
Submission + - Unstoppable JavaScript Attack Helps Ad Fraud, Tech Support Scams, 0-Day Attacks (bleepingcomputer.com)

An anonymous reader writes: New research published today shows how a malicious website owner could show a constant stream of popups, even after the user has left his site, or even worse, execute any kind of persistent JavaScript code while the user is on other domains.

In an interview, the researcher who found these flaws explains that this flaw is an attacker's dream, as it could be used for: ad fraud (by continuing to load ads even when the user is navigating other sites), zero-day attacks (by downloading exploit code even after the user has left the page), tech support scams (by showing errors and popups on legitimate and reputable sites), and malvertising (by redirecting users later on, from other sites, even if they leave the malicious site too quickly).

This severe flaw in the browser security model affects only Internet Explorer 11, which unfortunately is the second most used browser version, after Chrome 55, with a market share of over 10%. Even worse for IE11 users, there's no fix available for this issue because the researcher has decided to stop reporting bugs to Microsoft after they've ignored many of his previous reports.

For IE11 users, a demo page is available here.

Submission + - Holding Shift + F10 During Windows 10 Updates Opens Root CLI, Bypasses BitLocker (bleepingcomputer.com)

An anonymous reader writes: Windows security expert and infrastructure trainer Sami Laiho says that by holding SHIFT + F10 while a Windows 10 computer is installing a new OS build, an attacker can open a command-line interface with SYSTEM privileges. This CLI debugging interface also grants the attacker full access to the computer's hard drive data, despite the presence of BitLocker. The CLI debugging interface is present when updating to new Windows 10 and Windows 10 Insiders builds.

The most obvious exploitation scenario is when a user leaves his computer unattended during the update procedure. A malicious insider can open the CLI debugger and perform malicious operations under a root user, despite BitLocker's presence. But there are other scenarios where Laiho's SHIFT + F10 trick can come in handy. For example, when police have seized computers from users who deployed BitLocker, or when someone steals your laptop. Windows 10 defaults help police/thieves in this case because these defaults forcibly update computers, even if the user hasn't logged on for weeks or months.
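A hardening step and a check for the scenario in this submission, added here as an example; it is not code from the submission or from Laiho's research. Microsoft's documented switch for this behaviour is a tag file named DisableCmdRequest.tag in %WINDIR%\Setup\Scripts, which Setup checks before honouring Shift+F10; the BitLocker module's Get-BitLockerVolume cmdlet is used to report the OS volume's protection state. The function names and output fields are this example's own. Run it elevated.

```powershell
# Added example (not from the submission or from Sami Laiho): suppress the
# Shift+F10 command prompt in Windows Setup and report whether the OS volume
# is actually BitLocker-protected. Run from an elevated PowerShell session.
# Assumption, labelled: the documented switch is an (empty) tag file named
# DisableCmdRequest.tag under %WINDIR%\Setup\Scripts.

$tagDir  = Join-Path $env:WINDIR 'Setup\Scripts'
$tagFile = Join-Path $tagDir 'DisableCmdRequest.tag'

function Disable-SetupCommandPrompt {
    # Create the directory and the tag file if they are missing; safe to re-run.
    if (-not (Test-Path -LiteralPath $tagDir)) {
        New-Item -ItemType Directory -Path $tagDir -Force | Out-Null
    }
    if (-not (Test-Path -LiteralPath $tagFile)) {
        New-Item -ItemType File -Path $tagFile -Force | Out-Null
    }
    return (Test-Path -LiteralPath $tagFile)
}

function Get-OsVolumeBitLockerState {
    # Get-BitLockerVolume ships with the BitLocker module on Windows 10 Pro/Enterprise.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        ProtectionStatus = $vol.ProtectionStatus   # On / Off (Off also while suspended)
        VolumeStatus     = $vol.VolumeStatus       # FullyEncrypted, EncryptionInProgress, ...
        KeyProtectors    = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
    }
}

if (Disable-SetupCommandPrompt) {
    Write-Host "Shift+F10 tag present: $tagFile"
}
Get-OsVolumeBitLockerState | Format-List
```

The tag only removes the Shift+F10 prompt inside Setup; it does not change the fact that the OS volume is unlocked while an upgrade is running, so deferring feature updates on managed machines and not leaving a machine unattended mid-upgrade are still part of the answer.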

Submission + - It Will Soon Be Illegal To Punish Customers Who Criticize Businesses Online (arstechnica.com)

An anonymous reader writes: Congress has passed a law protecting the right of U.S. consumers to post negative online reviews without fear of retaliation from companies. The bipartisan Consumer Review Fairness Act was passed by unanimous consent in the US Senate yesterday, a Senate Commerce Committee announcement said. The bill, introduced in 2014, was already approved by the House of Representatives and now awaits President Obama's signature. The Consumer Review Fairness Act—full text available here—voids any provision in a form contract that prohibits or restricts customers from posting reviews about the goods, services, or conduct of the company providing the product or service. It also voids provisions that impose penalties or fees on customers for posting online reviews as well as those that require customers to give up the intellectual property rights related to such reviews. The legislation empowers the Federal Trade Commission to enforce the new law and impose penalties when necessary. The bill also protects reviews that aren't available via the Internet.

Submission + - What's the best Linux Laptop?

sconeu writes: This came up in the "Which laptop could replace a Macbook Pro?" story. It was rightfully marked off-topic there, but I thought it might make an interesting discussion.

I'm currently looking into replacing my 10-year-old Toshiba Satellite with a newer laptop. I'm looking to run some flavor of Linux (probably KDE based UI, but not mandatory) while using a VM to run Win 7 (for stuff needed for work).

For me, personally, battery life and weight are more important than raw power. I'm not going to be running games on this.

I've been considering an XPS 13 Developer Edition, or something from System76, ZaReason or Emperor Linux.

What laptop do you use? Do you have any suggestions?

Submission + - China passes law requiring full access to customer data (deepdotweb.com)

AnonymousCube writes: As if there wasn't enough reason to want tech companies to stay out of China, the Chinese government has passed a new cybersecurity law requiring companies to give them full access to customer information.

Companies are also required to give government investigators complete access to their data if there is suspected wrong-doing, and Internet operators must cooperate in any national security or crime-related investigation.

Note that China has an extremely flexible definition of "national security".

Additionally, computer equipment will need to undergo mandatory certification, which could involve giving up source code, encryption keys, or even proprietary intellectual data, as Microsoft has been doing for some time.

Submission + - Germany's Justice Minister Says Facebook Should Be Treated As a Media Company (reuters.com)

An anonymous reader writes: Germany's Justice Minister says he believes Facebook should be treated like a media company rather than a technology platform, suggesting he favors moves to make social media groups criminally liable for failing to remove hate speech. Under a program that runs until March, German authorities are monitoring how many racist posts reported by Facebook users are deleted within 24 hours. Justice Minister Heiko Maas has pledged to take legislative measures if the results are still unsatisfactory by then. Maas has said the European Union needs to decide whether platform companies should be treated like radio or television stations, which can be held accountable for the content they publish. Under current EU guidelines Facebook and other social media networks are not liable for any criminal content or hate posts hosted on their platform. Instead, in May Facebook, Google's YouTube and Twitter signed the EU hate speech code, vowing to fight racism and xenophobia by reviewing the majority of hate speech notifications within 24 hours. But the code is voluntary not legally binding. The state justice ministers meeting in Berlin called on the government to take swift action against hate speech on the Internet. The ministers called for more transparency and said social media companies should be obliged to regularly publish figures on how many hate posts have been deleted. They also wanted more public information on how notifications are processed and the criteria behind the decision making. Facebook says it is a technology company, not a media company, that builds the tools to supply users with news and information but does not produce content.

Submission + - According to Snopes, Fake News Is Not the Problem (backchannel.com)

mirandakatz writes: In the wake of last week's election, everyone's panicking about the plague of fake news on Facebook—but the chief myth busters over at Snopes are less worried about blatantly fake news than they are about a failing media. At Backchannel, Snopes managing editor Brooke Binkowski sums it up as such: “When you’re on your fifth story of the day and there’s no editor because the editor’s been fired and there’s no fact checker so you have to Google it yourself and you don’t have access to any academic journals or anything like that, you will screw stories up." Welcome to the post-fact media.

Submission + - Google To Untrust WoSign and StartCom Certificates (csoonline.com)

itwbennett writes: Following similar decisions by Mozilla and Apple, Google plans to reject new digital certificates issued by certificate authorities WoSign and StartCom because they violated industry rules and best practices. The ban will go into effect in Chrome version 56, which is currently in the dev release channel, and will apply to all certificates issued by the two authorities after October 21.
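An added example, not code from the CSO article, Google or Chromium, of checking a live server's certificate chain against the policy as the submission states it: a leaf issued by WoSign or StartCom after October 21 will be rejected. Assumptions, labelled in the code: the CA is detected by matching "WoSign" or "StartCom" in the subject or issuer of any chain element (Chrome's real check keys on the WoSign/StartCom root public keys and carries a hostname whitelist, neither of which is replicated here), the cutoff is taken as 2016-10-21 00:00:00 UTC, and example.com is a placeholder host.

```powershell
# Added example (not from the article, Google or Chromium): fetch a server's
# chain and decide whether Chrome 56's WoSign/StartCom policy would reject it.
# Assumptions, labelled: CA detection is a DN substring match on any chain
# element, and the cutoff is 2016-10-21 00:00:00 UTC.

$Cutoff = [datetime]::new(2016, 10, 21, 0, 0, 0, [DateTimeKind]::Utc)

function Get-ServerCertificateChain {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any server certificate here: we want the chain, not a validation verdict.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        $leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        [void]$chain.Build($leaf)
        # Element 0 is the leaf, the last element is the root the local store found.
        return @($chain.ChainElements | ForEach-Object { $_.Certificate })
    } finally {
        $tcp.Close()
    }
}

function Test-DistrustedByChrome56 {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2[]]$Chain)
    $leaf = $Chain[0]
    $fromBannedCa = $Chain | Where-Object {
        $_.Issuer -match 'WoSign|StartCom' -or $_.Subject -match 'WoSign|StartCom'
    }
    if (-not $fromBannedCa) { return $false }
    # Only certificates issued after the cutoff are affected; earlier ones keep
    # working until they expire, which is why the ban is a NotBefore check.
    return $leaf.NotBefore.ToUniversalTime() -gt $Cutoff
}

$chain = Get-ServerCertificateChain -HostName 'example.com'
[pscustomobject]@{
    Subject    = $chain[0].Subject
    Issuer     = $chain[0].Issuer
    NotBefore  = $chain[0].NotBefore.ToUniversalTime()
    Distrusted = Test-DistrustedByChrome56 -Chain $chain
}
```

Because the DN match is a heuristic, a hit should be confirmed by comparing the chain's root against the WoSign and StartCom roots Chrome actually lists; a miss is not proof of safety if the site is served through a different intermediate name.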

Submission + - Firefox purging functionality citing privacy concerns (theguardian.com)

xogg writes: The Battery Status API allows web sites to read the battery level of a user's system. The API was found to bring privacy risks and abuse potential and a number of implementation bugs. Now, with apparently no legitimate use cases, Mozilla is taking the unprecedented decision to vaporize a browser API due to privacy concerns. And apparently WebKit, which powers Apple's Safari, follows. Is that the first time a browser reduces functionality following research reports warning of privacy risks?

Submission + - Microsoft Stops Selling Windows 7 And Windows 8.1 To Computer Makers

An anonymous reader writes: Out with the old, and in with the new. Microsoft yesterday stopped providing Windows 7 Professional and Windows 8.1 licenses to original equipment manufacturers (OEMs), including its PC partners and systems builders. This means that, as of today, the only way you can buy a computer running Windows 7 or Windows 8.1 is if you can still find one in stock.

Submission + - Every LTE call, text, can be intercepted, blacked out, hacker finds (theregister.co.uk)

mask.of.sanity writes: A hacker has blown holes in 4G LTE networks by detailing how to intercept and make calls, send text messages and force phones offline.

It exploits LTE fall-back mechanisms designed to ensure continuity of phone services in the event of emergency situations that trigger base station overloads.

Comment Re:Ping pongged (Score 1)

CorrectTheRecord.org probably has tens of thousands of shill accounts on all social media outlets. Probably explains the 24K+ down votes.

To those that do not know, CorrectTheRecord.org is a company that's paid 7 figures to patrol social media to promote Slithery and drown out anything negative about her. They were very active in the primary and now.

Submission + - Apple refused to join Open Compute Project, so the entire networking team quit (businessinsider.com)

mattydread23 writes: Great story about the Open Compute Project from Business Insider's Julie Bort here, including this fun tidbit: "[Apple's networking] team was responsible for building a network at Apple that was so reliable, it never goes down. Not rarely. Never....Building a 100% reliable network to meet Apple's exacting standards was no easy task. So, instead of going it alone under Apple's secrecy, the Apple networking team wanted to participate in the revolution, contributing and receiving help. But when the Apple team asked to join OCP, Apple said 'no.' 'The whole team quit the same week,' this person told us."
