Privacy

Over 400 of the World's Most Popular Websites Record Your Every Keystroke (vice.com) 263

An anonymous reader quotes a report from Motherboard: The idea of websites tracking users isn't new, but research from Princeton University released last week indicates that online tracking is far more invasive than most users understand. In the first installment of a series titled "No Boundaries," three researchers from Princeton's Center for Information Technology Policy (CITP) explain how third-party scripts that run on many of the world's most popular websites track your every keystroke and then send that information to a third-party server. Some highly-trafficked sites run software that records every time you click and every word you type. If you go to a website, begin to fill out a form, and then abandon it, every letter you entered is still recorded, according to the researchers' findings. If you accidentally paste something into a form that was copied to your clipboard, it's also recorded. These scripts, or bits of code that websites run, are called "session replay" scripts. Session replay scripts are used by companies to gain insight into how their customers are using their sites and to identify confusing webpages. But the scripts don't just aggregate general statistics; they record, and are capable of playing back, individual browsing sessions. The scripts don't run on every page, but are often placed on pages where users input sensitive information, like passwords and medical conditions. Most troubling is that the information session replay scripts collect can't "reasonably be expected to be kept anonymous," according to the researchers.
Android

A Surge of Sites and Apps Are Exhausting Your CPU To Mine Cryptocurrency (arstechnica.com) 128

Dan Goodin, writing for ArsTechnica: The Internet is awash with covert crypto currency miners that bog down computers and even smartphones with computationally intensive math problems called by hacked or ethically questionable sites. The latest examples came on Monday with the revelation from antivirus provider Trend Micro that at least two Android apps with as many as 50,000 downloads from Google Play were recently caught putting crypto miners inside a hidden browser window. The miners caused phones running the apps to run JavaScript hosted on Coinhive.com, a site that harnesses the CPUs of millions of PCs to mine the Monero crypto currency. In turn, Coinhive gives participating sites a tiny cut of the relatively small proceeds. Google has since removed the apps, which were known as Recitiamo Santo Rosario Free and SafetyNet Wireless App. Last week, researchers from security firm Sucuri warned that at least 500 websites running the WordPress content management system alone had been hacked to run the Coinhive mining scripts. Sucuri said other Web platforms -- including Magento, Joomla, and Drupal -- are also being hacked in large numbers to run the Coinhive programming interface.
Bitcoin

Over 500 Million PCs Are Secretly Mining Cryptocurrency, Researchers Reveal (newsweek.com) 78

Ad blocking firm AdGuard has found that over 500 million people are inadvertently mining cryptocurrencies through their computers after visiting websites that are running background mining software. The company found 220 popular websites with an aggregated audience of half a billion people use so-called crypto-mining scripts when a user opens their main page. Newsweek reports: The mining tool works by hijacking a computer's central processing unit (CPU), commonly referred to as "the brains" of a computer. Using part of a computer's CPU to mine bitcoin affects the machine's overall performance and will slow it down by using up processing power. The researchers found that bitcoin browser mining is mostly found on websites "with a shady reputation" due to the trouble such sites have with earning revenue through advertising. However, in the future it could become a legitimate and ethical way of making money if the website requests the permission of the visitor first.

"220 sites may not seem like a lot," the researchers wrote in a blogpost detailing their discovery. "But CoinHive was launched less than one month ago on September 14. The growth has been extremely rapid: from nearly zero to 0.22 percent of Alexa's top 100,000 websites. This analysis well illustrates the whole web, so it's safe to say that one of every forty websites currently mines cryptocurrency (namely Monero) in the browsers their users employ."

Python

Python's Official Repository Included 10 'Malicious' Typo-Squatting Modules (bleepingcomputer.com) 69

An anonymous reader quotes BleepingComputer: The Slovak National Security Office (NBU) has identified ten malicious Python libraries uploaded on PyPI -- Python Package Index -- the official third-party software repository for the Python programming language. NBU experts say attackers used a technique known as typosquatting to upload Python libraries with names similar to legitimate packages -- e.g.: "urlib" instead of "urllib." The PyPI repository does not perform any type of security check or audit when developers upload new libraries to its index, so attackers had no difficulty in uploading the modules online.

Developers who mistyped the package name loaded the malicious libraries in their software's setup scripts. "These packages contain the exact same code as their upstream package thus their functionality is the same, but the installation script, setup.py, is modified to include a malicious (but relatively benign) code," NBU explained. Experts say the malicious code only collected information on infected hosts, such as name and version of the fake package, the username of the user who installed the package, and the user's computer hostname. Collected data, which looked like "Y:urllib-1.21.1 admin testmachine", was uploaded to a Chinese IP address. NBU officials contacted PyPI administrators last week who removed the packages before officials published a security advisory on Saturday.

The advisory lays some of the blame on Python's 'pip' tool, which executes arbitrary code during installations without requiring a cryptographic signature.

Ars Technica also reports that another team of researchers "was able to seed PyPI with more than 20 libraries that are part of the Python standard library," and that group now reports they've already received more than 7,400 pingbacks.
Chrome

Chrome 61 Arrives With JavaScript Modules, WebUSB Support (venturebeat.com) 115

The latest version of Google Chrome has launched, bringing a host of new developer features like JavaScript modules and WebUSB support. An anonymous Slashdot reader shares a report from VentureBeat: Google has launched Chrome 61 for Windows, Mac, and Linux. Additions in this release include JavaScript modules and WebUSB support, among other developer features. You can update to the latest version now using the browser's built-in silent updater or download it directly from google.com/chrome. Google also released Chrome 61 for Android today. In addition to performance and stability fixes, you can expect two new features: Translate pages with a more compact toolbar and pick images with an improved image picker.

Chrome now supports JavaScript modules natively via the new `<script type="module">` element, letting developers declare a script's dependencies. Modules are already popular in third-party build tools, which use them to bundle only the required scripts. Native support means the browser can fetch granular dependencies in parallel, taking advantage of caching, avoiding duplications across the page, and ensuring the script executes in the correct order, all without a build step. Google recommends these two blog posts for more information: ECMAScript modules in browsers and ES6 Modules in Depth. Speaking of JavaScript, Chrome 61 also upgrades the browser's V8 JavaScript engine to version 6.1. Developers can expect performance improvements and a binary size reduction. The WebUSB API meanwhile allows web apps to access user-permitted USB devices. This enables all the functionality provided by hardware peripherals such as keyboards, mice, printers, and gamepads, while still preserving the security guarantees of the web.

Privacy

Game of Thrones Hackers Demand Ransom (bbc.com) 70

An anonymous reader shares a report: Hackers who have leaked Game of Thrones scripts and other data from entertainment company HBO have released a note demanding a ransom payment. In a new dump, they also published a script for the as yet unbroadcast fifth episode of the current series. Company documents and video episodes of other HBO shows were also shared. The hackers claim to have 1.5TB of data in total, but HBO has said it does not believe its email system has been compromised. Documents in the latest leak were marked "HBO is falling," according to the Wired news site, and included legal information, employment agreements and other company files. The Associated Press reports that some documents appeared to contain personal contact information for Game of Thrones actors.
AMD

AMD Confirms Linux 'Performance Marginality Problem' On Ryzen (phoronix.com) 120

An anonymous reader writes: Ryzen customers experiencing segmentation faults under Linux when firing off many compilation processes have now had their problem officially acknowledged by AMD. The company describes it as a "performance marginality problem" affecting some Ryzen customers and only on Linux. AMD confirmed Threadripper and Epyc processors are unaffected; they will be dealing with the issue on a customer-by-customer basis, and their future consumer products will see better Linux testing/validation. Ryzen customers believed to be affected by the problem can contact AMD Customer Care. Michael Larabel writes via Phoronix: "With the Ryzen segmentation faults on Linux they are found to occur with many parallel compilation workloads in particular -- certainly not the workloads most Linux users will be firing off on a frequent basis unless intentionally running scripts like ryzen-test/kill-ryzen. As I've previously written, my Ryzen Linux boxes have been working out great except in cases of intentional torture testing with these heavy parallel compilation tasks. [AMD's] analysis has also found that these Ryzen segmentation faults aren't isolated to a particular motherboard vendor or the like, contrary to rumors/noise online due to the complexity of the problem."
Security

Hackers Can Turn Amazon Echo Into a Covert Listening Device (helpnetsecurity.com) 114

Orome1 shares a report from Help Net Security: New research released by MWR InfoSecurity reveals how attackers can compromise the Amazon Echo and turn it into a covert listening device, without affecting its overall functionality. Found to be susceptible to a physical attack, which allows an attacker to gain a root shell on the Linux operating system and install malware, the Amazon Echo would enable hackers to covertly monitor and listen in on users and steal private data without their permission or knowledge. By removing the rubber base at the bottom of the Amazon Echo, the research team could access the 18 debug pads and directly boot into the firmware of the device, via an external SD card, and install persistent malware without leaving any physical evidence of tampering. This gained them remote root shell access and enabled them to access the "always listening" microphones. Following a full examination of the processes running on the device and the associated scripts, MWR's researchers investigated how the audio media was being passed and buffered between the processes and the tools used to do so. Then they developed scripts that leveraged tools embedded on the device to stream the microphone audio to a remote server without affecting the functionality of the device itself. The raw data was then sampled via a remote device, where a decision could then be made as to play it out of the speakers on the remote device or save the audio as a WAV file. The vulnerability has been confirmed to affect the 2015 and 2016 editions of the device. The 2017 edition of the Amazon Echo is not vulnerable to this physical attack. The smaller Amazon Dot model also does not carry the vulnerability. More technical details can be found here.
Intel

Intel Launches Movidius Neural Compute Stick: 'Deep Learning and AI' On a $79 USB Stick (anandtech.com) 59

Nate Oh, writing for AnandTech: Today Intel subsidiary Movidius is launching their Neural Compute Stick (NCS), a version of which was showcased earlier this year at CES 2017. The Movidius NCS adds to Intel's deep learning and AI development portfolio, building off of Movidius' April 2016 launch of the Fathom NCS and Intel's later acquisition of Movidius itself in September 2016. As Intel states, the Movidius NCS is "the world's first self-contained AI accelerator in a USB format," and is designed to allow host devices to process deep neural networks natively -- or in other words, at the edge. In turn, this provides developers and researchers with a low power and low cost method to develop and optimize various offline AI applications. Movidius's NCS is powered by their Myriad 2 vision processing unit (VPU), and, according to the company, can reach over 100 GFLOPs of performance within a nominal 1W of power consumption. Under the hood, the Movidius NCS works by translating a standard, trained Caffe-based convolutional neural network (CNN) into an embedded neural network that then runs on the VPU. In production workloads, the NCS can be used as a discrete accelerator for speeding up or offloading neural network tasks. Otherwise for development workloads, the company offers several developer-centric features, including layer-by-layer neural network metrics to allow developers to analyze and optimize performance and power, and validation scripts to allow developers to compare the output of the NCS against the original PC model in order to ensure the accuracy of the NCS's model. According to Gary Brown, VP of Marketing at Movidius, this 'Acceleration mode' is one of several features that differentiate the Movidius NCS from the Fathom NCS. The Movidius NCS also comes with a new "Multi-Stick mode" that allows multiple sticks in one host to work in conjunction in offloading work from the CPU.
For multiple stick configurations, Movidius claims that they have confirmed linear performance increases up to 4 sticks in lab tests, and are currently validating 6 and 8 stick configurations. Importantly, the company believes that there is no theoretical maximum, and they expect that they can achieve similar linear behavior for more devices, though ultimately scalability will depend at least somewhat on the neural network itself, and developers trying to use the feature will want to play around with it to determine how well they can reasonably scale. As for the technical specifications, the Movidius Neural Compute Stick features a 4Gb LPDDR3 on-chip memory, and a USB 3.0 Type A interface.
Google

Google Bolsters Security To Prevent Another Google Docs Phishing Attack (zdnet.com) 25

Google is adding a set of features to its security roster to prevent a second run of last month's massive phishing attack. From a report: The company is adding warnings and interstitial screens to warn users that an app they are about to use is unverified and could put their account data at risk. This so-called "unverified app" screen will land on all new web apps that connect to Google user accounts to prevent a malicious app from appearing legitimate. Any Google Chrome user landing on a hacked or malicious website will recognize the prompt as the red warning screen. Some existing apps will also have to go through the same verification process as new apps, Google said. Google also said it will add those warnings to its Apps Scripts, which let Google use custom macros and add-ons for its productivity apps, like Google Docs.
Sci-Fi

Vintage SciFi Magazine 'Galaxy' Preserved Online - And Hopefully Also SoundCloud (archive.org) 52

Long-time Slashdot reader Paul Fernhout writes: Archive.org has made available 355 issues of Galaxy Magazine for free access. Galaxy Science Fiction was an American digest-size science fiction magazine, published from 1950 to 1980 with stories from many sci-fi greats [including Harlan Ellison, Ray Bradbury, and Robert Heinlein]. At its peak, Galaxy greatly influenced the science fiction field. See also Open Culture and The Verge for more about the history of a magazine that helped shape the imaginations of a generation of techies.
Meanwhile, Archive.org's Jason Scott -- who also founded textfiles.com -- says his own group of preservationists "plans large scale backing up of Soundcloud soon" -- or at least part of it. A placeholder page already informs visitors that "We are currently working on getting all the API data... We also are writing the scripts to get a good grab of everything we can." Scott told Motherboard Saturday "Our main concern is artists and creators suddenly finding their stuff gone, and making it so it's not in oblivion."
Operating Systems

48-Year-Old Multics Operating System Resurrected (multicians.org) 94

"The seminal operating system Multics has been reborn," writes Slashdot reader doon386: The last native Multics system was shut down in 2000. After more than a dozen years in hibernation a simulator for the Honeywell DPS-8/M CPU was finally realized and, consequently, Multics found new life... Along with the simulator an accompanying new release of Multics -- MR12.6 -- has been created and made available. MR12.6 contains many bug and Y2K fixes and allows Multics to run in a post-Y2K, internet-enabled world.
Besides supporting dates in the 21st century, it offers mail and send_message functionality, and can even simulate tape and disk I/O. (And yes, someone has already installed Multics on a Raspberry Pi.) Version 1.0 of the simulator was released Saturday, and Multicians.org is offering a complete QuickStart installation package with software, compilers, install scripts, and several initial projects (including SysDaemon, SysAdmin, and Daemon). Plus there are also useful Wiki documents about how to get started, noting that Multics emulation runs on Linux, macOS, Windows, and Raspbian systems.

The original submission points out that "This revival of Multics allows hobbyists, researchers and students the chance to experience first hand the system that inspired UNIX."
Ubuntu

Ubuntu Disputes 'Ads In MOTD' Claims (twitter.com) 110

Thursday Lproven (Slashdot reader #6030) wrote: It appears that Ubuntu is using a feature it has added -- intended to insert headlines of breaking tech news (security alerts and so on) into the Message of the Day displayed at login to the console -- to display advertising and promotional messages.
The message in question linked to a Hacker Noon article titled "How HBO's Silicon Valley built 'Not Hotdog' with mobile TensorFlow, Keras & React Native." Later that day Dustin Kirkland, an Ubuntu Product Manager for the feature's design (and the Core Developer for its implementation) suggested the message had been mistaken for an ad, describing it on Hacker News as a "fun fact... an interesting tidbit of potpourri from the world of Ubuntu," and later saying it was intended like Google's doodles. "Last week's message actually announced an Ubuntu conference in Latin America. The week before, we linked to an article asking for feedback on Kubuntu. Before that, we announced the availability of Extended Security Maintenance updates for 12.04. And so on." He later confirmed Canonical received no money for the message, and also pointed out that the messages all come from an open source repository, and "You're welcome to propose your own messages for merging, if you have a well formatted, informative message for Ubuntu users."

Click through for a condensed version of the complete response by Dustin Kirkland, Ubuntu Product and Strategy at Canonical.
Microsoft

'Microsoft' Scam Callers Arrested After Years of Terrorising the Technically Challenged (gizmodo.co.uk) 185

An anonymous reader shares a report: Those shameless scammers that cold-call people pretending to be from Microsoft and demanding money after walking users through supposed problems with their computers? They're going down, it seems, with four people arrested in the UK for enabling the rip-off. City of London Police and Microsoft, the real Microsoft, have been working together for two years to trace the operators of the scheme, with the four people -- two from Woking and two from South Shields -- arrested on suspicion of fraud. Although the calls were found to originate from India, the investigators found that the scam was allegedly being run out of the UK, with the poor overseas callers working from scripts and, presumably, not really aware they're doing anything hugely wrong.
Security

You Can Hack Some Mazda Cars With a USB Flash Drive (bleepingcomputer.com) 52

An anonymous reader writes: "Mazda cars with next-gen Mazda MZD Connect infotainment systems can be hacked just by plugging a USB flash drive into their dashboard, thanks to a series of bugs that have been known for at least three years," reports Bleeping Computer. "The issues have been discovered and explored by the users of the Mazda3Revolution forum back in May 2014. Since then, the Mazda car owner community has been using these 'hacks' to customize their cars' infotainment system to tweak settings and install new apps. One of the most well-designed tools is MZD-AIO-TI (MZD All In One Tweaks Installer)." Recently, a security researcher working for Bugcrowd has put together a GitHub repository that automates the exploitation of these bugs. The researcher says an attacker can copy the code of his GitHub repo onto a USB flash drive, add malicious scripts and carry out attacks on Mazda cars. Mazda said the issues can't be exploited to break out of the infotainment system to other car components, but researchers disagreed with the company on Twitter. In the meantime, the car maker has finally plugged the bugs via a firmware update released two weeks ago.
Media

OpenELEC 8.0.4 Kodi-Focused Linux Distro Now Available (openelec.tv) 43

BrianFagioli writes: Unfortunately, Kodi is not its own operating system, meaning it has to be run on top of an OS. Sure, you could use Windows 10, but that is overkill if you only want to run Kodi. Instead, a lightweight Linux distribution that only serves to run the media center is preferable. One of the most popular such distros is OpenELEC. It can run on traditional PC hardware, but also Raspberry Pi, and, my favorite — WeTek boxes. Today, version 8.0.4 achieves stable release. It is a fairly ho-hum update, focusing mostly on fixes and stability.

The team shares the following changes in the release.

- fix crash in WeTek DVB driver on WeTek Play (1st gen).
- enable Kernel NEON mode for RPi2 builds.
- enable some more SOC sound drivers for RPi/RPi2 builds.
- enable Regulator support on all builds.
- enable Extcon support on all builds.
- fix loading for some I2C sound modules on RPi/RPi2 builds.
- fix loading splash screen on systems with Nvidia GPUs.
- fix speed problems on Nvidia ION systems.
- fix problems loading dvbhdhomerun addons.
- fix using user created sleep scripts.
- build PNG support with SSE support for x86_64 builds.
- update to linux-4.9.30, mesa-17.0.7, alsa-lib-1.1.4.1, alsa-utils-1.1.4, kodi-17.3, mariadb-10.1.23, samba-4.6.4.

IBM

Ex-IBM Employee Guilty of Stealing Secrets For China (fortune.com) 71

An anonymous reader quotes Fortune: A former developer for IBM pled guilty on Friday to economic espionage and to stealing trade secrets related to a type of software known as a clustered file system, which IBM sells to customers around the world. Xu Jiaqiang stole the secrets during his stint at IBM from 2010 to 2014 "to benefit the National Health and Family Planning Commission of the People's Republic of China," according to the U.S. Justice Department. In a press release describing the criminal charges, the Justice Department also stated that Xu tried to sell secret IBM source code to undercover FBI agents posing as tech investors. (The agency does not explain if Xu's scheme to sell to tech investors was to benefit China or to line his own pockets).

Part of the sting involved Xu demonstrating the stolen software, which speeds computer performance by distributing work across multiple servers, on a sample network. The former employee acknowledged that others would know the software had been taken from IBM, but said he could create extra computer scripts to help mask its origins.

At one point 31-year-old Xu even showed undercover FBI agents the part of the source code that identified it as coming from IBM "as well as the date on which it had been copyrighted."
Businesses

What Happens To Summer TV Binges If Hollywood Writers Strike (bloomberg.com) 205

An anonymous reader shares a report: There also should be plenty of new video fare if Hollywood's writers and studios can't agree on a new contract by Monday. The beautiful thing about a contract is everyone knows when it ends. In this case, the Alliance of Motion Picture and Television Producers, which represents some 350 production companies, and the Writers Guild of America, which comprises 12,000 professionals in two chapters, have had three years to prepare for a standoff. In these situations, show makers typically rush to complete a pile of scripts before the deadline. Jerry Nickelsburg, an economist at the University of California at Los Angeles, calls this stockpiling "the inventory effect." This is precisely what happened the last time writers walked off the job, from November 2007 to February 2008. If the writers do, in fact, go through with the strike they approved on Monday, jokes and soaps will be the first things to take a hit. Late-night talk shows and soap operas are to entertainment writers what delis are to hungry New Yorkers -- a daily frenzy of high-volume production. If the sandwich makers don't show up, everybody gets hungry quickly.
Security

User-Made Patch Lets Owners of Next-Gen CPUs Install Updates On Windows 7 & 8.1 (bleepingcomputer.com) 218

An anonymous reader quotes a report from BleepingComputer: GitHub user Zeffy has created a patch that removes a limitation that Microsoft imposed on users of 7th generation processors, a limit that prevents users from receiving Windows updates if they still use Windows 7 and 8.1. This limitation was delivered through Windows Update KB4012218 (March 2017 Patch Tuesday) and has made many owners of Intel Kaby Lake and AMD Bristol Ridge CPUs very angry last week, as they weren't able to install any Windows updates. Microsoft's move was controversial, but the company did its due diligence, and warned customers of its intention since January 2016, giving users enough time to update to Windows 10, move to a new OS, or downgrade their CPU, if they needed to remain on Windows 7 or 8.1 for various reasons. When the April 2017 Patch Tuesday came around last week, GitHub user Zeffy finally had the chance to test four batch scripts he created in March, after the release of KB4012218. His scripts worked as intended by patching Windows DLL files, skipping the CPU version check, and delivering updates to Windows 7 and 8.1 computers running 7th generation CPUs.