Privacy

The New York Times Launches Tor Onion Service To Overcome Censorship, Ensure Privacy (betanews.com) 69

Mark Wilson quotes a report from BetaNews: The New York Times has announced that it is launching a Tor Onion Service version of its website. The new, more secure way to access the site will open it up to people around the world whose internet connections are blocked or monitored. It also caters to a growing breed of people who are concerned about what their web browsing habits might reveal and who have turned to Tor to protect their privacy. The new service is described as "experimental and under development," and some features of the website -- such as the ability to comment -- do not work. The NYT warns that fine-tuning of performance and features may mean there are periods of downtime, but the long-term aim is to completely replicate the main website as an Onion Service.
Communications

EA Shuts Down Fan-Run Servers For Older Battlefield Games (arstechnica.com) 132

An anonymous reader quotes a report from Ars Technica: Since 2014, a group of volunteers going by the name Revive Network have been working to keep online game servers running for Battlefield 2, Battlefield 2142, and Battlefield Heroes. As of this week, the team is shutting down that effort thanks to a legal request from publisher Electronic Arts. "We will get right to the point: Electronic Arts Inc.'s legal team has contacted us and nicely asked us to stop distributing and using their intellectual property," the Revive Network team writes in a note on their site. "As diehard fans of the franchise, we will respect these stipulations."

EA's older Battlefield titles were a victim of the 2014 GameSpy shutdown, which disabled the online infrastructure for plenty of classic PC and console games. To get around that, Revive was distributing modified versions of the older Battlefield titles along with a launcher that allowed access to its own, rewritten server infrastructure. The process started with Battlefield 2 in 2014 and expanded to Battlefield 2142 last year, and Battlefield Heroes a few months ago. It's the distribution of modified copies of these now-defunct games that seems to have drawn the ire of EA's legal department. Revive claimed over 900,000 registered accounts across its games, including nearly 175,000 players for the recently revived Battlefield Heroes.

The Internet

Reddit Conducts Wide-Ranging Purge of Offensive Subreddits (arstechnica.com) 330

An anonymous reader quotes a report from Ars Technica: On Wednesday, [Reddit] announced a new policy clarifying its rules against content that incites violence. "We will take action against any content that encourages, glorifies, incites, or calls for violence or physical harm against an individual or a group of people," Reddit administrator landoflobsters wrote. Promoting harm to animals is also against the rules. Within minutes, moderators started to ban a long list of controversial subreddits, including /r/Nazi, /r/DylannRoofInnocent, /r/SexWithDogs, /r/WhitesAreCriminals, and /r/PicsOfDeadKids. The bounds of propriety remain fairly wide at Reddit, however. Commenters pointed out that /r/WatchPeopleDie -- which is exactly what it sounds like -- is still around. Landoflobsters said that site administrators have "no plans to remove it for now." The self-explanatory -- and horrifying -- /r/CuteFemaleCorpses is also still active. Evidently, merely depicting violence is fine as long as people in a subreddit don't glorify violence. In practice, of course, the line between these things is pretty thin. A subreddit devoted to merely discussing violent acts is naturally going to attract people who like to promote violent acts -- especially after bans of related subreddits where those people previously hung out. Reddit's new policy seems like the basis for an endless game of Whac-A-Mole as the Internet's creeps search for new places to exchange disturbing content.
Education

Stephen Hawking's Thesis Crashes Cambridge Site After It's Posted Online (bbc.com) 79

An anonymous reader quotes a report from BBC: Demand for Stephen Hawking's PhD thesis intermittently crashed part of Cambridge University's website as physics fans flocked to read his work. Prof Hawking's 1966 thesis "Properties of expanding universes" was made freely available for the first time on the publications section of the university's website at 00:01 BST. More than 60,000 have so far accessed his work as a 24-year-old postgraduate. Prof Hawking said by making it available he hoped to "inspire people." He added: "Anyone, anywhere in the world should have free, unhindered access to not just my research, but to the research of every great and enquiring mind across the spectrum of human understanding. It's wonderful to hear how many people have already shown an interest in downloading my thesis -- hopefully they won't be disappointed now that they finally have access to it!" The 75-year-old's doctoral thesis is the most requested item in Cambridge University's library. Since May 2016, 199 requests were made for the PhD -- most of which are believed to be from the general public rather than academics. The next most requested publication was asked for just 13 times. The Cambridge Library made several PDF files of the thesis available for download -- a high-resolution "72 Mb" file, a digitized version that's less than half the size, and a "reduced" version that was even smaller -- but intense interest overwhelmed the servers. Here's the first paragraph of Hawking's introduction: "The idea that the universe is expanding is of recent origin. All the early cosmologies were essentially stationary and even Einstein whose theory of relativity is the basis for almost all modern developments in cosmology, found it natural to suggest a static model of the universe. However there is a very grave difficulty associated with a static model such as Einstein's which is supposed to have existed for an infinite time. For, if the stars had been radiating energy at their present rates for an infinite time, they would have needed an infinite supply of energy. Further, the flux of radiation now would be infinite. Alternatively, if they had only a limited supply of energy, the whole universe would by now have reached thermal equilibrium which is certainly not the case. This difficulty was noticed by Olbers who however was not able to suggest any solution. The discovery of the recession of the nebulae by Hubble led to the abandonment of static models in favour of ones which were expanding."
Advertising

Could Cryptocurrency Mining Kill Online Advertising? (linkedin.com) 164

"Could it turn out users actually prefer to trade a little CPU time to website owners in favor of them not showing ads?" writes phonewebcam, a long-time Slashdot reader. Slashdot covered the downside [of in-browser cryptocurrency mining] recently, with even [Portuguese professional sportsballer] Cristiano Ronaldo's official site falling victim, but that may not be the full story. This could be an ideal win-win situation, except for one huge downside -- the current gang of online advertisers.
By "current gang of online advertisers," he means Google, according to a longer essay at LinkedIn: Naturally, the world's largest ad broker, which runs the world's most popular browser (desktop and mobile), is keen to see how this plays out, and is also uniquely placed to be able to heavily influence it, too... As it happens, Chrome users can already do something about it via extensions, for example AntiMiner... If cryptocurrencies have a future - and that's a big if (look at China's Bitcoin ban) - it could well turn out that their role just took an unexpected turn.
Chrome

Google Engineers Explore Ways To Stop In-Browser Cryptocurrency Miners in Chrome (bleepingcomputer.com) 189

An anonymous reader writes: Google Chrome engineers are considering adding a special browser permission that will thwart the rising trend of in-browser cryptocurrency miners. Discussions on the topic of in-browser miners have been going on the Chromium project's bug tracker since mid-September when Coinhive, the first such service, launched. "Here's my current thinking," Ojan Vafai, a Chrome engineer working on the Chromium project, wrote in one of the recent bug reports. "If a site is using more than XX% CPU for more than YY seconds, then we put the page into 'battery saver mode' where we aggressively throttle tasks and show a toast [notification popup] allowing the user to opt-out of battery saver mode. When a battery saver mode tab is backgrounded, we stop running tasks entirely. I think we'll want measurement to figure out what values to use for XX and YY, but we can start with really egregious things like 100% and 60 seconds. I'm effectively suggesting we add a permission here, but it would have unusual triggering conditions [...]. It only triggers when the page is doing a likely bad thing."

An earlier suggestion had Google create a blacklist and block the mining code at the browser level. That suggestion was shut down as being too impractical and something better left to extensions.

News

Slashdot's 20th Anniversary: History of Slashdot 207

Slashdot turned 20 this month, which is ancient in internet years. How far have we come?

Also, we've set up a page to coordinate user meet-ups around the world to celebrate. Read on for the full 20-year history of Slashdot.

Security

The Internet Is Ripe With In-Browser Miners and It's Getting Worse Each Day (bleepingcomputer.com) 362

Catalin Cimpanu, reporting for BleepingComputer: Ever since mid-September, when Coinhive launched and the whole cryptojacking frenzy started, the Internet has gone crazy with in-browser cryptocurrency miners, and new sites that offer similar services are popping up on a weekly basis. While one might argue that mining Monero in a site's background is an acceptable alternative to viewing intrusive ads, almost none of these services that have recently appeared provide a way to let users know what's happening, let alone a way to stop mining behavior. In other words, most are behaving like malware, intruding on users' computers and using resources without permission. [...] Bleeping Computer spotted two new services named MineMyTraffic and JSEcoin, while security researcher Troy Mursch also spotted Coin Have and PPoi, a Coinhive clone for Chinese users. On top of this, just last night, Microsoft spotted two new services called CoinBlind and CoinNebula, both offering similar in-browser mining services, with CoinNebula configured in such a way that users couldn't report abuse. Furthermore, neither of these two services even has a homepage, revealing their true intentions to be deployed in questionable scenarios.
The Internet

Not Just Equifax. Rival Site Transunion Served Malware Too -- and 1,000 More Sites (arstechnica.com) 68

An anonymous reader quotes Ars Technica: Equifax isn't the only credit-reporting behemoth with a website redirecting visitors to fake Adobe Flash updates. A security researcher from AV provider Malwarebytes said transunioncentroamerica.com, a TransUnion site serving people in Central America, [was] also sending visitors to the fraudulent updates and other types of malicious pages... Malwarebytes security researcher Jerome Segura says he was able to repeatedly reproduce a similar chain of fraudulent redirects when he pointed his browser to the transunioncentroamerica.com site. On some occasions, the final link in the chain would push a fake Flash update. In other cases, it delivered an exploit kit that tried to infect computers with unpatched browsers or browser plugins... "This is not something users want to have," Segura told Ars...

Equifax on Thursday was quick to say that its systems were never compromised in the attacks. TransUnion said much the same thing. This is an important distinction in some respects because it means that the redirections weren't the result of attackers having access to restricted parts of either company's networks. At the same time, the incidents show that visitors to both sites remain much more vulnerable to malicious content than they should be.

Both sites hosted fireclick.js, an old script from a small web analytics company which pulls pages from sites like Akamai, SiteStats.info, and Ostats.net. "It appears that attackers have compromised the third-party library," writes BankInfoSecurity, adding that Malwarebytes estimates over 1,000 more sites are using the same library.
Security

Equifax Website Hacked Again, this Time To Redirect To Fake Flash Update (arstechnica.com) 150

For several hours on Wednesday Equifax's website was compromised again, this time to deliver fraudulent Adobe Flash updates, which, when clicked, infected visitors' computers with adware that was detected by only three of 65 antivirus providers, reports Dan Goodin at Ars Technica. From the report: Randy Abrams, an independent security analyst by day, happened to visit the site Wednesday evening to contest what he said was false information he had just found on his credit report. Eventually, his browser opened up a page on the domain hxxp:centerbluray.info. He was understandably incredulous. The site that previously gave up personal data for virtually every US person with a credit history was once again under the control of attackers, this time trying to trick Equifax visitors into installing crapware Symantec calls Adware.Eorezo. Knowing a thing or two about drive-by campaigns, Abrams figured the chances were slim he'd see the download on follow-on visits. To fly under the radar, attackers frequently serve the downloads to only a select number of visitors, and then only once. Abrams tried anyway, and to his amazement, he encountered the bogus Flash download links on at least three subsequent visits. Update: Equifax said on Thursday it was taking one of its web pages offline as its security team looks into reports of another potential cyber breach.
Privacy

US Government Has 'No Right To Rummage' Through Anti-Trump Protest Website Logs, Says Judge (theregister.co.uk) 277

A Washington D.C. judge has told the U.S. Department of Justice it "does not have the right to rummage" through the files of an anti-Trump protest website -- and has ordered the dot-org site's hosting company to protect the identities of its users. The Register reports: Chief Judge Robert E. Morin issued the revised order [PDF] Tuesday following a high-profile back and forth between the site's hosting biz DreamHost and prosecutors over what details Uncle Sam was entitled to with respect to the disruptj20.org website. "As previously observed, courts around the country have acknowledged that, in searches for electronically stored information, evidence of criminal activity will likely be intermingled with communications and other records not within the scope of the search warrant," he noted in his ruling. "Because of the potential breadth of the government's review in this case, the warrant in its execution may implicate otherwise innocuous and constitutionally protected activity. As the Court has previously stated, while the government has the right to execute its Warrant, it does not have the right to rummage through the information contained on DreamHost's website and discover the identity of, or access communications by, individuals not participating in alleged criminal activity, particularly those persons who were engaging in protected First Amendment activities." The order then lists a series of protocols designed to protect netizens "to comply with First Amendment and Fourth Amendment considerations, and to prevent the government from obtaining any identifying information of innocent persons."
Java

Java Coders Are Getting Bad Security Advice From Stack Overflow (helpnetsecurity.com) 236

Slashdot reader Orome1 quotes Help Net Security: A group of Virginia Tech researchers has analyzed hundreds of posts on Stack Overflow, a popular developer forum/Q&A site, and found that many of the developers who offer answers do not appear to understand the security implications of coding options, showing a lack of cybersecurity training. Another thing they discovered is that, sometimes, the most upvoted posts/answers contain insecure suggestions that introduce security vulnerabilities in software, while correct fixes are less popular and visible simply because they have been offered by users with a lower reputation score...

The researchers concentrated on posts relevant to Java security, from both software engineering and security perspectives, and on posts addressing questions tied to Spring Security, a third-party Java framework that provides authentication, authorization and other security features for enterprise applications... Developers are frustrated when they have to spend too much time figuring out the correct usage of APIs, and often end up choosing completely insecure-but-easy fixes such as using obsolete cryptographic hash functions, disabling cross-site request forgery protection, trusting all certificates in HTTPS verification, or using obsolete communication protocols. "These poor coding practices, if used in production code, will seriously compromise the security of software products," the researchers pointed out.

The researchers blame "the rapidly increasing need for enterprise security applications, the lack of security training in the software development workforce, and poorly designed security libraries." Among their suggested solutions: new developer tools which can recognize security errors and suggest patches.
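Two of the "insecure-but-easy fixes" the researchers name, each placed beside its correct form, as an added example that is not code from the study or from any Stack Overflow post (the class and method names are assumed). The trust-all TrustManager and the unsalted MD5 hash are the patterns to reject in review; the Spring Security CSRF switch is left out because it needs the framework on the classpath.

```java
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

// Hypothetical class name; the two "insecure" methods reproduce the anti-patterns
// the study describes and exist only to be compared with the methods below them.
public class InsecureVsSecure {

    // INSECURE: "trust all certificates". A TrustManager whose check methods do
    // nothing accepts any chain, and a HostnameVerifier that always returns true
    // accepts any name, so an on-path attacker's certificate is accepted silently.
    static void trustEverything() throws Exception {
        TrustManager[] trustAll = new TrustManager[] {
            new X509TrustManager() {
                public void checkClientTrusted(X509Certificate[] chain, String authType) { }
                public void checkServerTrusted(X509Certificate[] chain, String authType) { }
                public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, new SecureRandom());
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
        HttpsURLConnection.setDefaultHostnameVerifier((host, session) -> true);
    }

    // SECURE: keep the JDK defaults. The platform trust store and default hostname
    // verifier already validate the chain and the name; a self-signed test
    // certificate belongs in a dedicated trust store (keytool -importcert),
    // not in a disabled check.
    static HttpsURLConnection openVerified(URL url) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(SSLContext.getDefault().getSocketFactory());
        return conn;
    }

    // INSECURE: "obsolete cryptographic hash function". Unsalted MD5 of a password
    // is fast to brute-force and reversible with precomputed tables.
    static String md5Password(String password) throws Exception {
        byte[] digest = MessageDigest.getInstance("MD5")
                .digest(password.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(digest);
    }

    // SECURE: salted PBKDF2-HMAC-SHA256 with a high iteration count; salt and
    // iteration count are stored next to the derived key so they can be verified.
    static String pbkdf2Password(char[] password) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        int iterations = 310_000;
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, 256);
        byte[] key = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(spec).getEncoded();
        spec.clearPassword();
        return iterations + ":" + Base64.getEncoder().encodeToString(salt)
                + ":" + Base64.getEncoder().encodeToString(key);
    }

    static boolean verifyPbkdf2(char[] password, String stored) throws Exception {
        String[] parts = stored.split(":");
        int iterations = Integer.parseInt(parts[0]);
        byte[] salt = Base64.getDecoder().decode(parts[1]);
        byte[] expected = Base64.getDecoder().decode(parts[2]);
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, expected.length * 8);
        byte[] key = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(spec).getEncoded();
        spec.clearPassword();
        return MessageDigest.isEqual(expected, key); // constant-time comparison
    }

    public static void main(String[] args) throws Exception {
        String stored = pbkdf2Password("correct horse".toCharArray());
        System.out.println("verify ok:  " + verifyPbkdf2("correct horse".toCharArray(), stored));
        System.out.println("verify bad: " + verifyPbkdf2("wrong".toCharArray(), stored));
    }
}
```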
Education

Publishers Take ResearchGate To Court, Seek Removal of Millions of Papers (sciencemag.org) 66

An anonymous reader quotes a report from Science Magazine: Scholarly publishing giants Elsevier and the American Chemical Society (ACS) have filed a lawsuit in Germany against ResearchGate, a popular academic networking site, alleging copyright infringement on a mass scale. The move comes after a larger group of publishers became dissatisfied with ResearchGate's response to a request to alter its article-sharing practices. ResearchGate, a for-profit firm based in Berlin, Germany, which was founded in 2008, is one of the largest social networking sites aimed at the academic community. It claims more than 13 million users, who can use their personal pages to upload and share a wide range of material, including published papers, book chapters and meeting presentations.

Yesterday, a group of five publishers -- ACS, Elsevier, Brill, Wiley and Wolters Kluwer -- announced that ResearchGate had rejected the association's proposal. Instead, the group, which calls itself the "Coalition for Responsible Sharing," said in an October 5th statement that ResearchGate suggested publishers should send the company formal notices, called "takedown notices," asking it to remove content that breaches copyright. The five publishers will be sending takedown notices, according to the group. But the coalition also alleges that ResearchGate is illicitly making as many as 7 million copyrighted articles freely available, and that the company's "business model depends on the distribution of these in-copyright articles to generate traffic to its site, which is then commercialized through the sale of targeted advertising." The coalition also states that sending millions of takedown notices "is not a viable long-term solution, given the current and future scale of infringement. Sending large numbers of takedown notices on an ongoing basis will prove highly disruptive to the research community." As a result, two coalition members -- ACS and Elsevier -- have opted to go to court to try to force ResearchGate's hand.

Facebook

Facebook Removed References To Russia From Fake-News Report (arstechnica.com) 54

An anonymous reader quotes a report from Ars Technica: Back in April, Facebook published a report called "Information Operations and Facebook" that detailed the company's efforts to combat fake news and other misinformation campaigns on the site. The report was released in the midst of an uproar over potential Russian meddling in the 2016 presidential campaign. But the report doesn't mention Russia by name, saying only that Facebook's data "does not contradict" a January report by the Obama administration detailing Russian meddling in the election. On Friday, The Wall Street Journal reported that the decision not to mention Russia was hotly debated inside Facebook. An earlier draft of the report discussed what Facebook knew at that time about Russian meddling, but that material was ultimately removed from the report before publication. "Some at Facebook pushed to not include a mention of Russia in the report because the company's understanding of Russian activity was too speculative, according to one of the people," according to the Journal.
Slashdot.org

20 Years of Stuff That Matters 726

Today we're marking Slashdot's 20th birthday. 20 years is a long time on the internet. Many websites have come and gone over that time, and many that stuck around haven't had any interest in preserving their older content. Fortunately, as Slashdot approaches its 163,000th story, we've managed to keep track of almost all our old postings - all but the first 2^10, or so. In addition to that, we've held onto user comments, the lifeblood of the site, from 1999 onward. As we celebrate Slashdot's 20th anniversary this month, we thought we'd take a moment to highlight a few of the notable or interesting stories and discussions that have happened here in the past decade and a half. This is part of our 20-year anniversary celebration, and we've set up a page to coordinate user meet-ups. We'll be continuing to run some special pieces throughout the month, so keep an eye out for those.

Read on for a trip down memory lane.

Update: Slashdot founder CmdrTaco has taken to Medium with some of his own Slashdot nostalgia.
The Internet

Cloudflare Ditches Sites That Use Coinhive Mining "malware" (betanews.com) 84

Mark Wilson writes: Bitcoin has been in the news for some time now as its value climbs and drops, but most recently interest turned to mining code embedded in websites. The Pirate Bay was one of the first sites to be seen using Coinhive code to secretly mine using visitors' CPU time, and then we saw similar activity from the SafeBrowse extension for Chrome. The discovery of the code was a little distressing for visitors to the affected sites, and internet security and content delivery network (CDN) firm Cloudflare is taking action to clamp down on what it is describing as malware. Torrent proxy site ProxyBunker.online has contacted TorrentFreak to say that Cloudflare has dropped it as a customer. The reason given for ProxyBunker's suspension is that the site has been using Coinhive code on several of the domains it owns.
Chrome

Google Chrome Will Block Tab-Under Behavior (bleepingcomputer.com) 66

An anonymous reader writes: Google is working on blocking tab-under behavior in Chrome, according to a document seen by Bleeping Computer. For users unfamiliar with the jargon, Google considers it tab-under behavior when an unsuspecting user is scrolling or clicking on a page, but the site duplicates the current page in another tab and shows an ad or a new website in the page the user was initially reading. Countless website owners and advertisers have abused tab-unders to show ads and redirect users to unwanted sites, all for the sake of ad impressions and redirection fees. This demo site, created by Google engineers, shows how tab-unders work. Earlier today, Google published a document detailing three ways it's currently looking at for dealing with tab-unders in Chrome. The current approved proposal is for the browser maker to block websites before opening a new tab, similar to the pop-up blocking mechanism. According to Chrome engineer Charles Harrison, the tab-under blocking feature will be supported on five of the six Blink platforms -- Windows, Mac, Linux, Chrome OS, and Android, but not Android WebView. Once the feature is ready, it will ship with Chrome Canary under its own option on the chrome://flags settings page.
Communications

Judge Recommends ISP and Search Engine Blocking of Sci-Hub in the US (torrentfreak.com) 196

Sci-Hub, which is regularly referred to as the "Pirate Bay of Science," faces one of the strongest anti-piracy injunctions we have seen in the US to date, reports TorrentFreak. From the article: Earlier this year the American Chemical Society (ACS), a leading source of academic publications in the field of chemistry, filed a lawsuit against Sci-Hub and its operator Alexandra Elbakyan. Sci-Hub was made aware of the legal proceedings but did not appear in court. As a result, a default was entered against the site. In addition to millions of dollars in damages, ACS also requested third-party Internet intermediaries to take action against the site. While the request is rather unprecedented for the US, as it includes search engine and ISP blocking, Magistrate Judge John Anderson has included these measures in his recommendations. Judge Anderson agrees that Sci-Hub is guilty of copyright and trademark infringement. In addition to $4,800,000 in statutory damages, he recommends a broad injunction that would require search engines, ISPs, domain registrars and other services to block Sci-Hub's domain names. If the U.S. District Court Judge adopts this recommendation, it would mean that Internet providers such as Comcast could be ordered to block users from accessing Sci-Hub.
Google

Google and Facebook Failed Us (theatlantic.com) 320

The world's most powerful information gatekeepers neglected their duties in Las Vegas. Again. From a report: In the crucial early hours after the Las Vegas mass shooting, it happened again: Hoaxes, completely unverified rumors, failed witch hunts, and blatant falsehoods spread across the internet. But they did not do so by themselves: They used the infrastructure that Google and Facebook and YouTube have built to achieve wide distribution. These companies are the most powerful information gatekeepers that the world has ever known, and yet they refuse to take responsibility for their active role in damaging the quality of information reaching the public. BuzzFeed's Ryan Broderick found that Google's "top stories" results surfaced 4chan forum posts about a man that right-wing amateur sleuths had incorrectly identified as the Las Vegas shooter. 4chan is a known source not just of racism, but hoaxes and deliberate misinformation. In any list a human might make of sites to exclude from being labeled as "news," 4chan would be near the very top. [...] Of course, it is not just Google. On Facebook, a simple search for "Las Vegas" yields a Group called "Las Vegas Shooting /Massacre," which sprung up after the shooting and already has more than 5,000 members. The group is run by Jonathan Lee Riches, who gained notoriety by filing 3,000 frivolous lawsuits while serving a 10-year prison sentence after being convicted for stealing money by impersonating people whose bank credentials had been phished. Now, he calls himself an "investigative journalist" with Infowars, though there is no indication he's been published on the site, and given that he also lists himself as a former male underwear model at Victoria's Secret, a former nuclear scientist at Chernobyl, and a former bodyguard at Buckingham Palace, his work history may not be reliable. The problems with surfacing this man's group to Facebook users are obvious to literally any human. But to Facebook's algorithms, it's just a fast-growing group with an engaged community.
Security

Equifax Says 2.5 Million More Americans May Be Affected By Hack (reuters.com) 78

According to Reuters, Equifax said about 2.5 million additional U.S. consumers may have been impacted by a cyber attack at the company last month. Last month, the company disclosed that personal details of up to 143 million U.S. consumers were accessed by hackers between mid-May and July.

As for what led to the breach, Ars Technica reports it was "a series of costly delays and crucial errors." From the report: Chief among the failures: an Equifax e-mail directing administrators to patch a critical vulnerability in the open source Apache Struts Web application framework went unheeded, despite a two-day deadline to comply. Equifax also waited a week to scan its network for apps that remained vulnerable. Even then, the delayed scan failed to detect that the code-execution flaw still resided in a section of the sprawling Equifax site that allows consumers to dispute information they believe is incorrect. Equifax said last month that the still-unidentified attackers gained an initial hold in the network by exploiting the critical Apache Struts vulnerability.
