chicksdaddy writes in with a warning about a popular Wordpress plugin. "A security researcher is warning WordPress users that a popular plugin may leave sensitive information from their blog accessible from the public Internet with little more than a Google search. The researcher, Jason A. Donenfeld, who uses the handle 'zx2c4' posted a notice about the add-on, W3 Total Cache on the Full Disclosure security mailing list on Sunday, warning that many WordPress blogs that had added the plugin had directories of cached content that could be browsed by anyone with a web browser and the knowledge of where to look. The content of those directories could be downloaded, including directories containing sensitive data like password hashes, Donenfeld wrote. W3 Total Cache is described as a 'performance framework' that speeds up web sites that use the WordPress content management system by caching site content, speeding up page loads, downloads and the like. The plugin has been downloaded 1.39 million times and is used by sites including mashable.com and smashingmagazine.com, according to the WordPress web site."
DEAL: For $25 - Add A Second Phone Number To Your Smartphone for life! Use promo code SLASHDOT25. Also, Slashdot's now on IFTTT. Check it out! Check out the new SourceForge HTML5 Internet speed test! ×
sneakyimp writes "We've seen increasingly creative ways for bad guys to compromise your system like infected pen drives, computers preloaded with malware, mobile phone apps with malware, and a $300 app that can sniff out your encryption keys. On top of these obvious risks, there are lingering questions about the integrity of common operating systems and cloud computing services. Do Windows, OSX, and Linux have security holes? Does Windows supply a backdoor for the U.S. or other governments? Should you really trust your Linux multiverse repository? Do Google and Apple data mine your private mobile phone data for private information? Does Ubuntu's sharing of my data with Amazon compromise my privacy? Can the U.S. Government seize your cloud data without a warrant? Can McAfee or Kaspersky really be trusted? Naturally, the question arises of how to establish and maintain an ironclad workstation or laptop for the purpose of handling sensitive information or doing security research. DARPA has approached the problem by awarding a $21.4M contract to Invincea to create a secure version of Android. What should we do if we don't have $21.4M USD? Is it safe to buy a PC from any manufacturer? Is it even safe to buy individual computer components and assemble one's own machine? Or might the motherboard firmware be compromised? What steps can one take to ensure a truly secure computing environment? Is this even possible? Can anyone recommend a through checklist or suggest best practices?"
cstacy writes "Tatu Yionen, inventor of SSH, says he feels 'a moral responsibility' to come out of retirement and warn that a 'little-noticed problem' could jeopardize the security of much of the world's confidential data. He is referring to the management (or lack thereof) of SSH keys (i.e. 'authorized_keys') files. He suggests that most organizations simply allow the SSH key files to be created, copied, accumulated, and abandoned, all over their network, making easy pickings for intruders to gain access. Do you think this is a widespread problem? How does your company manage SSH keys?" cstacy's summary here is accurate, but as charlesTheLurker notes, the article is a bit over the top: "The Washington Times claims that there's a huge vulnerability in ssh. It turns out that some reporter there has discovered that you can do passwordless login with the software, and has spun this into a story of a dangerous vulnerability. Sigh."
wiredmikey writes "Iranian officials on Tuesday said a 'Stuxnet-like' cyberattack hit some industrial units in a southern province. 'A virus had penetrated some manufacturing industries in Hormuzgan province, but its progress was halted,' Ali Akbar Akhavan said, quoted by the ISNA news agency. Akhavan said the malware was 'Stuxnet-like' but did not elaborate, and that the attack had occurred over the 'past few months.' One of the targets of the latest attack was the Bandar Abbas Tavanir Co, which oversees electricity production and distribution in Hormuzgan and adjacent provinces. He also accused 'enemies' of constantly seeking to disrupt operations at Iran's industrial units through cyberattacks, without specifying how much damage had been caused. Iran has blamed the U.S. and Israel for cyberattacks in the past. In April, it said a voracious malware attack had hit computers running key parts of its oil sector and succeeded in wiping data off official servers."
badger.foo writes "When you're hit with a DDOS, what do you do? In his most recent column, Peter Hansteen narrates a recent incident that involved a DNS based DDOS against his infrastructure and that of some old friends of his. He ends up asking: should we actively publish or 'name and shame' DDOS participants (or at least their IP addresses)? How about scans that may or may not be preparations for DDOSes to come?"
hypnosec writes "BLAKE2 has been recently announced as a new alternative to the existing cryptographic hash algorithms MD5 and SHA-2/3. With applicability in cloud storage, software distribution, host-based intrusion detection, digital forensics and revision control tools, BLAKE2 performs a lot faster than the MD5 algorithm on Intel 32- and 64-bit systems. The developers of BLAKE2 insist that even though the algorithm is faster, there are no loose ends when it comes to security. BLAKE2 is an optimized version of the then SHA-3 finalist BLAKE."
jones_supa writes "Steam users worldwide are getting more than they expected this Christmas, courtesy of Valve. Increasingly annoyed reports are piling up on a Steam Community thread about an ominous 'No Connection' error. Depending on your luck, this means you can either start the client in offline mode and play only single-player games with anything related to the Steamworks cloud features disabled, or you cannot start Steam at all and consequently access anything in your library. However, store related functionality seems unaffected, in case this blunder made you feel like purchasing some more games you may or may not be able to play these holidays." Update: 12/25 17:45 GMT by T : The connection problems were fixed; did you hit the loading errors before they were resolved?
An anonymous reader writes "In fifth grade, I amazed my fellow classmates when I demonstrated what 132 words per minute looked like. Recently, an acquaintance of mine saw me typing out a word document for graduate school and was impressed by my typing abilities. He suggested that I seriously contemplate attempting a Guinness World Record with such abilities. At the moment, I can manage an average of about 155-160 words per minute, with bursts around 180-185 words per minute (in the typing world, five characters defines a word, in case you were wondering). That aside, I have a few questions to pose to Slashdot readers (whom I am sure have been typing much longer than I have): What are some tips to fully maximize one's ability to type at the fastest possible rate? Do you have any specific keyboard recommendations that will improve my speed? Has anybody here ever competed in a typing event or thought about going for the world record? Is it worth learning Dvorak for the sole purpose of attempting such a record? How difficult would it be to improve my typing abilities from where they are now to where they need to be to acquire such a record?"
An anonymous reader writes "Google on Friday announced that it is changing its stance for silently installing extensions in its browser. As of Chrome 25, external extension deployment options on Windows will be disabled by default and all extensions previously installed using them will be automatically disabled."
An anonymous reader writes "Last month, Mozilla Engineering Manager Benjamin Smedberg quietly announced that the 64-bit version of Firefox for Windows would never see the light of day. After what he referred to as 'significant negative feedback,' Smedberg has announced he has reviewed that feedback, consulted with his release engineering team, and has decided on a modification to the original plan: Firefox 64-bit for Windows may still never be released, but nightly builds will live another day."
coondoggie writes "What if your wireless communications just absolutely, positively have to be heard above the din of other users or in the face of massive interference? That is the question at the heart of a new $150,000 challenge that will be thrown down in January by the scientists at DARPA as the agency detailed its Spectrum Challenge — a competition that aims to find developers who can create software-defined radio protocols that best use communication channels in the presence of other users and interfering signals."
Hugh Pickens writes "Michael Wilson writes in the NY Times that top intelligence officials in the New York Police Department are looking for ways to target 'apolitical or deranged killers before they become active shooters' using techniques similar to those being used to spot terrorists' chatter online. The techniques would include 'cyber-searches of language that mass-casualty shooters have used in e-mails and Internet postings,' says Police Commissioner Raymond W. Kelly. 'The goal would be to identify the shooter in cyberspace, engage him there and intervene, possibly using an undercover to get close, and take him into custody or otherwise disrupt his plans.' There are also plans to send officers to Newtown and to scenes of other mass shootings to collect information says the department's chief spokesman Paul. J. Browne adding that potential tactics include creating an algorithm that would search online 'for terms used by active shooters in the past that may be an indicator of future intentions.' The NYPD's counter-terrorism division released a report last year, 'Active Shooter (PDF),' after studying 202 mass shooting incidents. 'So, we think this is another logical step,' says Kelly."
The Enlightenment front page bears this small announcement: "E17 release HAS HAPPENED!" The release announcement is remarkably spartan — it's mostly a tribute to the dozens of contributors who have worked on the software itself and on translating it into many languages besides system-default English. On the other hand, if you've been waiting since December 2000 for E17 (also known as Enlightenment 0.17), you probably have some idea that Enlightenment is a window manager (or possibly a desktop environment: the developers try to defuse any dispute on that front, but suffice it to say that you can think of it either way), and that the coders are more interested in putting out the software that they consider sufficiently done than in incrementing release numbers. That means they've made some side trips along the way, Knuth-like, to do things like create an entire set of underlying portable libraries. The release candidate changelog of a few days ago gives an idea of the very latest changes, but this overview shows and tells what to expect in E17. If you're among those disappointed in the way some desktop environments have tended toward simplicity at the expense of flexibility, you can be sure that Enlightenment runs the other way: "We don't go quietly into the night and remove options when no one is looking. None of those new big version releases with fanfare and "Hey look! Now with half the options you used to have!". We sneak in when you least expect it and plant a whole forest of new option seeds, watching them spring to life. We nail new options to walls on a regular basis. We bake options-cakes and hand them out at parties. Options are good. Options are awesome. We have lots of them. Spend some quality time getting to know your new garden of options in E17. It may just finally give you the control you have been pining for."
First time accepted submitter Funksaw writes "Back in 2007, I wrote three articles on Ubuntu 6, Mac OS X 10.4, and Windows Vista, which were all featured on Slashdot. Now, with the release of Windows 8, I took a different tactic and produced an animated video. Those expecting me to bust out the performance tests and in-depth use of the OS are going to be disappointed. While that was my intention coming into the project, I couldn't even use Windows 8 long enough to get to the in-depth technical tests. In my opinion, Windows 8 is so horribly broken that it should be recalled."
An anonymous reader writes "Russian firm ElcomSoft on Thursday announced the release of Elcomsoft Forensic Disk Decryptor (EFDD), a new forensic tool that can reportedly access information stored in disks and volumes encrypted with desktop and portable versions of BitLocker, PGP, and TrueCrypt. EFDD runs on all 32-bit and 64-bit editions of Windows XP, Windows Vista, and Windows 7, as well as Windows 2003 and Windows Server 2008." All that for $300.