


Submission + - Federal Court Invalidates 11-Year-old FBI gag order on NSL recipient

vivaoporto writes: The Calyx Institute reports that a federal district court has ordered the FBI to lift an eleven-year-old gag order imposed on Nicholas Merrill forbidding him from speaking about a National Security Letter ("NSL") that the FBI served on him in 2004. The ruling marks the first time that an NSL gag order has been lifted in full since the PATRIOT Act vastly expanded the scope of the FBI’s NSL authority in 2001.

For more than a decade, the government has refused to allow Mr. Merrill and other NSL recipients to tell the public just how broadly the FBI has interpreted its authority to surveil individuals’ digital lives in secret using NSLs. Tens of thousands of NSLs are issued by FBI officers every year without a warrant or judicial oversight of any kind.

U.S. District Judge Victor Marrero’s decision invalidated the gag order in full, finding no "good reason" to prevent Merrill from speaking about any aspect of the NSL, particularly an attachment to the NSL that lists the specific types of "electronic communication transactional records" (“ECTR”) that the FBI believed it was authorized to demand.

It is worth noting that this is the same judge that struck down a portion of the revised USA PATRIOT Act in 2007 forcing investigators to go through the courts to obtain approval before ordering ISPs to give up information on customers, instead of just sending them a National Security Letter.

Submission + - Life with the Dash button: good design for Amazon, bad for everyone else

vivaoporto writes: A scathing review published on Fast Company describes Amazon's Dash Button, the "Buy Now" button brought into the physical world, as "the latest symptom of Amazon's slowly spreading disease" and "an unabashed attempt to disconnect customers from the amount of money we're spending".

The author's criticism focuses on Amazon's lack of focus on customer experience, a core UI that doesn't make sense, a limited and expensive product selection, and a "store UX [that] is no longer designed for your convenient shopping" but "designed for their profitable selling".

Submission + - Ad-blocker Crystal massively reduces bandwidth usage and page load times in iOS (betanews.com)

Mark Wilson writes: There's a lot to look forward to in iOS 9. We already know that the new version of Safari will include the option to block ads, but the browser is not going to be alone in clearing out unwanted ads. Crystal is an ad blocker for iOS 9 created "with the goal of making web browsing with the iPhone and iPad a great experience again".

It started life as a tool for testing iOS 9's own content blocker, but grew into a stand-alone project. Crystal is currently in closed public beta but its developer, Dean Murphy, has released some figures that show how effective it is. The results show that Crystal can speed up page load times by nearly four times and reduce bandwidth consumption by 53 percent. Impressive stuff, and the stats make for extremely interesting reading — particularly for those waiting for the launch of a new iPhone.

Submission + - Amazon Work-Life Balance Defender: Prior Employer Nearly Killed Me and My Team

theodp writes: New York Times Public Editor Margaret Sullivan questions whether her paper's portrayal of Amazon's brutal workplace was on target, citing a long, passionate response in disagreement from Nick Ciubotariu, a head of infrastructure development at Amazon. Interestingly, Ciubotariu — whose take on Amazon's work-life balance ("I’ve never worked a single weekend when I didn’t want to") was used as Exhibit A by CEO Jeff Bezos to refute the NYT's report — wrote last December of regretting his role as an enabler of his team's "Death March" at a former employer (perhaps Microsoft, judging by Ciubotariu's LinkedIn profile and his essay's HiPo and Vegas references). "I asked if there were any questions," wrote Ciubotariu of a team meeting. "Nadia, one of my Engineers, had one: 'Nick, when will this finally end?' As I looked around the room, I saw 9 completely broken human beings. We had been working over 100 hours a week for the past 2 months. Two of my Engineers had tears on their faces. I did my best to keep from completely breaking down myself. With my voice choking, I looked at everyone, and said: 'This ends right now'." Ciubotariu added, "I hope they can forgive me for being an enabler of their death march, however unwilling, and that I ultimately didn’t do enough to stop it. As a 'reward' for all this, I calibrated #1 overall in my organization, and received yet another HiPo nomination and induction, at the cost of a shattered family life, my health, and a broken team. I don’t think I ever felt worse in my entire career. If I could give it all back, I would, in an instant, no questions asked. Physically and mentally, I took about a year to heal."

Submission + - Google ordered to remove links to stories about Google removing links to stories (arstechnica.co.uk)

vivaoporto writes: Ars Technica UK reports that the UK's Information Commissioner's Office (ICO) has ordered Google to remove links from its search results that point to news stories reporting on earlier removals of links from its search results. The nine further results that must be removed point to Web pages with details about the links relating to a criminal offence that were removed by Google following a request from the individual concerned.

The Web pages involved in the latest ICO order repeated details of the original criminal offence, which were then included in the results displayed when searching for the complainant’s name on Google. The company has 35 days to comply with the enforcement notice. If it does not, it faces financial sanctions, which can be significant.

Submission + - Multiple Vulnerabilities in Pocket

vivaoporto writes: Clint Ruoho reports on the gnu.gl blog the process of discovery, exploitation and reporting of multiple vulnerabilities in Pocket, the third-party web-based service chosen by Mozilla (with some backlash) as the default way to save articles for future reading in Firefox.

The vulnerabilities, exploitable by an attacker with only a browser, the Pocket mobile app and access to a server in Amazon EC2 costing 2 cents an hour, would give an attacker unrestricted root access to the server hosting the application.

The entry point was exploiting the service's main functionality itself — adding a server internal address in the "read it later" user list — to retrieve sensitive server information like the /etc/passwd file, its internal IP and the ssh private key needed to connect to it without a password. With this information it would be possible to SSH into the machine from another instance purchased in the same cloud service giving the security researcher unrestricted access.

All the vulnerabilities were reported by the researcher to Pocket, and the disclosure was voluntarily delayed for 21 days from the initial report to allow Pocket time to remediate the issues identified. Pocket does not provide monetary compensation for any identified or possible vulnerability.
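Added example (not from the write-up or Pocket's own code): one defender-side check a "save this URL" feature can apply before fetching on a user's behalf, rejecting non-http schemes, embedded credentials and any host whose literal or resolved address is loopback, private or link-local (the cloud metadata range included). The resolver hook, address ranges and host names used here are assumptions.

```python
"""Reject "read it later" URLs that would make the server fetch its own
internal addresses: the SSRF pattern described in the Pocket write-up.
Illustrative code, not Pocket's; blocked ranges follow the standard
loopback/private/link-local/reserved address space (an assumption)."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def is_public_ip(addr: str) -> bool:
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(addr)
    # is_global is False for loopback, RFC 1918, link-local (which covers the
    # 169.254.169.254 cloud metadata endpoint), ULA, reserved and unspecified.
    return ip.is_global and not ip.is_multicast


def resolve(host: str) -> list:
    """Resolve a name to every A/AAAA record; the fetch must check all of them."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def check_save_url(url: str, resolver=resolve) -> tuple:
    """Return (allowed, reason). `resolver` is an injectable hook (assumption)
    so the check can be exercised offline with constructed DNS answers."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme or '(none)'}"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL"
    try:
        # Literal IPv4/IPv6 hosts are checked directly, no DNS involved.
        ipaddress.ip_address(host)
        addrs = [host]
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError as exc:  # socket.gaierror is an OSError subclass
            return False, f"resolution failed: {exc}"
        if not addrs:
            return False, "no addresses"
    # Reject if ANY answer is non-public: a name with one public and one
    # internal record must not pass on the strength of the public one.
    for addr in addrs:
        if not is_public_ip(addr):
            return False, f"resolves to non-public address {addr}"
    return True, "ok"
```

The fetch that follows must connect to the address that was checked rather than resolving the name a second time, otherwise a rebinding DNS answer can undo the check.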

Submission + - Microsoft can now remotely disable pirated games, if you're running them on Wind (firstpost.com)

totalcaos writes: Privacy concerns as Windows 10 EULA gives Microsoft the ability to remotely disable or un-install counterfeit software and games. How Microsoft will go about detecting this is still unknown, but it raises real concerns, as according to this Microsoft will be able to tell what's installed on your computer!

Submission + - Registered clinical trials make positive findings vanish

schwit1 writes: The requirement that medical researchers register in detail the methods they intend to use in their clinical trials, both to record their data as well as document their outcomes, caused a significant drop in trials producing positive results.

A 1997 US law mandated the registry's creation, requiring researchers from 2000 to record their trial methods and outcome measures before collecting data. The study found that in a sample of 55 large trials testing heart-disease treatments, 57% of those published before 2000 reported positive effects from the treatments. But that figure plunged to just 8% in studies that were conducted after 2000. Study author Veronica Irvin, a health scientist at Oregon State University in Corvallis, says this suggests that registering clinical studies is leading to more rigorous research. Writing on his NeuroLogica Blog, neurologist Steven Novella of Yale University in New Haven, Connecticut, called the study "encouraging" but also "a bit frightening" because it casts doubt on previous positive results.

In other words, before they were required to document their methods, research into new drugs or treatments would prove the success of those drugs or treatment more than half the time. Once they had to document their research methods, however, the drugs or treatments being tested almost never worked.

The article also reveals a failure of the medical research community to confirm their earlier positive results:

Following up on these positive-result studies would be interesting, says Brian Nosek, a psychologist at the University of Virginia in Charlottesville and the executive director of the Center for Open Science, who shared the study results on Twitter in a post that has been retweeted nearly 600 times. He said in an interview: "Have they all held up in subsequent research, or are they showing signs of low reproducibility?"

It appears the medical research field has forgotten this basic tenet of science: A result has to be proven by a second independent study before you can take it seriously. Instead, they would do one study, get the results they wanted, and then declare success.

The lack of success once others could see their methods suggests strongly that much of the earlier research was simply junk, not to be taken seriously.

Comment Re:Settle (Score 5, Interesting) 222

This is not one run-of-the-mill "personal use copyright infringement" suit. Some important things make this case special:

1. The plaintiff is an intellectual property lawyer
2. The use of the video was for profit
3. As the article says, many other news outlets sought permission or licensed the clip, but these two, despite knowing the clip was copyrighted, chose to use it anyway.

If Thomas-Rasset was ordered to pay $1,920,000 for making 22 mp3s available for download (not for profit), how much should these media be liable for in this lawsuit? How many other videos do they use without proper licensing and/or attribution?

This could be the first of many similar cases considering the media worldwide assume that if a video is available on Youtube they are free to reproduce them in their TV news and shows.

Submission + - CNN and CBC Sued For Pirating YouTube Video (torrentfreak.com)

vivaoporto writes: CNN and Canada's CBC are being sued after the companies allegedly ripped the "Buffalo Lake Effect" from YouTube and used it in their broadcasts without a license. In addition to claims of copyright infringement, the media giants face allegations that they breached the anti-circumvention measures of the DMCA.

New York resident Alfonzo Cutaia (an intellectual property attorney) sensed last year that he had a hit video on his hands and used YouTube's account monetization program to generate some revenue.

The attorney uploaded his footage to the video site and selected "Standard YouTube License" that grants Youtube (and Youtube only) "a worldwide, non-exclusive, royalty-free, sublicenseable and transferable license to use, reproduce, distribute, prepare derivative works of, display, and perform the Content in connection with the Service and YouTube's (and its successors' and affiliates') business". All other rights are reserved to the copyright owner and standard copyright laws and exceptions apply.

According to a lawsuit filed this week by Cutaia in a New York court, around November 18 Canada’s CBC aired the video online without permission, with a CBC logo as an overlay.

After complaining to CBC about continued unauthorized use, last month Cutaia was told by CBC that the company had obtained the video from CNN on a 10-day license. However, Cutaia claims that the video was used by CBC and its partners for many months, having been supplied to them by CNN who also did not have a license. CBC and CNN are also accused of distributing the video despite knowing that the copyright management information had been removed.

Submission + - Russian Government Threatening To Block Reddit Over Cannabis

An anonymous reader writes: The Russian Government is threatening to block the social linking site Reddit across its country if they do not comply with removing a thread dedicated to growing cannabis. According to a post on VK.com, a site similar to Facebook in Russia, they have asked Reddit administrator to read their emails and their social media posts stating that they want /r/trees brought down which had posted an article about growing narcotic plants. Recently, Reddit changed its rules to allow illegal discussions on its site but they say that they would continue to block things such as copyrighted material.

Comment Re:Meh. Fuck em (Score 3, Interesting) 519

Yes. Here is the angle this article is trying to spin:

Apple is trying to pull iPhone and iPad users off the web. It wants you to read, watch, search, and listen in its Apple-certified walled gardens known as apps. It makes apps, it approves apps, and it profits from apps. But, for its plan to work, the company will need those entertainers and publishers to funnel their content to where Apple wants it to be. As the company makes strategic moves to devalue the web in favor of apps, those content creators dependent on ads to stay afloat may be forced to play along with Apple.

That's one way to look at it. Here is another perspective:

The absence didn't last long. In two previous Monday Notes (News Sites Are Fatter and Slower Than Ever and 20 Home Pages, 500 Trackers Loaded: Media Succumbs to Monitoring Frenzy), my compadre Frederic Filloux cast a harsh light on bloated, prying pages. Web publishers insert gratuitous chunks of code that let advertisers vend their wares and track our every move, code that causes pages to stutter, juggle, and reload for no discernible reason. Even after the page has settled into seeming quiescence, it may keep loading unseen content in the background for minutes on end.

Submission + - Banned article about Megamos Crypto chip finally gets released (www.ru.nl)

An anonymous reader writes: In 2012, three computer security researchers at Radboud University discovered weaknesses in the Megamos chip, which is widely used in immobilisers for various brands of cars. Based on responsible disclosure guidelines, the scientists informed the manufacturer immediately, and they wrote a scientific article on the topic that was accepted for publication at a prestigious digital security symposium (USENIX 2013). However, the publication never took place because in June 2013 an English court, acting at the request of Volkswagen, ruled that the article had to be withdrawn. Now, in August 2015, the controversial article that was 'banned' in 2013 is being published after all.

What went before

In 2008, Radboud scientists discovered weaknesses in the MIFARE CLASSIC chip that was used for instance in the public transport chip card for the Netherlands, the ‘OV-chipkaart’, and in London's Oyster card. At that time, the Dutch court refused to ban publication, partly because Radboud University scrupulously complies with responsible disclosure rules.
Because of this, Volkswagen took the ‘Megamos case’ to an English court in 2013. This was possible because one of the researchers had transferred to the University of Birmingham in the meantime. In June 2013, the English court issued an injunction.


Radboud University, together with the University of Birmingham, immediately challenged this English publication ban: the data about the chip that the researchers used in their study was acquired in a lawful manner. The manufacturer was also informed more than 9 months prior to the proposed publication. According to the responsible disclosure guidelines of the Dutch government, pre-publication notice of 6 months is sufficient.
The controversial article contains a scientific analysis of the level of security of the Megamos chip and is certainly not a manual for hackers. Radboud University is a strong defender of academic freedom and believes that car owners have the right to know the strengths and weaknesses of the security of their car.

Negotiation and solution

Negotiations through lawyers were unproductive for a long time. However, direct informal consultation in the autumn of 2014 in London was successful. Volkswagen finally agreed to publication, after accepting the authors' proposal to remove one sentence from the original manuscript. This single sentence contains an explicit description of a component of the calculations on the chip. The removal of this sentence makes it more difficult to reconstruct the entire algorithm for improper use, but does not affect the scientific content.

Professor Bart Jacobs, head of the Digital Security Group in Nijmegen was closely involved in the whole process. He can live with the text change, he says. “We academics have to stand up for our rights; we continue to believe that solving security problems is best served by responsibly identifying weaknesses, not by keeping them under wraps. But it is frustrating that so much time, money and effort has been wasted. This is not an incentive to report defects only to the manufacturer concerned.”

Presentation in Washington

The researchers will present their article on Wednesday 12 August at the same conference that was scheduled two years ago: the USENIX Security Symposium in Washington. The presentation concerns the following manuscript: Roel Verdult, Flavio D. Garcia and Baris Ege, Dismantling Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobilizer.

Usenix Security 2015 program

Special Paper Presentation foreword:

Submission + - Firefox exploit found in the wild, served via advertisement on a news site

vivaoporto writes: A post in the Mozilla Security Blog reports that a Firefox exploit was found in the wild and that all "Firefox users are urged to update to Firefox 39.0.3".

According to Daniel Veditz, Mozilla's security lead, they were informed by a Firefox user that an advertisement on a news site in Russia was serving a Firefox exploit that searched for sensitive files and uploaded them to a server that appears to be in Ukraine.

The vulnerability comes from the interaction of the mechanism that enforces JavaScript context separation (the “same origin policy”) and Firefox’s PDF Viewer. Mozilla products that don’t contain the PDF Viewer, such as Firefox for Android, are not vulnerable. The vulnerability does not enable the execution of arbitrary code but the exploit was able to inject a JavaScript payload into the local file context. This allowed it to search for and upload potentially sensitive local files.

He warns that the exploit "leaves no trace it has been run on the local machine. If you use Firefox on Windows or Linux it would be prudent to change any passwords and keys found in the above-mentioned files if you use the associated programs. People who use ad-blocking software may have been protected from this exploit depending on the software and specific filters being used."
