DEAL: For $25 - Add A Second Phone Number To Your Smartphone for life! Use promo code SLASHDOT25. Also, Slashdot's Facebook page has a chat bot now. Message it for stories and more. Check out the new SourceForge HTML5 internet speed test! ×
Microsoft

Class Action Lawsuit Launched Over Forced Windows 10 Upgrades (courthousenews.com) 189

Slashdot reader AmiMoJo quotes The Register: Three people in Illinois have filed a lawsuit against Microsoft, claiming that its Windows 10 update destroyed their data and damaged their computers. The complaint, filed in Chicago's U.S. District Court on Thursday, charges that Microsoft Windows 10 [installer] is a defective product, and that its maker failed to provide adequate warning about the potential risks posed by Windows 10 installation -- specifically system stability and data loss... The attorneys representing the trio are seeking to have the case certified as a class action that includes every person in the U.S. who upgraded to Windows 10 from Windows 7 and suffered data loss or damage to software or hardware within 30 days of installation. They claim there are hundreds or thousands of affected individuals.
Microsoft responded that they'd offered free customer service and other support options for "the upgrade experience," adding "We believe the plaintiffs' claims are without merit." But the complaint argues Windows 10's installer "does not check the condition of the PC and whether or not the hard drive can withstand the stress of the Windows 10 installation," according to Courthouse News, which adds that the lead plaintiff "says her hard drive failed after Windows 10 installed without her express approval, and she had to buy a new computer."
Encryption

After 20 Years, OpenSSL Will Change To Apache License 2.0, Seeks Past Contributors (openssl.org) 72

After nearly 20 years and 31,000 commits, OpenSSL wants to change to Apache License v2.0. They're now tracking down all 400 contributors to sign new license agreements, a process expected to take several months. Slashdot reader rich_salz shares links to OpenSSL's official announcement (and their agreement-collecting web site). "This re-licensing activity will make OpenSSL, already the world's most widely-used FOSS encryption software, more convenient to incorporate in the widest possible range of free and open source software," said Mishi Choudhary, Legal Director of Software Freedom Law Center and counsel to OpenSSL. "OpenSSL's team has carefully prepared for this re-licensing, and their process will be an outstanding example of 'how to do it right.'"
Click through for some comments on the significance of this move from the Linux Foundation, Intel, and Oracle.
United Kingdom

London Terrorist Used WhatsApp, UK Calls For Backdoors (yahoo.com) 239

Wednesday 52-year-old Khalid Masood "drove a rented SUV into pedestrians on Westminster Bridge before smashing it into Parliament's gates and rushing onto the grounds, where he fatally stabbed a policeman and was shot by other officers," writes the Associated Press. An anonymous reader quotes their new report: Westminster Bridge attacker Khalid Masood sent a WhatsApp message that cannot be accessed because it was encrypted by the popular messaging service, a top British security official said Sunday. British press reports suggest Masood used the messaging service owned by Facebook just minutes before the Wednesday rampage that left three pedestrians and one police officer dead and dozens more wounded.... Home Secretary Amber Rudd used appearances on BBC and Sky News to urge WhatsApp and other encrypted services to make their platforms accessible to intelligence services and police trying to carrying out lawful eavesdropping. "We need to make sure that organizations like WhatsApp -- and there are plenty of others like that -- don't provide a secret place for terrorists to communicate with each other," she said...

Rudd also urged technology companies to do a better job at preventing the publication of material that promotes extremism. She plans to meet with firms Thursday about setting up an industry board that would take steps to make the web less useful to extremists.

Businesses

Over 14K 'Let's Encrypt' SSL Certificates Issued To PayPal Phishing Sites (bleepingcomputer.com) 208

BleepingComputer reports: During the past year, Let's Encrypt has issued a total of 15,270 SSL certificates that contained the word 'PayPal' in the domain name or the certificate identity. Of these, approximately 14,766 (96.7%) were issued for domains that hosted phishing sites, according to an analysis carried out on a small sample of 1,000 domains, by Vincent Lynch, encryption expert for The SSL Store... Lynch, who points out the abuse of Let's Encrypt's infrastructure, doesn't blame the Certificate Authority (CA), but nevertheless, points out that other CAs have issued a combined number of 461 SSL certificates containing the term "PayPal" in the certificate information, which were later used for phishing attacks... Phishers don't target these CAs because they're commercial services, but also because they know these organizations will refuse to issue certificates for certain hot terms, like "PayPal," for example. Back in 2015, Let's Encrypt made it clear in a blog post it doesn't intend to become the Internet's HTTPS watchdog.
Of course, some web browsers don't even check whether a certificate has been revoked. An anonymous reader writes: Browser makers are also to blame, along with "security experts" who tell people HTTPS is "secure," when they should point out HTTPS means "encrypted communication channel," and not necessarily that the destination website is secure.
Robotics

US Workers Face A Higher Risk Of Being Replaced By Robots (cnn.com) 246

There's a surprising prediction for the next 15 years from the world's second largest professional services firm. An anonymous reader quotes CNN: Millions of workers around the world are at risk of losing their jobs to robots -- but Americans should be particularly worried. Thirty-eight percent of jobs in the U.S. are at high risk of being replaced by robots and artificial intelligence over the next 15 years, according to a new report by PwC. Meanwhile, only 30% of jobs in the U.K. are similarly endangered. The same level of risk applies to only 21% of positions in Japan.
61% of America's financial service jobs "are at a high risk of being replaced by robots," according to the article, vs. just 32% of the finance jobs in the U.K. (Those U.S. finance jobs tend to be "domestic retail operations" like small-town bank tellers, whereas U.K. finance jobs concentrate more in international finance and investment banking.) The firm's chief economist sees a world where new jobs are more likely to go to higher-skilled workers, and he ultimately predicts "a restructuring of the jobs market... The gap between rich and poor could get even wider."
Businesses

Comcast Launches New 24/7 Workplace Surveillance Service (philly.com) 144

America's largest ISP just rolled out a new service that allows small and medium-sized business owners "to oversee their organization" with continuous video surveillance footage that's stored in the cloud -- allowing them to "improve efficiency." An anonymous reader quotes the Philadelphia Inquirer: Inventory is disappearing. Workplace productivity is off. He said/she said office politics are driving people crazy. Who you gonna call...? Comcast Business hopes it will be the one, with the "SmartOffice" surveillance offering formally launched this week in Philadelphia and across "70 percent of our national [internet] service footprint," said Christian Nascimento, executive director of premise services for the Comcast division. Putting a "Smart Cities" (rather than "Big Brother is watching you") spin on "the growing trend for...connected devices across the private and public sectors," the SmartOffice solution "can provide video surveillance to organizations that want to monitor their locations more closely," Nascimento said...
The surveillance cameras are equipped with zoom lenses, night-vision, motion detection, and wide-angle lenses, while an app allows remote access to the footage from smartphones and tablets (though the footage can also be downloaded, or stored online for up to a month). Last year Comcast was heavily involved in an effort to provide Detroit's police department with real-time video feeds from over 120 local businesses, which the mayor said wouldn't have been successful "Without the complete video technology system Comcast provides."
Security

Anti-Virus Vendors Scramble To Patch Hijacking Exploit Involving Microsoft Tool (securityweek.com) 45

"A zero-day attack called Double Agent can take over antivirus software on Windows machines," Network World reported Wednesday. wiredmikey writes: The attack involves the Microsoft Application Verifier, a runtime verification tool for unmanaged code that helps developers find subtle programming errors in their applications... [The exploit] allows a piece of malware executed by a privileged user to register a malicious DLL for a process associated with an antivirus or other endpoint security product, and hijack its agent.
Patches were released by Malwarebytes, AVG, and Trend Micro, the security researchers told BleepingComputer earlier this week. Kaspersky Lab told ZDNet "that measures to detect and block the malicious scenario have now been added to all its products," while Norton downplayed the exploit, saying the attack "would require physical access to the machine and admin privileges to be successful," with their spokesperson "adding that it has deployed additional detection and blocking protections in the unlikely event users are targeted."

BetaNews reports that the researchers "say that it is very easy for antivirus producers to implement a method of protection against this zero-day, but it is simply not being done. 'Microsoft has provided a new design concept for antivirus vendors called Protected Processes...specially designed for antivirus services...the protected process infrastructure only allows trusted, signed code to load and has built-in defense against code injection attacks.'"
Government

After Healthcare Defeat, Can The Trump Administration Fix America's H-1B Visa Program? (bloomberg.com) 493

Friday the Trump administration suffered a political setback when divisions in the president's party halted a move to repeal healthcare policies passed in 2010. But if Trump hopes to turn his attention to how America's H-1B visa program is affecting technology workers, "time is running out," writes Slashdot reader pteddy. Bloomberg reports: [T]he application deadline for the most controversial visa program is the first week of April, which means new rules have to be in place for that batch of applicants or another year's worth of visas will be handed out under the existing guidelines... There probably isn't enough time to pass legislation on such a contentious issue. But Trump could sign an executive order with some changes. The article points out that under the current system, one outsourcing firm was granted 6.5 times as many U.S. visas as Amazon. There's also an interesting map showing which countries' workers received the most H-1B visas in 2015 -- 69.4% went to workers in India, with another 10.5% going to China -- and a chart showing which positions are most in demand, indicating that two-thirds of the visa applications are for tech workers.
Stats

Stack Overflow Reveals Results From 'Largest Developer Survey Ever Conducted' (stackoverflow.com) 133

More than 64,000 developers from 213 countries participated in this year's annual survey by Stack Overflow -- the largest number ever -- giving a glimpse into the collective psyche of programmers around the world. An anonymous reader quotes their announcement: A majority of developers -- 56.5% -- said they were underpaid. Developers who work in government and non-profits feel the most underpaid, while those who work in finance feel the most overpaid... While only 13.1% of developers are actively looking for a job, 75.2% of developers are interested in hearing about new job opportunities...

When asked what they valued most when considering a new job, 53.3% of respondents said remote options were a top priority. 65% of developers reported working remotely at least one day a month, and 11.1% say they're full-time remote or almost all the time. Also, the highest job satisfaction ratings came from developers who work remotely full-time.

62.5% of the respondents reported using JavaScript, while 51.2% reported SQL, with 39.7% using Java and 34.1% using C# -- but for the #5 slot, "the use of Python [32.0%] overtook PHP [28.1%] for the first time in five years." Yet as far as which languages developers wanted to continue using, "For the second year in a row, Rust was the most loved programming language... Swift, last year's second most popular language, ranked as fourth. For the second year in a row, Visual Basic (for 2017, Visual Basic 6, specifically) ranked as the most dreaded language; 88.3% of developers currently using Visual Basic said they did not want to continue using it."
China

Microsoft Delivers Secure China-Only Cut of Windows 10 (theregister.co.uk) 97

Earlier this week, CEO of Microsoft Greater China, Alain Crozier, told China Daily that the company is ready to roll out a version of Windows 10 with extra security features demanded by China's government. "We have already developed the first version of the Windows 10 government secure system. It has been tested by three large enterprise customers," Crozier said. The Register reports: China used Edward Snowden's revelations to question whether western technology products could compromise its security. Policy responses included source code reviews for foreign vendors and requiring Chinese buyers to shop from an approved list of products. Microsoft, IBM and Intel all refused to submit source code for inspection, but Redmond and Big Blue have found other ways to get their code into China. IBM's route is a partnership with Dalian Wanda to bring its cloud behind the Great Firewall. Microsoft last year revealed its intention to build a version of Windows 10 for Chinese government users in partnership with state-owned company China Electronics Technology Group Corp. There's no reason to believe Crozier's remarks are incorrect, because Microsoft has a massive incentive to deliver a version of Windows 10 that China's government will accept. To understand why, consider that China's military has over two million active service personnel, the nation's railways employ similar numbers and Microsoft's partner China Electronics Technology Group Corp has more than 140,000 people on its books. Not all of those are going to need Windows, but plenty will.
Software

FedEx Will Pay You $5 To Install Flash (theregister.co.uk) 89

FedEx's Office Print department is offering customers $5 to enable Adobe Flash in their browsers. Why would they do such a thing you may ask? It's because they want customers to design posters, signs, manuals, banners and promotional agents using their "web-based config-o-tronic widgets," which requires Adobe Flash. The Register reports: But the web-based config-o-tronic widgets that let you whip and order those masterpieces requires Adobe Flash, the enemy of anyone interested in security and browser stability. And by anyone we mean Google, which with Chrome 56 will only load Flash if users say they want to use it, and Microsoft which will stop supporting Flash in its Edge browser when the Windows 10 Creators Update debuts. Mozilla's Firefox will still run Flash, but not for long. The impact of all that Flash hate is clearly that people are showing up at FedEx Office Print without the putrid plug-in. But seeing as they can't use the service without it, FedEx has to make the offer depicted above or visible online here. That page offers a link to download Flash, which is both a good and a bad idea. The good is that the link goes to the latest version of Flash, which includes years' worth of bug fixes. The bad is that Flash has needed bug fixes for years and a steady drip of newly-detected problems means there's no guarantee the software's woes have ended. Scoring yourself a $5 discount could therefore cost you plenty in future.
Communications

T-Mobile Kicks Off Industry Robocall War With Network-Level Blocking and ID Tools (venturebeat.com) 76

T-Mobile is among the first U.S. telecom companies to announce plans to thwart pesky robocallers. From a report on VentureBeat: The move represents part of an industry-wide Robocall Strike Force set up by the Federal Communications Commission (FCC) last year to combat the 2 billion-plus automated calls U.S. consumers deal with each month. Other key members of the group include Apple, Google, Microsoft, and Verizon. T-Mobile's announcement comes 24 hours after the FCC voted to approve a new rule that would allow telecom companies to block robocallers who use fake caller ID numbers to conceal their true location and identity. From a report on WashingtonPost: The Federal Communications Commission on Thursday proposed new rules (PDF) that would allow phone companies to target and block robo-calls coming from what appear to be illegitimate or unassigned phone numbers. The rules could help cut down on the roughly 2.4 billion automated calls that go out each month -- many of them fraudulent, according to FCC Chairman Ajit Pai. "Robo-calls are the No. 1 consumer complaint to the FCC from members of the American public," he said, vowing to halt people who, in some cases, pretend to be tax officials demanding payments from consumers, or, in other cases, ask leading questions that prompt consumers to give up personal information as part of an identity theft scam.
IT

Samsung's Calls For Industry To Embrace Its Battery Check Process as a New Standard Have Been Ignored (cnet.com) 51

Months after the Galaxy Note 7 debacle, the topic remains too hot for the rest of the wireless industry to handle. From a report on CNET: With Samsung's Galaxy S8 to launch next week, a renewed discussion of the Note 7, which had an unhealthy tendency to catch fire and which had to be recalled, is inevitable. Samsung opened that door in January when it embarked on a mea culpa tour. Beyond spelling out the cause of the overheating problem in its popular phone, the company unveiled an eight-point battery check system it said surpassed industry practices, and it invited rivals to follow its model. But two months after the introduction, what's the industry response? A collective shrug. Interviews with phone makers and carriers found that while all placed a high priority on safety, few would talk specifically about Samsung's new battery check process or the idea of adopting it for themselves.
Software

Blinking Cursor Devours CPU Cycles in Visual Studio Code Editor (theregister.co.uk) 229

An anonymous reader shares a report on The Register: Microsoft describes Visual Studio Code as a source code editor that's "optimized for building and debugging modern web and cloud applications." In fact, VSC turns out to be rather inefficient when it comes to CPU resources. Developer Jo Liss has found that the software, when in focus and idle, uses 13 percent of CPU capacity just to render its blinking cursor. Liss explains that the issue can be reproduced by closing all VSC windows, opening a new window, opening a new tab with an empty untitled file, then checking CPU activity. For other macOS applications that present a blinking cursor, like Chrome or TextEdit, Liss said, the CPU usage isn't nearly as excessive. The issue is a consequence of rendering the cursor every 16.67ms (60 fps) rather than every 500ms.
Privacy

Some Of Hacker Group's Claims Of Having Access To 250M iCloud Accounts Aren't False (zdnet.com) 45

Earlier this week, a hacker group claimed that it had access to 250 million iCloud accounts. The hackers, who called themselves part of Turkish Crime Family group, threatened to reset passwords of all the iCloud accounts and remotely wipe those iPhones. Apple could stop them, they said, if it paid them a ransom by April 7. In a statement, Apple said, "the alleged list of email addresses and passwords appears to have been obtained from previously compromised third-party services," and that it is working with law enforcement officials to identify the hackers. Now, ZDNet reports that it obtained a set of credentials from the hacker group and was able to verify some of the claims. From the article: ZDNet obtained a set of 54 credentials from the hacker group for verification. All the 54 accounts were valid, based on a check using the site's password reset function. These accounts include "icloud.com," dating back to 2011, and legacy "me.com" and "mac.com" domains from as early as 2000. The list of credentials contained just email addresses and plain-text passwords, separated by a colon, which according to Troy Hunt, data breach expert and owner of notification site Have I Been Pwned, makes it likely that the data "could be aggregated from various sources." We started working to contact each person, one by one, to confirm their password. Most of the accounts are no longer registered with iMessage and could not be immediately reached. However, 10 people in total confirmed that their passwords were accurate, and as a result have now been changed.
Government

US Ordered 'Mandatory Social Media Check' For Visa Applicants Who Visited ISIS Territory (theverge.com) 191

An anonymous reader quotes a report from The Verge: U.S. Secretary of State Rex Tillerson has ordered a "mandatory social media check" on all visa applicants who have ever visited ISIS-controlled territory, according to diplomatic cables obtained by Reuters. The four memos were sent to American diplomatic missions over the past two weeks, with the most recent issued on March 17th. According to Reuters, they provide details into a revised screening process that President Donald Trump has described as "extreme vetting." A memo sent on March 16th rescinds some of the instructions that Tillerson outlined in the previous cables, including an order that would have required visa applicants to hand over all phone numbers, email addresses, and social media accounts that they have used in the past. The secretary of state issued the memo after a Hawaii judge blocked the Trump administration's revised travel ban on citizens from six predominantly Muslim countries. In addition to the social media check, the most recent memo calls for consular officials to identify "populations warranting increased scrutiny." Two former government officials tell Reuters that the social media order could lead to delays in processing visa applications, with one saying that such checks were previously carried out on rare occasions.
Chrome

Google Reducing Trust In Symantec Certificates Following Numerous Slip-Ups (bleepingcomputer.com) 77

An anonymous Slashdot reader writes from a report via BleepingComputer: Google Chrome engineers announced plans to gradually remove trust in old Symantec SSL certificates and intent to reduce the accepted validity period of newly issued Symantec certificates, following repeated slip-ups on the part of Symantec. Google's decision comes after the conclusion of an investigation that started on January 19, which unearthed several problems with Symantec's certificate issuance process, such as 30,000 misused certificates. In September 2015, Google also discovered that Symantec issued SSL certificates for Google.com without authorization. Symantec blamed the incident on three rogue employees, whom it later fired. This move from Google will force all owners of older Symantec certificates to request a new one. Google hopes that by that point, Symantec would have revamped its infrastructure and will be following the rules agreed upon by all the other CAs and browser makers.
Cellphones

Feds: We're Pulling Data From 100 Phones Seized During Trump Inauguration (arstechnica.com) 226

An anonymous reader quotes a report from Ars Technica: In new filings, prosecutors told a court in Washington, DC that within the coming weeks, they expect to extract all data from the seized cellphones of more than 100 allegedly violent protesters arrested during the inauguration of President Donald Trump. Prosecutors also said that this search is validated by recently issued warrants. The court filing, which was first reported Wednesday by BuzzFeed News, states that approximately half of the protestors prosecuted with rioting or inciting a riot had their phones taken by authorities. Prosecutors hope to uncover any evidence relevant to the case. Under normal judicial procedures, the feds have vowed to share such data with defense attorneys and to delete all irrelevant data. "All of the Rioter Cell Phones were locked, which requires more time-sensitive efforts to try to obtain the data," Jennifer Kerkhoff, an assistant United States attorney, wrote. Such phone extraction is common by law enforcement nationwide using hardware and software created by Cellebrite and other similar firms. Pulling data off phones is likely more difficult under fully updated iPhones and Android devices.
United States

71 Percent of Android Phones On Major US Carriers Have Out of Date Security Patches (betanews.com) 103

Ian Barker, writing for BetaNews: Slow patching of security flaws is leaving many US mobile users at risk of falling victim to data breaches according to the findings of a new report. The study from mobile defense specialist Skycure analyzed patch updates among the five leading wireless carriers in the US and finds that 71 percent of mobile devices still run on security patches more than two months old. This is despite Google releasing Android patches every month, indeed six percent of devices are running patches that are six or more months old. Without the most updated patches, these devices are susceptible to attacks, including rapidly rising network attacks and new malware, also detailed in the report.
Security

WikiLeaks' New Dump Shows How The CIA Allegedly Hacked Macs and iPhones Almost a Decade Ago (vice.com) 110

WikiLeaks said on Thursday morning it will release new documents it claims are from the Central Intelligence Agency which show the CIA had the capability to bug iPhones and Macs even if their operating systems have been deleted and replaced. From a report on Motherboard: "These documents explain the techniques used by CIA to gain 'persistenc'' on Apple Mac devices, including Macs and iPhones and demonstrate their use of EFI/UEFI and firmware malware," WikiLeaks stated in a press release. EFI and UEFI is the core firmware for Macs, the Mac equivalent to the Bios for PCs. By targeting the UEFI, hackers can compromise Macs and the infection persists even after the operating system is re-installed. The documents are mostly from last decade, except a couple that are dated 2012 and 2013. While the documents are somewhat dated at this point, they show how the CIA was perhaps ahead of the curve in finding new ways to hacking and compromising Macs, according to Pedro Vilaca, a security researcher who's been studying Apple computers for years. Judging from the documents, Vilaca told Motherboard in an online chat, it "looks like CIA were very early adopters of attacks on EFI."

Slashdot Top Deals