
Comment SpamCop.net is not Dead (Score 1) 47

SpamCop is not dead. It is still up and running and the free blocklist is a great part of your anti-spam arsenal. Compare RCVD_IN_BL_SPAMCOP_NET to the other free options using SpamAssassin rule vetting stats and you'll see it's among the top performers. ("S/O" is a measure of relative precision, "SPAM%" is recall.)

Unlike the other DNSBLs, SpamCop also reports spam back to the networks that sent it (with filters to deal with spammer-friendly and negligent network operators, either of which might ignore or even pass on the heads-up to spammers rather than disciplining them).

In particular, SpamCop did well against this Necurs attack but it does not fare as well against hailstorm/snowshoe spam attacks (which IP reputation doesn't help combat). IP-based DNSBLs aren't anywhere near as effective today as they were ten years ago, but they're still quite worthwhile. That said, you're right in that the best ones cost money.

I feel happy, oh so happy. I don't want to go on the cart.
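As an added illustration of what a rule such as RCVD_IN_BL_SPAMCOP_NET does under the hood (example code, not SpamCop's or SpamAssassin's own), this reverses a relay's IPv4 octets into a DNSBL query name, treats only a 127.0.0.x answer as a listing, skips private relays, and adds a fixed score when any untrusted relay is listed; the fake resolver and the 192.0.2.x documentation addresses are constructed so it runs offline.

```python
import ipaddress
import socket
from typing import Callable, List, Optional, Tuple

# The public SpamCop blocklist zone behind the RCVD_IN_BL_SPAMCOP_NET rule.
SPAMCOP_ZONE = "bl.spamcop.net"
# Relays that can never be listed and should not generate DNSBL traffic.
NEVER_QUERY = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                "127.0.0.0/8", "169.254.0.0/16")]
Resolver = Callable[[str], Optional[str]]

def dnsbl_query_name(ip: str, zone: str = SPAMCOP_ZONE) -> str:
    """Reverse the IPv4 octets and append the zone, RFC 5782 style:
    192.0.2.1 -> 1.2.0.192.bl.spamcop.net"""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("SpamCop's list is IPv4-only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def system_resolver(name: str) -> Optional[str]:
    """Live A-record lookup; None on NXDOMAIN means 'not listed'."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def is_listed(ip: str, resolver: Resolver = system_resolver) -> bool:
    """True only for a 127.0.0.x answer. A public-IP answer usually means a
    resolver that hijacks NXDOMAIN or a parked zone, and must not count."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in NEVER_QUERY):
        return False
    answer = resolver(dnsbl_query_name(ip))
    return answer is not None and answer.startswith("127.0.0.")

def score_relays(relay_ips: List[str], resolver: Resolver = system_resolver,
                 points: float = 1.5) -> Tuple[float, List[str]]:
    """SpamAssassin-like rule: add a fixed score if any untrusted relay is listed."""
    hits = [ip for ip in relay_ips if is_listed(ip, resolver)]
    return (points if hits else 0.0), hits

# Constructed stand-in for live DNS so the example runs offline.
FAKE_ZONE = {"1.2.0.192.bl.spamcop.net": "127.0.0.2"}
def fake_resolver(name: str) -> Optional[str]:
    return FAKE_ZONE.get(name)

if __name__ == "__main__":
    print(score_relays(["192.168.1.10", "192.0.2.1", "192.0.2.2"], fake_resolver))
```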

Submission + - Did last night's US presidential debate Wi-Fi rip-off break the law? (theregister.co.uk)

schwit1 writes: The host of the first presidential debate on Monday night, Hofstra University in New York, may have broken the law and could be in line for a huge fine.

Reporters at the event were appalled to find that among the heavily marked-up items they were offered – $150 to rent a lamp, anyone? – was a $200 charge for a "secure wireless internet connection."

Worse than the clear effort to price-gouge people trying to file stories, however, was the fact that the university decided that only its wireless access points were allowed to be used, and even sent someone around with a Wi-Fi signal detector apparently threatening to throw out anyone who was using an "unauthorized" access point.

That action – effectively shutting down people's ability to use their own internet connection in order to force them to use a paid-for service – was ruled illegal in 2014 by the Federal Communications Commission (FCC) in a landmark ruling against Marriott Hotels.

Botnet

Spam Hits Its Highest Level Since 2010 (networkworld.com) 47

Long-time Slashdot reader coondoggie quotes Network World: Spam is back in a big way -- levels that have not been seen since 2010 in fact. That's according to a blog post from Cisco Talos that stated the main culprit of the increase is largely the handiwork of the Necurs botnet... "Many of the host IPs sending Necurs' spam have been infected for more than two years.

"To help keep the full scope of the botnet hidden, Necurs will only send spam from a subset of its minions... This greatly complicates the job of security personnel who respond to spam attacks, because while they may believe the offending host was subsequently found and cleaned up, the reality is that the miscreants behind Necurs are just biding their time, and suddenly the spam starts all over again."

Before this year, the SpamCop Block List was under 200,000 IP addresses, but surged to over 450,000 addresses by the end of August. Interestingly, Proofpoint reported that between June and July, Donald Trump's name appeared in 169 times more spam emails than Hillary Clinton's.

Comment lower infosec budgets will INCREASE hacking damage (Score 3, Insightful) 183

This report looks at a lot of data, but (as noted in the Limitations section) it's only what was publicly available. Lots of breaches, especially w.r.t. ransomware, go unreported. Lots of breaches go undetected and/or aren't as easily measured as money (e.g. a rival company steals your un-patented trade secrets).

However, my biggest issue with this analysis is that its conclusion makes no sense. It says that the cost of cyber breaches is roughly equal to the cost of maintaining a defense. This paper fails to account for how money spent on cyber-defense reduces the money lost to cyber-attacks. If you're advocating for a radical reduction in InfoSec, this is the (only!) figure that matters.

Information Security is important, and there is good work being done here and more work needed. Cutting the InfoSec teams down will correlate to an increase in attacks that get through. This paper seems to be suggesting that reduced InfoSec budgets will somehow also limit the damage they combat. That makes no sense.

Earth

Stephen Hawking Wants To Find Aliens Before They Find Us (cnet.com) 280

Stephen Hawking is again reminding people that perhaps shouting about our existence to aliens is not the right way to go about it, especially if those aliens are more technologically advanced. In his new half-hour program, dubbed Stephen Hawking's Favorite Places, the theoretical physicist and cosmologist said (via CNET): "If intelligent life has evolved (on Gliese 832c), we should be able to hear it," he says while hovering over the exoplanet in the animated "U.S.S. Hawking." "One day we might receive a signal from a planet like this, but we should be wary of answering back. Meeting an advanced civilization could be like Native Americans encountering Columbus. That didn't turn out so well." Hawking manages to be both worried about exposing our civilization to aliens and excited about finding them. He supports not only Breakthrough: Listen, but also Breakthrough: Starshot, another initiative that aims to send tiny nanocraft to our closest neighboring star system, which was recently found to have an Earth-like planet.
Microsoft

Lenovo Denies Claims It Plotted With Microsoft To Block Linux Installs (theregister.co.uk) 181

Reader kruug writes: Several users noted certain new Lenovo machines' SSDs are locked in a RAID mode, with AHCI removed from the BIOS. Windows is able to see the SSD while in RAID mode due to a proprietary driver, but the SSD is hidden from Linux installations -- for which such a driver is unavailable. Speaking to The Register today, a Lenovo spokesperson claimed the Chinese giant "does not intentionally block customers using other operating systems on its devices and is fully committed to providing Linux certifications and installation guidance on a wide range of products."
Complaints on Lenovo's forums suggest that users have been unable to install GNU/Linux operating systems on models from the Yoga 900S to the Ideapad 710S, with one 19-page thread going into detail about the BIOS issue and users' attempts to work around it.

Microsoft

Microsoft Signature PC Requirements Now Blocks Linux Installation: Reports 484

Reader sombragris writes: According to a well-documented forum thread, the Signature PC program by Microsoft now requires PCs to be locked down. This user found out that his Lenovo Yoga 900 ISK2 UltraBook has the SSD in a proprietary RAID mode which Linux does not understand, and the BIOS is also locked down so it could not be turned off. When he complained that he was unable to install Linux, the answer he got was: "This system has a Signature Edition of Windows 10 Home installed. It is locked per our agreement with Microsoft."
Even worse, as the original poster said, "[t]he Yoga 900 ISK2 at Best Buy is not labeled as a Signature Edition PC, but apparently it is one, and Lenovo's agreement with Microsoft includes making sure Linux can't be installed." As some commenter said: "If you buy a computer with this level of lockdown you should be told."

There is also a report on ZDNet which looks very understanding towards Lenovo, but the fact remains: the SSD is locked down in a proprietary RAID mode that cannot be turned off.
Education

Kindergarteners Today Get Little Time To Play, and It's Stunting Their Development (qz.com) 228

Christopher Brown, associate professor at the University of Texas at Austin, writes: Researchers have demonstrated that five-year-olds are spending more time engaged in teacher-led academic learning activities than play-based learning opportunities that facilitate child-initiated investigations and foster social development among peers. During his research and investigation, Brown found that a typical kindergarten classroom sees kids with one teacher almost the entire school day. During this period, they engage in about 15 different academic activities, which include "decoding word drills, practicing sight words, reading to themselves and then to a buddy, counting up to 100 by ones, fives and tens, practicing simple addition, counting money, completing science activities about living things, and writing in journals on multiple occasions." Recess did not occur until the last hour of the day, and only lasted for about 15 minutes. He adds: For children between the ages of five and six, this is a tremendous amount of work. Teachers too are under pressure to cover the material. When I asked the teacher, who I interviewed for the short film, why she covered so much material in a few hours, she stated, "There's pressure on me and the kids to perform at a higher level academically." So even though the teacher admitted that the workload on kindergartners was an awful lot, she also said she was unable to do anything about changing it.

Submission + - What Happens When Judges Pull the Plug on Rural America (backchannel.com)

mirandakatz writes: After the Sixth Circuit Court of Appeals ruled in favor of restrictive state laws that prevent municipalities from setting up their own networks, Pinetops, North Carolina had its internet cut off. And that's just the tip of the iceberg: as Susan Crawford points out at Backchannel, the court decision is likely to spur the introduction of even more restrictive laws, making it increasingly difficult to ensure that we move the entire country over to fiber-plus-advanced-wireless, not leaving pockets of rural America without 21st century connectivity. For too long, local heroes have been fighting this fight—but Crawford argues that this needs to be a focus of the next president of the United States.

Submission + - Anonymous hacker explains his attack on Boston Children's Hospital (huffingtonpost.com)

Okian Warrior writes: Martin Gottesfeld of Anonymous was arrested in connection with the spring 2014 attacks on a number of health care and treatment facilities in the Boston area. The attacks were in response to, and in defense of, a patient there named Justina Pelletier.

Gottesfeld now explains why he did what he did, in a statement provided to The Huffington Post.

Government

FBI Director James Comey: Cover Up Your Webcam (thehill.com) 168

An anonymous reader quotes a report from The Hill: The head of the FBI on Wednesday defended putting a piece of tape over his personal laptop's webcam, claiming the security step was a common sense one that most should take. "There's some sensible things you should be doing, and that's one of them," Director James Comey said during a conference at the Center for Strategic and International Studies. "You go into any government office and we all have the little camera things that sit on top of the screen," he added. "They all have a little lid that closes down on them. You do that so that people who don't have authority don't look at you. I think that's a good thing." Comey was pilloried online earlier this year, after he revealed that he puts a piece of tape over his laptop camera to keep away prying eyes. The precaution is a common one among security advocates, given the relative ease of hacking laptop cameras. But many found it ironic for Comey, who this year launched a high profile battle against Apple to gain access to data locked inside of the iPhone used by one of the San Bernardino, Calif., terrorists. Many viewed that fight as a referendum on digital privacy.
Privacy

None of Your Pixelated or Blurred Information Will Stay Safe On The Internet (qz.com) 139

The University of Texas at Austin and Cornell University are saying blurred or pixelated images are not as safe as they may seem. As machine learning technology improves, the methods used to hide sensitive information become less secure. Quartz reports: Using simple deep learning tools, the three-person team was able to identify obfuscated faces and numbers with alarming accuracy. On an industry standard dataset where humans had a 0.19% chance of identifying a face, the algorithm had 71% accuracy (or 83% if allowed to guess five times). The algorithm doesn't produce a deblurred image -- it simply identifies what it sees in the obscured photo, based on information it already knows. The approach works with blurred and pixelated images, as well as P3, a type of JPEG encryption pitched as a secure way to hide information. The attack uses Torch (an open-source deep learning library), Torch templates for neural networks, and standard open-source data. To build the attacks that identified faces in YouTube videos, researchers took publicly-available pictures and blurred the faces with YouTube's video tool. They then fed the algorithm both sets of images, so it could learn how to correlate blur patterns to the unobscured faces. When given different images of the same people, the algorithm could determine their identity with 57% accuracy, or 85% when given five chances. The report mentions Max Planck Institute's work on identifying people in blurred Facebook photos. The difference between the two research efforts is that UT and Cornell's approach is much simpler, and "shows how weak these privacy methods really are."

Submission + - The YouTube Demonetization of 2016 (dailydot.com)

Striek writes:

On Wednesday, several YouTube creators posted videos that voiced concerns over the platform’s process of demonetizing videos for not being friendly to advertisers.

Many YouTube creators have similar concerns — that no, this isn't censorship in the strictest sense, but that YouTube owes its users a better commitment to free speech than most private companies due to its dominant marketplace position. Its criteria for videos being "advertiser-friendly" are also incredibly vague or restrictive, or both:

Content that is considered inappropriate for advertising includes:

Sexually suggestive content, including partial nudity and sexual humor
Violence, including display of serious injury and events related to violent extremism
Inappropriate language, including harassment, profanity and vulgar language
Promotion of drugs and regulated substances, including selling, use and abuse of such items
Controversial or sensitive subjects and events, including subjects related to war, political conflicts, natural disasters and tragedies, even if graphic imagery is not shown

You read that right — any YouTube video covering any war or natural disaster is considered inappropriate for advertising — which essentially includes all news and current events shows. This might not seem like a big deal to many people, but it would be, if you made your living creating YouTube videos. So while technically not censorship, many people are arguing YouTube has gone a few steps too far with this, and are likewise worried that this will be too selectively enforced.

Google

Google Login Bug Allows Credential Theft (onthewire.io) 43

Trailrunner7 writes from a report via On the Wire: Attackers can add an arbitrary page to the end of a Google login flow that can steal users' credentials, or alternatively, send users an arbitrary file any time a login form is submitted, due to a bug in the login process. A researcher in the UK identified the vulnerability recently and notified Google of it, but Google officials said they don't consider it a security issue. The bug results from the fact that the Google login page accepts a specific, weakly validated GET parameter. Using this bug, an attacker could add an extra step to the end of the login flow that could steal a user's credentials. For example, the page could mimic an incorrect password dialog and ask the user to re-enter the password. [Aidan Woods, the researcher who discovered the bug,] said an attacker also could send an arbitrary file to the target's browser any time the login form is submitted. In an email interview, Woods said exploiting the bug is a simple matter. "Attacker would not need to intercept traffic to exploit -- they only need to get the user to click a link that they have crafted to exploit the bug in the continue parameter," Woods said. Google told Woods they don't consider this a security issue.
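The story says only that the flaw lies in the login page's continue parameter, so as an added example (not Google's code or Woods's finding) here is how a login service can confine such a post-login destination to an allowlist of its own pages, falling back to a default for anything else; the hosts, default URL and function name are hypothetical.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Hypothetical allowlist for this example; a real login service lists its own hosts.
ALLOWED_HOSTS = {"accounts.example.com", "mail.example.com"}
LOGIN_HOST = "accounts.example.com"
DEFAULT_AFTER_LOGIN = "https://accounts.example.com/"

def safe_continue_url(raw: Optional[str]) -> str:
    """Return the post-login destination to redirect to, or the default when the
    supplied value is not provably one of our own pages.

    Rejected forms: non-https schemes (javascript:, data:, http:), user-info
    ('ours@evil.test'), scheme-relative '//evil.test', backslashes and control
    characters (browsers normalise them differently from urlsplit), and any
    host that is not an exact allowlist match (so 'ours.evil.test' fails too).
    """
    if not raw:
        return DEFAULT_AFTER_LOGIN
    if any(ch == "\\" or ord(ch) < 0x20 or ord(ch) == 0x7F for ch in raw):
        return DEFAULT_AFTER_LOGIN
    parts = urlsplit(raw)
    if parts.scheme == "" and parts.netloc == "":
        # A same-origin path: accept only a clean absolute path, never '//host'.
        if parts.path.startswith("/") and not parts.path.startswith("//"):
            return urlunsplit(("https", LOGIN_HOST, parts.path, parts.query, ""))
        return DEFAULT_AFTER_LOGIN
    if parts.scheme != "https" or parts.username is not None or parts.password is not None:
        return DEFAULT_AFTER_LOGIN
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return DEFAULT_AFTER_LOGIN
    # Rebuild from parsed parts: canonical host, no port, no fragment.
    return urlunsplit(("https", host, parts.path or "/", parts.query, ""))

if __name__ == "__main__":
    for candidate in ("/mail/u/0", "//evil.test/", "https://ours@evil.test/"):
        print(candidate, "->", safe_continue_url(candidate))
```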
