Software

uTorrent Quietly Installs Cryptocurrency Miner

Posted by Soulskill
from the your-cpu-is-our-cpu dept.
New submitter Eloking sends news that uTorrent, a popular BitTorrent client, is silently installing cryptocurrency mining software for many users. [uTorrent] brings in revenue through in-app advertising and also presents users with "offers" to try out third-party software when installed or updated. These offers are usually not placed on users' machines without consent, but this week many users began complaining about a "rogue" offer being silently installed. The complaints mention the Epic Scale tool, a piece of software that generates revenue through cryptocurrency mining. To do so, it uses the host computer's CPU cycles. ... The sudden increase in complaints over the past two days suggests that something went wrong with the install and update process. Several users specifically say that they were vigilant, but instead of a popup asking for permission, the Epic Scale offer was added silently.
Security

Anthem Blocking Federal Auditor From Doing Vulnerability Scans

Posted by samzenpus
from the suspicious-behavior dept.
chicksdaddy writes: Anthem Inc., the Indiana-based health insurer, has informed a federal auditor, the Office of Personnel Management, that it will not permit vulnerability scans of its network — even after acknowledging that it was the victim of a massive breach that leaked data on tens of millions of patients. According to this article, Anthem is citing "company policy" that prohibits third-party access to its network in declining to let auditors from OPM's Office of the Inspector General (OIG) conduct scans for vulnerable systems. OPM's OIG performs a variety of audits on health insurers that provide health plans to federal employees under the Federal Employee Health Benefits Program, or FEHBP. Insurers aren't mandated to comply — though most do. This isn't Anthem's first time saying "no thanks" to the offer of a network vulnerability scan. The company also declined to let OIG scan its network in 2013. A partial audit report issued at the time warned that the company, then known as WellPoint, "provided us with conflicting statements" on issues related to information security, including WellPoint's practices regarding regular configuration audits and its plans to shift to IBM's Tivoli Endpoint Manager (TEM) platform.
Cloud

Red Hat Strips Down For Docker

Posted by timothy
from the wearing-or-not-wearing-dockers dept.
angry tapir writes: Reacting to the surging popularity of the Docker virtualization technology, Red Hat has customized a version of its Linux distribution to run Docker containers. The Red Hat Enterprise Linux 7 Atomic Host strips away all the utilities residing in the stock distribution of Red Hat Enterprise Linux (RHEL) that aren't needed to run Docker containers. Removing unneeded components saves on storage space, and reduces the time needed for updating and booting up. It also provides fewer potential entry points for attackers. (Product page is here.)
Canada

CRTC Issues $1.1 Million Penalty To Compu-Finder For Spamming Canadians

Posted by timothy
from the buncha-loonies dept.
zentigger writes: Canadians rejoice! It looks like the new anti-spam regulations might actually have some teeth! Today, the CRTC issued a $1.1 million fine to Compu-Finder for violating Canada's anti-spam legislation by sending commercial emails without consent, as well as messages in which the unsubscribe mechanisms did not function properly. Furthermore, an analysis of the complaints made to the Spam Reporting Centre about this industry sector shows that Compu-Finder accounts for 26% of all complaints submitted.
Intel

Intel Reveals Unlocked, Socketed Broadwell and Core i7 NUC With Iris Graphics

Posted by timothy
from the faster-all-the-time dept.
MojoKid writes: Intel held an event at a location adjacent to GDC last night, where the company discussed some updates to its 5th Gen Core processor line-up, Intel graphics developments, the Intel Hardware SDK, and its various game developer tools. Chris Silva, Director of Marketing for the Premium Notebook and Client Graphics teams, disclosed a few details: a socketed, unlocked, 65W desktop processor based on Intel's Broadwell architecture, featuring Iris graphics, is due to arrive sometime in mid-2015. It's noteworthy because this will be Intel's first desktop CPU with Iris Pro graphics and because it is multiplier unlocked. It will be interesting to see what Iris Pro can do with some overclocking. Intel then showed off a new NUC mini PC powered by a 28W, quad-core Core i7 Broadwell processor, which also featured Iris graphics. The device has a tiny 0.63 liter enclosure with support for high-performance M.2 solid state drives and features an array of built-in IO options, like USB3, BT4, and 802.11ac WiFi. Bryan Langley, Principal PM for Windows Graphics, also talked a bit about DirectX 12, disclosing that the company would be ready with DX12 support when Windows 10 arrives and that there are optimizations in DX12 and their drivers that would deliver performance enhancements to current and future Intel graphics platforms.
Canada

Quebecker Faces Jail For Not Giving Up Phone Password To Canadian Officials

Posted by timothy
from the looking-for-banned-books-and-hockey-scores dept.
wired_parrot writes: Canadian customs officials have charged a 38-year-old man with obstruction of justice after he refused to give up his BlackBerry phone password [on arrival in Canada by plane from the Dominican Republic]. As this is a question that has not yet been litigated in Canadian courts, it may establish a legal precedent for future cases. From the article: [Law professor Rob] Currie says the issue of whether a traveller must reveal a password to an electronic device at the border hasn't been tested by a court. "This is a question that has not been litigated in Canada, whether they can actually demand you to hand over your password to allow them to unlock the device," he said. "One thing for them to inspect it, another thing for them to compel you to help them."
Chrome

Firefox 37 To Check Security Certificates Via Blocklist

Posted by timothy
from the making-a-list-pushing-it-multiple-times dept.
An anonymous reader writes: The next version of Firefox will roll out a 'pushed' blocklist of revoked intermediate security certificates, in an effort to avoid using 'live' Online Certificate Status Protocol (OCSP) checks. The 'OneCRL' feature is similar to Google Chrome's CRLSet, but like that older offering, is limited to intermediate certificates, due to size restrictions in the browser. OneCRL will permit non-live verification on EV certificates, trading off currency for speed. Chrome pushes its trawled list of CA revocations every few hours, and Firefox seems set to follow that method and frequency. Both Firefox and Chrome developers admit that OCSP stapling would be the better solution, but it is currently only supported in 9% of TLS certificates.
Government

New Zealand Spied On Nearly Two Dozen Pacific Countries

Posted by samzenpus
from the keep-your-eyes-on-your-own-paper dept.
An anonymous reader writes: New documents from Edward Snowden indicate New Zealand undertook "full take" interception of communications from Pacific nations and forwarded the data to the NSA. The data, collected by New Zealand's Government Communications Security Bureau, was then fed into the NSA's XKeyscore search engine to allow analysts to trawl for intelligence. The New Zealand link helped flesh out the NSA's ambitions to intercept communications globally.
Businesses

Demand For Linux Skills Rising This Year

Posted by samzenpus
from the popular-kids dept.
Nerval's Lobster writes: This year is shaping up as a really good one for Linux, at least on the jobs front. According to a new report (PDF) from The Linux Foundation and Dice, nearly all surveyed hiring managers want to recruit Linux professionals within the next six months, with 44 percent of them indicating they're more likely to hire a candidate with Linux certification than one without. Forty-two percent of hiring managers say that experience in OpenStack and CloudStack will have a major impact on their hiring decisions, while 23 percent report security is a sought-after area of expertise and 19 percent are looking for Linux-skilled people with Software-Defined Networking skills. Ninety-seven percent of hiring managers report they will bring on Linux talent relative to other skills areas in the next six months.
Transportation

US Air Traffic Control System Is Riddled With Vulnerabilities

Posted by Soulskill
from the things-you-shouldn't-read-before-your-flight-today dept.
An anonymous reader writes: A recently released report (PDF) by the U.S. Government Accountability Office has revealed that despite some improvements, the Federal Aviation Administration (FAA) still needs to quash significant security control weaknesses that threaten the agency's ability to ensure the safe and uninterrupted operation of the national airspace system (NAS). The report found that while the "FAA established policies and procedures for controlling access to NAS systems and for configuring its systems securely, and it implemented firewalls and other boundary protection controls to protect the operational NAS environment [...] a significant number of weaknesses remain in the technical controls—including access controls, change controls, and patch management—that protect the confidentiality, integrity, and availability of its air traffic control systems."
Communications

The Mexican Drug Cartels' Involuntary IT Guy

Posted by Soulskill
from the undesirable-career-paths dept.
sarahnaomi writes: It could have been any other morning. Felipe del Jesús Pérez García got dressed, said goodbye to his wife and kids, and drove off to work. It would be a two-hour commute from their home in Monterrey, in northeastern Mexico's Nuevo León state, to Reynosa, in neighboring Tamaulipas state, where Felipe, an architect, would scout possible installation sites for cell phone towers for a telecommunications company before returning that evening. That was the last time anyone saw him.

What happened to Felipe García? One theory suggests he was abducted by a sophisticated organized crime syndicate, and then forced into a hacker brigade that builds and services the cartel's hidden, backcountry communications infrastructure. They're the Geek Squads to some of the biggest mafia-style organizations in the world.
Privacy

Schneier: Either Everyone Is Cyber-secure Or No One Is

Posted by Soulskill
from the nobody's-safe-except-the-amish dept.
Presto Vivace sends a new essay from Bruce Schneier called "The Democratization of Cyberattack." Quoting: When I was working with the Guardian on the Snowden documents, the one top-secret program the NSA desperately did not want us to expose was QUANTUM. This is the NSA's program for what is called packet injection -- basically, a technology that allows the agency to hack into computers. Turns out, though, that the NSA was not alone in its use of this technology. The Chinese government uses packet injection to attack computers. The cyberweapons manufacturer Hacking Team sells packet injection technology to any government willing to pay for it. Criminals use it. And there are hacker tools that give the capability to individuals as well. ... We can't choose a world where the U.S. gets to spy but China doesn't, or even a world where governments get to spy and criminals don't. We need to choose, as a matter of policy, communications systems that are secure for all users, or ones that are vulnerable to all attackers. It's security or surveillance.
Encryption

FREAK Attack Threatens SSL Clients

Posted by Soulskill
from the another-day-another-vuln dept.
msm1267 writes: For the nth time in the last couple of years, security experts are warning about a new Internet-scale vulnerability, this time in some popular SSL clients. The flaw allows an attacker to force clients to downgrade to weakened ciphers and break their supposedly encrypted communications through a man-in-the-middle attack. Researchers recently discovered that some SSL clients, including OpenSSL, will accept weak RSA keys (known as export-grade keys) without asking for those keys. Export-grade refers to 512-bit RSA keys, the key strength that was approved by the United States government for export overseas. This was an artifact from decades ago, and it was thought that most servers and clients had long ago abandoned such weak ciphers. The vulnerability affects a variety of clients, most notably Apple's Safari browser.
Wireless Networking

Flaw In GoPro Update Mechanism Reveals Users' Wi-Fi Passwords

Posted by timothy
from the oopsie dept.
An anonymous reader writes: A vulnerability in the update mechanism for the wireless networks operated by GoPro cameras has allowed a security researcher to easily harvest over 1,000 login credentials (including his own). The popular rugged, wearable cameras can be controlled via an app, but in order to do so the user has to connect to the camera's Wi-Fi network. Israel-based infosec expert Ilya Chernyakov discovered the flaw when he had to access the network of a friend's camera, but the friend had forgotten the login credentials.
GUI

Why We Should Stop Hiding File-Name Extensions

Posted by timothy
from the text-rules dept.
An anonymous reader writes: Fourteen years after the Anna Kournikova virus took advantage of users' ignorance about file-name extensions in order to wreak worldwide havoc, virus writers and hackers are still taking advantage of the tendency of popular consumer operating systems to hide file-name extensions: Windows users still need to activate extension visibility manually – even though email-transmitted viruses depend most on less savvy users who will never do this. Additionally, applications on even the latest versions of Apple's OS X operating system still require the user to 'opt in' to including a file-name extension during an initial save. In looking at some of the eccentricities of the modern user experience, this article argues that it might be time to admit that users need to understand, embrace and responsibly use the only plain-text, obvious indicator of what a file actually is.
Graphics

Khronos Group Announces Vulkan To Compete Against DirectX 12

Posted by timothy
from the cross-platform-good dept.
Phopojijo writes: The Khronos Group has announced the Vulkan API for compute and graphics. Its goal is to compete against DirectX 12. It has some interesting features, such as queuing to multiple GPUs and an LLVM-based bytecode for its shading language to remove the need for a compiler in the graphics drivers. Also, the API allows graphics card vendors to support Vulkan with drivers back to Windows XP "and beyond."
Graphics

NVIDIA Fixes Old Compiz Bug

Posted by timothy
from the mayan-long-count dept.
jones_supa writes: NVIDIA has fixed a long-standing issue in the Ubuntu Unity desktop by patching Compiz. When opening the window of a new application, it would go black or become transparent on NVIDIA hardware. There have been bug reports dating back to Ubuntu 12.10. The problem was caused by Compiz, which had some leftover code from a port. An NVIDIA developer posted on Launchpad and said the NVIDIA team has been looking at this issue, and they also proposed a patch. "Our interpretation of the specification is that creating two GLX pixmaps pointing at the same drawable is not allowed, because it can lead to poorly defined behavior if the properties of both GLX drawables don't match. Our driver prevents this, but Compiz appears to try to do this," wrote NVIDIA's Arthur Huillet. The Compiz patch has been accepted upstream.
Android

Google Backs Off Default Encryption on New Android Lollipop Devices

Posted by Soulskill
from the give-the-people-what-the-government-wants dept.
An anonymous reader writes: Although Google announced in September 2014 that Android 5.0 Lollipop would require full-disk encryption by default in new cell phones, Ars Technica has found otherwise in recently-released 2nd-gen Moto E and Galaxy S6. It turns out, according to the latest version of the Android Compatibility Definition document (PDF), full-disk encryption is currently only "very strongly recommended" in anticipation of mandatory encryption requirements in the future. The moral of the story is: don't be lazy — check that your full-disk encryption is actually enabled.
Yahoo!

Marissa Mayer On Turning Around Yahoo

Posted by samzenpus
from the steering-the-ship dept.
An anonymous reader writes: For the 20th anniversary of Yahoo, Marissa Mayer discusses how she's trying to reinvent the company. In a wide-ranging interview, Mayer shares her vision for fixing the company's past mistakes, including a major investment in mobile and a new ad platform. Yet she's been dogged by critics who see her as an imperious micromanager, who criticize her $1.1 billion purchase of Tumblr, and who fault her for moving too slowly. The company's executives explain that the business could only return to health after she first halted Yahoo's brain drain and went big on mobile. As one Yahoo employee summarized Mayer's thinking: "First people, then apps."
Communications

Jolla Partners With SSH To Create Sailfish Secure

Posted by samzenpus
from the protect-ya-neck dept.
First-time accepted submitter muckracer writes: Finnish mobile company Jolla will be working with Finland's SSH Communications to offer another version of its SailfishOS platform with stronger security credentials. The partnership was announced today at Jolla's press conference in Barcelona at the Mobile World Congress trade show. SSH will be providing comms encryption and key management to Sailfish Secure.