DEAL: For $25 - Add A Second Phone Number To Your Smartphone for life! Use promo code SLASHDOT25. Also, Slashdot's Facebook page has a chat bot now. Message it for stories and more. Check out the new SourceForge HTML5 internet speed test! ×
Chrome

Google Reducing Trust In Symantec Certificates Following Numerous Slip-Ups (bleepingcomputer.com) 29

An anonymous Slashdot reader writes from a report via BleepingComputer: Google Chrome engineers announced plans to gradually remove trust in old Symantec SSL certificates and intent to reduce the accepted validity period of newly issued Symantec certificates, following repeated slip-ups on the part of Symantec. Google's decision comes after the conclusion of an investigation that started on January 19, which unearthed several problems with Symantec's certificate issuance process, such as 30,000 misused certificates. In September 2015, Google also discovered that Symantec issued SSL certificates for Google.com without authorization. Symantec blamed the incident on three rogue employees, whom it later fired. This move from Google will force all owners of older Symantec certificates to request a new one. Google hopes that by that point, Symantec would have revamped its infrastructure and will be following the rules agreed upon by all the other CAs and browser makers.
Advertising

YouTube Loses Major Advertisers Over Offensive Videos (rollingstone.com) 121

An anonymous reader quotes a report from Rolling Stone: Verizon, AT&T, Johnson & Johnson and other major companies have pulled advertisements from YouTube after learning they were paired with videos promoting extremism, terrorism and other offensive topics, The New York Times reports. Among the other companies involved are pharmaceutical giant GSK, HSBC, the Royal Bank of Scotland and L'Oreal, amounting to a potential loss of hundreds of millions of dollars to the Google-owned company. The boycott began last week after a Times of London investigation spurred many major European companies to pull their ads from YouTube. American companies swiftly followed, even after Google promised Tuesday to work harder to block ads on "hateful, offensive and derogatory" videos. Like AT&T, most companies are only pulling their ads from YouTube and will continue to place ads on Google's search platforms, which remain the biggest source of revenue for Google's parent company, Alphabet. Still, the tech giant offered up a slew of promises to assuage marketers and ensure them that they were fixing the problems on YouTube. Due to the massive number of videos on YouTube -- about 400 hours of video is posted each minute -- the site primarily uses an automated system to place ads. While there are some failsafes in place to keep advertisements from appearing alongside offensive content, Google's Chief Business Officer Philipp Schindler wrote in a blog post that the company would hire "significant numbers" of employees to review YouTube videos and mark them as inappropriate for ads. He also said Google's latest advancements in artificial intelligence and machine learning will help the company review and flag large swaths of videos.
The Internet

SixXS IPv6 Tunnel Provider Is Shutting Down (sixxs.net) 32

yakatz writes: SixXS started providing IPv6 tunnels in 1999 to try to break the "chicken-and-egg" problem of IPv6 adoption. After 18 years, the service is shutting down. The cited reasons are:

1) growth has been stagnant
2) many ISPs offer IPv6
3) some ISPs have told customers that they don't need to provide IPv6 connectivity because the customer can just use a tunnel from SixXS

This last reason in particular made the SixXS team think they are doing more harm than good in the fight for native IPv6, so they will be shutting down on June 6.

Microsoft

Microsoft's OneDrive Web App Crippled With Performance Issues On Linux and Chrome OS (theregister.co.uk) 89

Iain Thomson, reporting for The Register: Plenty of Linux users are up in arms about the performance of the OneDrive web app. They say that when accessing Microsoft's cloudy storage system in a browser on a non-Windows system -- such as on Linux or ChromeOS -- the service grinds to a barely usable crawl. But when they use a Windows machine on the same internet connection, speedy access resumes. Crucially, when they change their browser's user-agent string -- a snippet of text the browser sends to websites describing itself -- to Internet Explorer or Edge, magically their OneDrive access speeds up to normal on their non-Windows PCs. In other words, Microsoft's OneDrive web app slows down seemingly deliberately when it appears you're using Linux or some other Windows rival. This has been going on for months, and complaints flared up again this week after netizens decided enough is enough. When gripes about this suspicious slowdown have cropped up previously, Microsoft has coldly reminded people that OneDrive for Business is not supported on Linux, thus the crap performance is to be expected. But when you change the user-agent string of your browser on Linux to match IE or Edge, suddenly OneDrive's web code runs fine. The original headline of the story is, "Microsoft loves Linux so much, its OneDrive web app runs like a dog on Windows OS rivals".
Businesses

Intel Creates AI Group, Aims For More Focus (zdnet.com) 10

Intel's artificial intelligence efforts have been scattered over many different units but are now being united into a single operating group. The Artificial Intelligence Products Group will focus on the development of chips and software products tied to machine learning, algorithms, and deep learning. From a report: The company has been repositioning via acquisitions to focus on Internet of Things to autonomous vehicles. The upshot is that Intel is trying to build a data center to IoT stack powered by its processors. In a blog post, Rao outlined how the Artificial Intelligence Products Group will work across multiple units. Part of the group's remit will be to bring AI costs down and forge standards. Rao said the group will combine engineering, labs, software, and hardware from its portfolio.
Communications

Senate Votes To Kill FCC's Broadband Privacy Rules (pcworld.com) 342

The Senate voted 50-48 along party lines Thursday to repeal an Obama-era law that requires internet service providers to obtain permission before tracking what customers look at online and selling that information to other companies. PCWorld adds: The Senate's 50-48 vote Thursday on a resolution of disapproval would roll back Federal Communications Commission rules requiring broadband providers to receive opt-in customer permission to share sensitive personal information, including web-browsing history, geolocation, and financial details with third parties. The FCC approved the regulations just five months ago. Thursday's vote was largely along party lines, with Republicans voting to kill the FCC's privacy rules and Democrats voting to keep them. The Senate's resolution, which now heads to the House of Representatives for consideration, would allow broadband providers to collect and sell a "gold mine of data" about customers, said Senator Bill Nelson, a Florida Democrat. Kate Tummarello, writing for EFF: [This] would be a crushing loss for online privacy. ISPs act as gatekeepers to the Internet, giving them incredible access to records of what you do online. They shouldn't be able to profit off of the information about what you search for, read about, purchase, and more without your consent. We can still kill this in the House: call your lawmakers today and tell them to protect your privacy from your ISP.
Businesses

A Lithuanian Phisher Tricked Two Big US Tech Companies Into Wiring Him $100 Million (theverge.com) 123

According to a recent indictment from the U.S. Department of Justice, a 48-year-old Lithuanian scammer named Evaldas Rimasauskas managed to trick two American technology companies into wiring him $100 million. He was able to perform this feat "by masquerading as a prominent Asian hardware manufacturer," reports The Verge, citing court documents, "and tricking employees into depositing tens of millions of dollars into bank accounts in Latvia, Cyprus, and numerous other countries." From the report: What makes this remarkable is not Rimasauskas' particular phishing scam, which sounds rather standard in the grand scheme of wire fraud and cybersecurity exploits. Rather, it's the amount of money he managed to score and the industry from which he stole it. The indictment specifically describes the companies in vague terms. The first company is "multinational technology company, specializing in internet-related services and products, with headquarters in the United States," the documents read. The second company is a "multinational corporation providing online social media and networking services." Both apparently worked with the same "Asia-based manufacturer of computer hardware," a supplier that the documents indicate was founded some time in the late '80s. What's more important is that representatives at both companies with the power to wire vast sums of money were still tricked by fraudulent email accounts. Rimasauskas even went so far as to create fake contracts on forged company letterhead, fake bank invoices, and various other official-looking documents to convince employees of the two companies to send him money. Rimasauskas has been charged with one count of wire fraud, three counts of money laundering, and aggravated identity theft. In other words, he faces serious prison time of convicted -- each charge of wire fraud and laundering carries a max sentence of 20 years. The court documents don't reveal the names of the two companies. Though, one could surely think of a few candidates that would fit the descriptions provided in the court documents.
Bug

LastPass Bugs Allow Malicious Websites To Steal Passwords (bleepingcomputer.com) 123

Earlier this month, a Slashdot reader asked fellow Slashdotters what they recommended regarding the use of password managers. In their post, they voiced their uncertainty with password managers as they have been hacked in the past, citing an incident in early 2016 where LastPass was hacked due to a bug that allowed users to extract passwords stored in the autofill feature. Flash forward to present time and we now have news that three separate bugs "would have allowed a third-party to extract passwords from users visiting a malicious website." An anonymous Slashdot reader writes via BleepingComputer: LastPass patched three bugs that affected the Chrome and Firefox browser extensions, which if exploited, would have allowed a third-party to extract passwords from users visiting a malicious website. All bugs were reported by Google security researcher Tavis Ormandy, and all allowed the theft of user credentials, one bug affecting the LastPass Chrome extension, while two impacted the LastPass Firefox extension [1, 2]. The exploitation vector was malicious JavaScript code that could be very well hidden in any online website, owned by the attacker or via a compromised legitimate site.
DRM

W3C Erects DRM As Web Standard (theregister.co.uk) 212

The World Wide Web Consortium (W3C) has formally put forward highly controversial digital rights management as a new web standard. "Dubbed Encrypted Media Extensions (EME), this anti-piracy mechanism was crafted by engineers from Google, Microsoft, and Netflix, and has been in development for some time," reports The Register. "The DRM is supposed to thwart copyright infringement by stopping people from ripping video and other content from encrypted high-quality streams." From the report: The latest draft was published last week and formally put forward as a proposed standard soon after. Under W3C rules, a decision over whether to officially adopt EME will depend on a poll of its members. That survey was sent out yesterday and member organizations, who pay an annual fee that varies from $2,250 for the smallest non-profits to $77,000 for larger corporations, will have until April 19 to register their opinions. If EME gets the consortium's rubber stamp of approval, it will lock down the standard for web browsers and video streamers to implement and roll out. The proposed standard is expected to succeed, especially after web founder and W3C director Sir Tim Berners-Lee personally endorsed the measure, arguing that the standard simply reflects modern realities and would allow for greater interoperability and improve online privacy. But EME still faces considerable opposition. One of its most persistent vocal opponents, Cory Doctorow of the Electronic Frontier Foundation, argues that EME "would give corporations the new right to sue people who engaged in legal activity." He is referring to the most recent controversy where the W3C has tried to strike a balance between legitimate security researchers investigating vulnerabilities in digital rights management software, and hackers trying to circumvent content protection. The W3C notes that the EME specification includes sections on security and privacy, but concedes "the lack of consensus to protect security researchers remains an issue." Its proposed solution remains "establishing best practices for responsible vulnerability disclosure." It also notes that issues of accessibility were ruled to be outside the scope of the EME, although there is an entire webpage dedicated to those issues and finding solutions to them.
The Internet

'Dig Once' Bill Could Bring Fiber Internet To Much of the US (arstechnica.com) 168

An anonymous reader quotes a report from Ars Technica: If the U.S. adopts a "dig once" policy, construction workers would install conduits just about any time they build new roads and sidewalks or upgrade existing ones. These conduits are plastic pipes that can house fiber cables. The conduits might be empty when installed, but their presence makes it a lot cheaper and easier to install fiber later, after the road construction is finished. The idea is an old one. U.S. Rep. Anna Eshoo (D-Calif.) has been proposing dig once legislation since 2009, and it has widespread support from broadband-focused consumer advocacy groups. It has never made it all the way through Congress, but it has bipartisan backing from lawmakers who often disagree on the most controversial broadband policy questions, such as net neutrality and municipal broadband. It even got a boost from Rep. Marsha Blackburn (R-Tenn.), who has frequently clashed with Democrats and consumer advocacy groups over broadband -- her "Internet Freedom Act" would wipe out the Federal Communications Commission's net neutrality rules, and she supports state laws that restrict growth of municipal broadband. Blackburn, chair of the House Communications and Technology Subcommittee, put Eshoo's dig once legislation on the agenda for a hearing she held yesterday on broadband deployment and infrastructure. Blackburn's opening statement (PDF) said that dig once is among the policies she's considering to "facilitate the deployment of communications infrastructure." But her statement did not specifically endorse Eshoo's dig once proposal, which was presented only as a discussion draft with no vote scheduled. The subcommittee also considered a discussion draft that would "creat[e] an inventory of federal assets that can be used to attach or install broadband infrastructure." Dig once legislation received specific support from Commerce Committee Chairman Greg Walden (R-Ore.), who said that he is "glad to see Ms. Eshoo's 'Dig Once' bill has made a return this Congress. I think that this is smart policy and will help spur broadband deployment across the country."
Television

Cord-Cutting Isn't Nearly as Significant as Cable Providers Make It Out To Be (cnbc.com) 140

From a report on CNBC: Despite legacy media's anxieties about cord-cutting, data suggest that the phenomenon isn't nearly as significant as cable providers make it out to be. In its 11th annual "Digital Democracy Survey," Deloitte found that the percentage of American households that subscribe to paid television services has remained relatively stable since 2012, even as adoption of streaming services has accelerated. In its survey of 2,131 consumers, Deloitte said two-thirds of respondents reported they have kept their TV subscriptions because they're bundled with their internet plan. Kevin Westcott, vice chairman and U.S. media and entertainment leader at Deloitte, told CNBC that bundling seems to be a huge deterrent for cord cutting.
Chrome

Google Contemplating Removing Chrome 'Close Other Tabs' and 'Close Tabs to the Right' Options (bleepingcomputer.com) 253

An anonymous reader shares a report: Chrome engineers are planning to remove two options from Chrome that allow users to quickly close a large number of tabs with just a few clicks. The options, named "Close other tabs" and "Close tabs to the right" reside in the menu that appears when a user right-clicks on a Chrome tab. According to an issue on the Chromium project spotted yesterday by a Reddit user, Google engineers planned to remove to menu options for many years even before opening the Chromium issue, dated itself to July 31, 2015. After several years of inactivity and no decision, things started to move again in September 2016, when usage statistics confirmed that Chrome users rarely used the two options they initially wanted to remove. Seeing no new discussions past this point, Chromium engineers assigned the issue in February, meaning engineers are getting ready to remove the two menu options it in future Chromium builds.
Social Networks

Reddit To Transform Into a Social Network With New Profile Pages (digitaljournal.com) 130

An anonymous reader quotes a report from Digital Journal: Reddit has announced it has begun trialling a radical new profile page design that's reminiscent of Facebook and Twitter. It will evolve the discussion board site towards being a social network by enabling users to post directly to their new profile page. At present, posts on Reddit have to be directed into a specific sub-Reddit community. You can't simply write a post and have it appear across the network which can make it difficult to get your voice heard. Unless you've got some reputation in a relevant sub-Reddit, your posts may end up going unnoticed. That could soon change. Last night, Reddit announced it's working on a drastic revision of its user profile page experience. The site has commenced testing of an early version of the design. According to a report from Reuters, just three "high-profile" users currently have access to the feature. When the new pages are eventually opened up to all, they'll showcase the user's profile picture and description. Below the header, posts from the user will be publicly displayed. The user will be able to add new posts to their page, without submitting to a sub-Reddit. Users will be able to follow each other to stay informed of new posts, effectively creating a social network atmosphere above the discussion boards.
Software

Why American Farmers Are Hacking Their Tractors With Ukrainian Firmware (vice.com) 489

Tractor owners across the country are reportedly hacking their John Deere tractors using firmware that's cracked in Easter Europe and traded on invite-only, paid online forums. The reason is because John Deere and other manufacturers have "made it impossible to perform 'unauthorized' repair on farm equipment," which has obviously upset many farmers who see it "as an attack on their sovereignty and quite possibly an existential threat to their livelihood if their tractor breaks at an inopportune time," reports Jason Koebler via Motherboard. As is the case with most modern-day engineering vehicles, the mechanical problems experienced with the newer farming tractors are often remedied via software. From the report: The nightmare scenario, and a fear I heard expressed over and over again in talking with farmers, is that John Deere could remotely shut down a tractor and there wouldn't be anything a farmer could do about it. A license agreement John Deere required farmers to sign in October forbids nearly all repair and modification to farming equipment, and prevents farmers from suing for "crop loss, lost profits, loss of goodwill, loss of use of equipment [...] arising from the performance or non-performance of any aspect of the software." The agreement applies to anyone who turns the key or otherwise uses a John Deere tractor with embedded software. It means that only John Deere dealerships and "authorized" repair shops can work on newer tractors. "If a farmer bought the tractor, he should be able to do whatever he wants with it," Kevin Kenney, a farmer and right-to-repair advocate in Nebraska, told me. "You want to replace a transmission and you take it to an independent mechanic -- he can put in the new transmission but the tractor can't drive out of the shop. Deere charges $230, plus $130 an hour for a technician to drive out and plug a connector into their USB port to authorize the part." "What you've got is technicians running around here with cracked Ukrainian John Deere software that they bought off the black market," he added.
Microsoft

Microsoft's Edge Was Most Hacked Browser At Pwn2Own 2017, While Chrome Remained Unhackable (tomshardware.com) 144

At the Pwn2Own 2017 hacking event, Microsoft's Edge browser proved itself to be the least secure browser at the event, after it was hacked no less than five times. Google's Chrome browser, on the other hand, remained unhackable during the contest. Tom's Hardware reports: On the first day, Team Ether (Tencent Security) was the first to hack Edge through an arbitrary write in the Chakra JavaScript engine. The team also used a logic bug in the sandbox to escape that, as well. The team got an $80,000 prize for this exploit. On the second day, the Edge browser was attacked fast and furious by multiple teams. However, one was disqualified for using a vulnerability that was disclosed the previous day. (The teams at Pwn2Own are supposed to only use zero-day vulnerabilities that are unknown to the vendor. Two other teams withdrew their entries against Edge. However, Team Lance (Tencent Security) successfully exploited Microsoft's browser using a use-after-free (UAF) vulnerability in Chakra, and then another UAF bug in the Windows kernel to elevate system privileges. The exploit got the team $55,000. Team Sniper (Tencent Security) also exploited Edge and the Windows kernel using similar techniques, which gained this team the same amount of money, as well. The most impressive exploit by far, and also a first for Pwn2Own, was a virtual machine escape through an Edge flaw by a security team from "360 Security." The team leveraged a heap overflow bug in Edge, a type confusion in the Windows kernel, and an uninitialized buffer in VMware Workstation for a complete virtual machine escape. The team hacked its way in via the Edge browser, through the guest Windows OS, through the VM, all the way to the host operating system. This impressive chained-exploit gained the 360 Security team $105,000. The fifth exploit against Edge was done by Richard Zhu, who used two UAF bugs--one in Edge and one in a Windows kernel buffer overflow--to complete the hack. The attack gained Zhu $55,000. At last year's Pwn2Own 2016, Edge proved to be more secure than Internet Explorer and Safari, but it still ended up getting hacked twice. Chrome was only partially hacked once, notes Tom's Hardware.
Microsoft

Microsoft Outlook, Skype, OneDrive Hit By Another Authentication Issue (zdnet.com) 48

Two weeks after a widespread authentication issue hit Outlook, Skype, OneDrive, Xbox and other Microsoft services, it's happening again. From a report: On March 21, users across the world began reporting via Twitter that they couldn't sign into Outlook.com, OneDrive and Skype, (and possibly more). I, myself, am unable to sign into Outlook.com, OneDrive or Skype at 2:30 pm ET today, but my Office 365 Mail account is working fine. (Knock wood.) I believe the issue started about an hour ago, or 1:30 p.m. ET or so. MSA is Microsoft's single sign-on service which authenticates users so they can log into their various Microsoft services. As happened two weeks ago, Skype Heartbeat site, has posted a message noting that users may be experiencing problems sending messages and signing in.
Google

Google To Revamp Policies, Hire Staff After UK Ad Scandal (reuters.com) 68

Google vowed on Tuesday to police its websites better by ramping up staff numbers and overhauling its policies after several companies deserted the internet giant for failing to keep their adverts off hate-filled videos. From a report on Reuters: Google has found itself at the center of a British storm in recent days after major companies from supermarkets to banks and consumer groups pulled their adverts from its YouTube site after they appeared alongside videos carrying homophobic and anti-Semitic messages. Alphabet's Google launched a review of the problem on Friday, apologized on Monday and said on Tuesday it had revamped its policies to give advertisers more control.
Google

After Years Waiting For Google Fiber, KC Residents Get Cancellation Emails (arstechnica.com) 64

An anonymous reader quotes a report from Ars Technica: Some Kansas City residents who have been waiting years for Google Fiber to install service at their homes recently received e-mails canceling their installations, with no word on whether they'll ever get Internet service from the company. KSHB 41 Action News in Kansas City, Missouri, "spoke to several people, living in different parts of the metro, all who have recently received cancellation e-mails," the station reported last week. "The e-mails do not provide a specific reason for the cancellations. Instead they say the company was 'unable to build our network to connect your home or business at this time.'" While Google Fiber refuses to say how many installations have been canceled, KSHB said, "there is speculation the number of cancellations in the metro is as high as 2,700." "The company says it has slowed down in some areas to experiment with new techniques," such as wireless technology, the report also said. Google Fiber is still hooking up fiber for some new customers in parts of the Kansas City area. One resident who had his installation canceled is Larry Meurer, who was seeing multiple Google Fiber trucks in his neighborhood nearly two years ago, in the spring of 2015. "I'm left wondering what's going on," he told KSHB after getting the cancellation e-mail. Meurer lives in Olathe, Kansas, one of the largest cities in the Kansas City metro area. Residents only five houses away and around the corner have Google Fiber service, the report said. But Meurer said he and several neighbors who never got service were "terminated."
Patents

Maryland Legislator Wants To Keep State University Patents Away From Trolls (eff.org) 52

The EFF's "Reclaim Invention" campaign provided the template for a patent troll-fighting bill recently introduced in the Maryland legislature to guide public universities. An anonymous reader writes: The bill would "void any agreement by the university to license or transfer a patent to a patent assertion entity (or patent troll)," according to the EFF, requiring universities to manage their patent portfolios in the public interest. James Love, the director of the nonprofit Knowledge Ecology International, argues this would prevent assigning patents to "organizations who are just suing people for infringement," which is especially important for publicly-funded colleges. "You don't want public sector patents to be used in a way that's a weapon against the public." Yarden Katz, a fellow at Harvard's Berkman Klein Center for Internet amd Society, says the Maryland legislation would "set an example for other states by adopting a framework for academic research that puts public interests front and center."
The EFF has created a web page where you can encourage your own legislators to pass similar bills, and to urge universities to pledge "not to knowingly license or sell the rights of inventions, research, or innovation...to patent assertion entities, or patent trolls."
Government

NY Bill Would Require Removal of Inaccurate, Irrelevant Or Excessive Statements (washingtonpost.com) 155

schwit1 writes: In a bill aimed at securing a "right to be forgotten," introduced by Assemblyman David I. Weprin and (as Senate Bill 4561 by state Sen. Tony Avella), New York politicians would require people to remove "inaccurate," "irrelevant," "inadequate" or "excessive" statements about others... Failure to comply would make the search engines or speakers liable for, at least, statutory damages of $250/day plus attorney fees.
The Washington Post reports the bill's provisions would be as follows: Within 30 days of a "request from an individual, all search engines [and online speakers] shall remove...content about such individual, and links or indexes to any of the same, that is 'inaccurate', 'irrelevant', 'inadequate' or 'excessive,' and without replacing such removed...content with any disclaimer [or] takedown notice.... [I]naccurate', 'irrelevant', 'inadequate', or 'excessive' shall mean content, which after a significant lapse in time from its first publication, is no longer material to current public debate or discourse, especially when considered in light of the financial, reputational and/or demonstrable other harm that the information...is causing to the requester's professional, financial, reputational or other interest, with the exception of content related to convicted felonies, legal matters relating to violence, or a matter that is of significant current public interest, and as to which the requester's role with regard to the matter is central and substantial."

Slashdot Top Deals