Slashdot contributor Bennett Haselton writes: "A California company called Shape Security claims that their network box can disable malware attacks, by using polymorphism to rewrite webpages before they are sent to the user's browser. Most programmers will immediately spot several ways that the system can be defeated, but it may still slow attackers down or divert them towards other targets." Read on for the rest of Bennett's thoughts.

An anonymous reader writes "Researchers in China have shown that a graphene sheath can modulate light transmission through an optical fiber at 200 GHz. The graphene, even crudely draped over the optic fiber on a microscope slide, absorbed some of the light passing through the fiber. But a preceding short-wavelength light pulse could temporarily disable the effect, enabling an all-optical infrared fiber-optic switch. Recovery was fast enough to enable modulation of transmitted light at 200 GHz using conventional fiber-optic communication wavelengths and thinned commercial telecommunications fibers. The findings could have use in telecommunications industry and future high-speed on-chip optical interconnects."

tsu doh nimh writes "Authorities in Europe joined Microsoft Corp. this week in disrupting 'ZeroAccess,' a vast botnet that has enslaved more than two million PCs with malicious software in an elaborate and lucrative scheme to defraud online advertisers. KrebsOnSecurity.com writes that it remains unclear how much this coordinated action will impact the operations of ZeroAccess over the long term, but for now the PCs infected with the malware remain infected and awaiting new instructions. ZeroAccess employs a peer-to-peer architecture in which new instructions and payloads are distributed from one infected host to another. The actions this week appear to have targeted the servers that deliver a specific component of ZeroAccess that gives infected systems new instructions on how to defraud various online advertisers, including Microsoft. While this effort will not disable the ZeroAccess botnet (the infected systems will likely remain infected), it should allow Microsoft to determine which online affiliates and publishers are associated with the miscreants behind ZeroAccess, since those publishers will have stopped sending traffic directly after the takedown occurred. Europol has a released a statement on this action, and Microsoft has published a large number of documents related to its John Doe lawsuits intended to unmask the botnet the ZeroAccess operators and shut down the botnet."

Trailrunner7 writes "The RC4 and SHA-1 algorithms have taken a lot of hits in recent years, with new attacks popping up on a regular basis. Many security experts and cryptographers have been recommending that vendors begin phasing the two out, and Microsoft on Tuesday said it is now recommending to developers that they deprecate RC4 and stop using the SHA-1 hash algorithm. RC4 is among the older stream cipher suites in use today, and there have been a number of practical attacks against it, including plaintext-recovery attacks. The improvements in computing power have made many of these attacks more feasible for attackers, and so Microsoft is telling developers to drop RC4 from their applications. The company also said that as of January 2016 it will no longer will validate any code signing or root certificate that uses SHA-1."

Slashdot contributor Bennett Haselton writes "A recent webinar for newsletter publishers suggested that if you want your emails not to be blocked as 'spam,' you paradoxically have to engage in some practices that contribute to the erosion of users' privacy, including some tactics similar to what many spammers are doing. The consequences aren't disastrous, but besides being a loss for privacy, it's another piece of evidence that free-market forces do not necessarily lead to spam filters that are optimal for end users." Read on for the rest of Bennett's thoughts.

An anonymous reader writes "According to the Washington Post, 'Former Vice President Dick Cheney says he once feared that terrorists could use the electrical device that had been implanted near his heart to kill him and had his doctor disable its wireless function. Cheney has a history of heart trouble, suffering the first of five heart attacks at age 37. ... In an interview with CBS' 60 Minutes, Cheney says doctors replaced an implanted defibrillator near his heart in 2007. The device can detect irregular heartbeats and control them with electrical jolts. Cheney says that he and his doctor, cardiologist Jonathan Reiner, turned off the device's wireless function in case a terrorist tried to send his heart a fatal shock.' More at CBS News."

New submitter gamersunited writes with news of Blizzard Entertainment's defeat of another company that created bot software to automate World of Warcraft characters. Ceiling Fan Software faces a judgment of $7 million, and must disable any active licenses for the software. They're also forbidden from transferring or open-sourcing the bot software, and from facilitating its continued use in any way. The court order (PDF) follows more than two years of legal wrangling. Blizzard won a similar judgment a few years ago against another bot company called MDY Industries, which created the popular Glider bot.

solareagle writes "The BBC reports that an Alaskan airport says it has had to place barricades across one of its taxiways after an Apple Maps flaw resulted in iPhone users driving across a runway. The airport said it had complained to the phone-maker through the local attorney general's office. 'We asked them to disable the map for Fairbanks until they could correct it, thinking it would be better to have nothing show up than to take the chance that one more person would do this,' Melissa Osborn, chief of operations at the airport, told the Alaska Dispatch newspaper. The airport said it had been told the problem would be fixed by Wednesday. However the BBC still experienced the issue when it tested the app, asking for directions to the site from a property to the east of the airport. By contrast the Google Maps app provided a different, longer route which takes drivers to the property's car park."

Hugh Pickens DOT Com writes "Jason Healey writes at Defense One that if the Obama administration conducts military strikes against Syria, as now seems likely, it should use military cyber weapons at the earliest possible moment to show 'that cyber operations are not evil witchcraft but can be humanitarian.' Cyber capabilities could first disrupt Syrian air defenses directly or confuse military command and control, allowing air strikes to proceed unchallenged. A cyber strike might also disable dual-use Syrian critical infrastructure (such as electrical power) that aids the regime's military but with no long-term destruction as would be caused by traditional bombs. Last, it is possible the U.S. military has cyber capabilities to directly disrupt the operations of Syria's chemical troops. Healy writes that one cyberweapon that should not be used is covert cyber operations against Bashar Assad's finances. 'Both of his immediate predecessors declined such attacks and the world economy and financial sector are already in a perilous state.' Before the American-led strikes against Libya in 2011, the Obama administration debated whether to conduct a cyberoffensive to disrupt the Qaddafi government's air-defense system, but balked, fearing that it might set a precedent for other nations, in particular Russia or China, to carry out such offensives of their own. This time should be different in Healey's view. 'By sparing the lives of Syrian troops and nearby civilians, an opening cyber operation against Syria could demonstrate exactly how such capabilities can be compliant with international humanitarian law,' writes Healey. 'America should take this chance to demystify these weapons to show the world they, and the U.S. military in general, can be used on the battlefield in line with humanitarian principles.'"

itwbennett writes "The TOR Project is advising that people stop using Windows after the discovery of a startling vulnerability in Firefox that undermined the main advantages of the privacy-centered network. The zero-day vulnerability allowed as-yet-unknown interlopers to use a malicious piece of JavaScript to collect crucial identifying information on computers visiting some websites using The Onion Router (TOR) network. 'Really, switching away from Windows is probably a good security move for many reasons,' according to a security advisory posted Monday by The TOR Project."

An anonymous reader writes "Today's home routers include a multitude of extra functionality, such as the ability to act as a file and print server. An article from CNET shows how an attacker can use vulnerabilities in these services, such as buffer overflows, directory traversal, race conditions, command injections, and bad permissions to take over the router from the local network without knowing the administrative password. Some of the worst vulnerabilities were in undocumented, proprietary services that users cannot disable and allowed an attacker to achieve a root shell. The researchers who discovered the vulnerabilities will be demonstrating them at the Wall of Sheep and Wireless Village at DEF CON."

Bennett Haselton writes "How did a $400-billion company ship millions of units of a phone with a calendar app that displays the wrong date, a texting app that can't reply to group texts, a screen capture function that doesn't work, and a phone app that won't let me use the keypad unless the speakerphone is on? The answer, perhaps, suggests deeper questions about why market forces fix certain problems but not others, and what to do about it." Read on for the rest of Bennett's thoughts.

An anonymous reader writes "When Google first announced Google Reader would be shut down, the news kick-started a very competitive race to create the best alternative. At least one service, however, did not welcome the change, and is now planning to close up shop next month: The Old Reader. In fact, if you navigate to the service's homepage now, you'll be greeted by this sad message: "Unfortunately we had to disable user registration at The Old Reader." In two weeks, the public site will be shut down and a private one, available to a select few (accounts will be migrated automatically), will take its place." An update on the story says "We have received a number of proposals that we are discussing right now. Chances are high that public The Old Reader will live after all," so a reprieve may be possible.

wiredmikey writes with this tidbit from Security Week: "Earlier this month, researchers from Bluebox Security uncovered a serious vulnerability in Android that allowed for the modification of apps without affecting the cryptographic signature, making it possible for attackers to turn legitimate apps into Trojans. ... Now, Symantec says it has uncovered the first malicious apps making use of the exploit in the wild. Symantec discovered two mobile applications that were infected by an attacker, which are legitimate applications used to help find and make doctor appointments and distributed on Android marketplaces in China. 'An attacker has taken both of these applications and added code to allow them to remotely control devices, steal sensitive data such as IMEI and phone numbers, send premium SMS messages, and disable a few Chinese mobile security software applications by using root commands, if available,' Symantec explained in a blog post. ... Google has fixed the security hole in Android, but it is now in the control of handset manufacturers to produce and release the updates for mobile devices to patch the flaws."

First time accepted submitter supachupa writes "It seems the past couple of years that spearfishing is getting very convincing and it is becoming more and more likely someone (including myself) will accidentally click on a PDF attachment with malicious javascript embedded. It would be impossible to block PDFs as they are required for business. We do disable javascript on Adobe reader, but I would sleep a lot better knowing the code is removed completely. I have looked high and low but could not find a cheap out of the box solution or a 'how to' guide for automatically neutralizing PDFs by stripping out the javascript. The closest thing I could find is using PDF2PS and then reversing the process with PS2PDF. Does anyone know of a solution for this that is not too complex, works preferably at the SMTP relay, and can work with ZIPed PDFs as well, or have some common sense advice for dealing with this so that once its in place, there is no further action required by myself or by users."

mikejuk writes "It seems that Firefox 23, currently in beta, has removed the option to disable JavaScript. Is this good for programmers and web apps? Why has Mozilla decided that this is the right thing to do? The simple answer is that there is a growing movement to reduce user options that can break applications. The idea is that if you provide lots of user options then users will click them in ways that aren't particularly logical. The result is that users break the browser and then complain that it is broken. For example, there are websites that not only don't work without JavaScript, but they fail in complex ways — ways that worry the end user. Hence, once you remove the disable JavaScript option Firefox suddenly works on a lot of websites. Today there are a lot of programmers of the opinion that if the user has JavaScript off then its their own fault and consuming the page without JavaScript is as silly as trying to consume it without HTML."

savuporo writes "The National Highway Traffic Safety Administration and the Department of Transportation are considering technological solutions for people to stop using their cellphones while driving. Proximity detectors or requiring physical link with the car are the solutions under the scope. From the article: 'NHTSA wants automakers to make it impossible to enter text for messaging and internet browsing while the car is in motion, disable any kind of video functionality and prevent text-based information such as social media content or text messages from being displayed.' Obviously these regulations would need to go beyond cellphones, as laptop, tablet or any other gadget with a 3G data connection or even on a wi-fi hotspot made by your phone would be equally distracting."

New submitter Anand Radhakrishnan writes "The release candidate for the much-anticipated Linux Mint 15 'Olivia' is available for user testing. Its many new features include Cinnamon Control center, an improved login manager with HTML 5 support, a driver manager, and a lot of under-the-hood improvements. 'A new tool called MintSources, aka "Software Sources," was developed from scratch with derivative distributions in mind (primarily Linux Mint, but also LMDE, Netrunner and Snow Linux). It replaces software-properties-gtk and is perfectly adapted to managing software sources in Linux Mint. From the main screen you can easily enable or disable optional components and gain access to backports, unstable packages and source code.' This release with Cinnamon looks really tempting."

First time accepted submitter exomondo writes "Google has given Microsoft until May 22nd to pull their Windows Phone 8 YouTube app from the marketplace and disable it on customer devices. It not only includes a built-in ad blocker but also allows users to download videos and doesn't impose device-specific streaming restrictions outlined in the YouTube Terms Of Service. A Microsoft spokesperson said in part: 'YouTube is consistently one of the top apps downloaded by smartphone users on all platforms, but Google has refused to work with us to develop an app on par with other platforms. Since we updated the YouTube app to ensure our mutual customers a similar YouTube experience, ratings and feedback have been overwhelmingly positive. We'd be more than happy to include advertising but need Google to provide us access to the necessary APIs. In light of Larry Page's comments today calling for more interoperability and less negativity, we look forward to solving this matter together for our mutual customers.'"

colinneagle sends this quote from an article at NetworkWorld: "I run a very nifty desktop utility called Rainmeter on my PC that I heartily recommend to anyone who wants to keep an eye on their system. One of its main features is it has skins that can monitor your system activity. Thanks to my numerous meters, I see all CPU, disk, memory and network activity in real time. the C: drive meter. It is a circle split down the middle, with the right half lighting up to indicate a read and the left half lighting up for write activity. The C: drive was flashing a fair amount of activity considering I had nothing loaded save Outlook and Word, plus a few background apps. At the time, I didn't have a Rainmeter skin that lists the top processes by CPU and memory. So instead, I went into the Task Manager, and under Performance selected the Resource Monitor. Under the Processes tab, the culprit showed its face immediately: AppleMobileDeviceService.exe. It was consuming a ridiculous amount of threads and CPU cycles. The only way to turn it off is to go into Windows Services and turn off the service. There's just one problem. I use an iPhone. I can't disable it. But doing so for a little while dropped the CPU meters to nothing. So I now have more motivation to migrate to a new phone beyond just having one with a larger screen. This problem has been known for years. AppleMobileDeviceService.exe has been in iTunes since version 7.3. People complained on the Apple boards more than two years ago that it was consuming up to 50% of CPU cycles, and thus far it's as bad as it always has been. Mind you, Mac users aren't complaining. Just Windows users."