essence, acting as a public web server" because the airport was backing up unprotected copies of its systems to a Buffalo-branded drive, installed by a contract third-party IT specialist. When contacted Thursday, the contractor dismissed the claims and would not comment further. Though the listing still appears on Shodan, the search engine for unprotected devices and databases, the drive has since been secured. The files contained eleven disk images, accounting for hundreds of gigabytes of files and folders, which when mounted included dozens of airport staff email accounts, sensitive human resources files, interoffice memos, payroll data, and what appears to be a large financial tracking database. Many of the files we reviewed include "confidential" internal airport documents, which contain schematics and details of other core infrastructure.

Slashdot Top Deals