Windows

Google Discloses Exploited Windows Vulnerability 10 Days After Telling Microsoft (venturebeat.com) 101

An anonymous reader writes: Google today shared details about a security flaw in Windows, just 10 days after disclosing it to Microsoft on October 21. To make matters worse, Google says it is aware that this critical Windows vulnerability is being actively exploited in the wild. That means attackers have already written code for this specific security hole and are using it to break into Windows systems. In a blog post, security researchers at Google write, "The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Chrome's sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability."

Submission + - Secret government papers show taxpayers will pick up costs of Hinkley nuclear wa (theguardian.com)

mdsolar writes: Taxpayers will pick up the bill should the cost of storing radioactive waste produced by Britain’s newest nuclear power station soar, according to confidential documents which the government has battled to keep secret for more than a year.

The papers confirm the steps the government took to reassure French energy firm EDF and Chinese investors behind the £24bn Hinkley Point C plant that the amount they would have to pay for the storage would be capped.

The Department for Business, Energy & Industrial Strategy – in its previous incarnation as the Department for Energy and Climate Change – resisted repeated requests under the Freedom of Information Act for the release of the documents which were submitted to the European commission.

“The government has attempted to keep the costs to the taxpayer of Hinkley under wraps from the start,” said Dr Doug Parr, Greenpeace chief scientist. “It’s hardly surprising as it doesn’t look good for the government’s claim that they are trying to keep costs down for hardworking families.”

Canada

Police Used Cell Tower Logs To Text 7,500 Possible Crime Witnesses (www.cbc.ca) 153

"Investigators are calling it a 'digital canvass' -- the high-tech equivalent of knocking on thousands of doors for information," reports the CBC, describing how an Ontario police department sent text messages to 7,500 potential witnesses of a homicide using phone numbers from a nearby cell tower's logs. Police obtained the numbers through a court order, and sent two texts -- one in English, and another one in French -- asking recipients to "voluntarily answer a few simple questions..." Slashdot reader itamblyn writes: On one hand, this seems like the natural progression from the traditional approach of canvassing local residents by putting up flyers and knocking on doors. On the other hand, I think one can reasonably ask -- Are we OK with this approach...? Do we want this to happen whenever there is a major crime?
The article adds that the police force "will keep the numbers on file until the killing is solved, officers said at a news conference on Wednesday... Investigators will also consider calling the numbers of people who don't respond voluntarily, but they would be required to obtain another court order to do so."

Submission + - How did one contractor steal 50TB of NSA data? Easily, say former spies (zdnet.com)

An anonymous reader writes: Former employees at the NSA, who spoke on the condition of anonymity, said that Martin likely stole the files by simply walking out of the front door.

"The security folks there conduct random bag and purse checks on people leaving, but nobody does pocket checks," said one former employee, who spent almost 30 years at the agency in various jobs, before leaving late in the last decade.

"Anything that could fit in a pocket could go out undetected," the employee said.

The second employee said it wouldn't be difficult to steal data — noting that the NSA has "some of the best hackers on earth."

Submission + - How Google Almost Killed ProtonMail (protonmail.com)

An anonymous reader writes: From 2015 through 2016 for nearly a year, results from searching e.g. "secure email" or "encrypted email" would vary little in most popular search engines and commonly yield mention of ProtonMail, typically within the first page. Not in Google, though. The ProtonMail team investigated and could find no cause. After receiving no substantial reply to their inquiries, ProtonMail turned to Twitter in August, where soon after, Google responded after correcting the issue. Yen, author of the ProtonMail article, writes the following in reference to what he calls "Search Risk":

"The danger is that any service such as ProtonMail can easily be suppressed by either search companies, or the governments that control those search companies. This can happen even across national borders. For example, even though Google is an American company, it controls over 90% of European search traffic. In this case, Google directly caused ProtonMail’s growth rate worldwide to be reduced by over 25% for over 10 months."

Submission + - Police use cell tower logs to contact potential witnesses to unsolved murder (www.cbc.ca)

itamblyn writes: In what appears to be the first example of a new approach in investigative policing, Ontario Provincial Police are using cell phone tower logs to reach out to potential witnesses in an unsolved homicide case from 2015.

CBC reports (http://www.cbc.ca/news/canada/ottawa/frederick-john-hatch-homicide-cellphone-texts-1.3821821) that police "will be sending texts to about 7,500 people on Thursday to ask for information" to individuals that were, according to the cell phone tower logs, within the tower area near the time of the incident.

While we have heard lots of stories about cell phone tower logs being used in policing before (they are even discussed at length in Season 1 of Serial), I think this is the first case where they have been used to actively contact potential witnesses.

A news release by the police states that the texts will ask the recipient to "voluntarily answer a few simple questions to possibly help the Ontario Provincial Police solve this murder". CBC reports that "Investigators will also consider calling the numbers of people who don't respond voluntarily, but they would be required to obtain another court order to do so."

On one hand, this seems like the natural progression from the traditional approach of canvassing local residents by putting up flyers and knocking on doors. Indeed, the investigators use the term "digital canvas" to describe their plan.

On the other hand, I think one can reasonably ask — Are we OK with this approach? For example, presumably, it would be possible to get a better view of who was in the area by checking credit card transaction logs for all stores within the area. License plate readers and speed cameras might also give information about which vehicles were in the area. There are many levels of tracking that could be used simultaneously as a means of generating lists. The question is, do we want this to happen whenever there is a major crime? A minor one? Maybe this is just how things work now, and it really is no different than walking around, knocking on doors. I figured it was worth a discussion at the very least.

Submission + - SPAM: Search Risk – How Google Almost Killed ProtonMail

An anonymous reader writes: Excerpts from article:
"For nearly a year, Google was hiding ProtonMail from search results for queries such as ‘secure email’ and ‘encrypted email’."

"The danger is that any service such as ProtonMail can easily be suppressed by either search companies, or the governments that control those search companies. This can happen even across national borders. For example, even though Google is an American company, it controls over 90% of European search traffic. In this case, Google directly caused ProtonMail’s growth rate worldwide to be reduced by over 25% for over 10 months."


Submission + - FCC plans to make DD-WRT illegal to use (cnx-software.com) 2

An anonymous reader writes: Recent FCC rules have made it illegal for users to modify transmit power and other similar functions on personal WiFi access points. This makes loading custom illegal and opens easy backdoors into your network. Could this be the end of wireless?

Submission + - Could the Slashdot community take control of Slashdot? 10

turp182 writes: This is intended to be an idea generation story for how the community itself could purchase and then control Slashdot. If this happened I believe a lot of former users would at least come and take a look, and some of them would participate again.

This is not about improving the site, only about acquiring the site.

First, here's what we know:
1. DHI (Dice) paid $20 million for Slashdot, SourceForge, and Freecode, purchased from Geeknet back in 2012:
    http://techcrunch.com/2012/09/...
2. Slashdot has an Alexa Global Rank of 1,689; obtaining actual traffic numbers requires money to see:
    http://www.alexa.com/siteinfo/...
3. According to Quantcast, Slashdot has over 250,000 unique monthly views:
    https://www.quantcast.com/slas...
4. Per an Ars Technica article, Slashdot Media (Slashdot and SourceForge) had 2015Q2 revenues of $1.7 million and has expected full year revenues of $15-$16 million (which doesn't make sense given the quarterly number):
    http://arstechnica.com/informa...

Next, things we don't know:
0. Is Slashdot viable without a corporate owner? (the only question that matters)
1. What would DHI (Dice) sell Slashdot for? Would they split it from Sourceforge?
2. What are the hosting and equipment costs?
3. What are the personnel costs (editors, advertising sales force, etc.)?
4. What other expenses does the site incur (legal for example)?
5. What is Slashdot's portion of the revenue of Slashdot Media?

These questions would need to be answered in order to valuate the site. Getting that info and performing the valuation would require expensive professional services.

What are possible ways we could proceed?

In my opinion, a non-profit organization would be the best route.

Finally, the hard part: Funding. Here are some ideas.

1. Benefactor(s) — It would be very nice to have people with some wealth that could help.
2. Crowdfunding/Kickstarter — I would contribute to such an effort; I think a lot of Slashdotters would contribute. I think this would need to be a part of the funding rather than all of it.
3. Grants and Corporate Donations — Slashdot has a wide and varied membership and audience. We regularly see posts from people that work at Google, Apple, and Microsoft. And at universities. We are developers (like me), scientists, experts, and also ordinary (also like me). A revived Slashdot could be a corporate cause in the world of tax deductions for companies.
4. ????
5. Profit!

Oh, the last thing: Is this even a relevant conversation?

I can't say. I think timing is the problem, with generating funds and access to financial information (probably won't get this without the funds) being the most critical barriers. Someone will buy the site, we're inside the top 2,000 global sites per info above.

The best solution, I believe, is to find a large corporate "sponsor" willing to help with the initial purchase and to be the recipient of any crowd sourcing funds to help repay them. The key is the site would have to have autonomy as a separate organization. They could have prime advertising space (so we should focus on IBM...) with the goal of repaying the sponsor in full over time (no interest please?).

The second best is seeking a combination of "legal pledges" from companies/schools/organizations combined with crowdsourcing. This could get access to the necessary financials.

Also problematic, from a time perspective, is that a group of people would need to be formed to handle organization (managing fundraising/crowdsourcing) and interactions with DHI (Dice). All volunteer for sure.

Is this even a relevant conversation? I say it is; I actually love Slashdot. It offers fun, entertaining, and enlightening conversation (I browse above the sewer), and I find the article selection interesting (this gyrates, but I still check a lot).

And to finish, the most critical question: Is Slashdot financially viable as an independent organization?

Submission + - Ask Slashdot: What Web Platform For A Small Municipality?

r3dR0v3r writes: I have the opportunity to help improve / replace the website of my small U.S. town (~6000 people). The town leaders are open to most any suggestions, and are open to the idea of having the website facilitate a more open government — by being a place at which town documents, meeting agendas, meeting minutes, legal forms, ordinances, etc. can be found in an organized way and downloaded. And of course the site should provide general info about the town, its services, recreation opportunities, etc. Now, we have no budget, so we'll be looking at free/open software. I've considered options such as Drupal, but I'm doing this as volunteer work so I don't want to start from scratch and spend overly much time. Thus, I'm looking for advice about any existing platforms made specifically for municipalities as a great way to get a jump start. I'm guessing there are other Slashdotters that have helped their communities in this way. Your suggestions please?
Security

Submission + - Ask Slashdot: Router Security Vulnerability?

An anonymous reader writes: I am a freelance security/pentest consultant. I've discovered the modem/routers my local ISP leases out to customers are affected by a security vulnerability that would allow an attacker to (relatively easily) gain root access. The vulnerability is publicly known, and the manufacturer is aware of the issue and has since released a firmware update resolving it. However, unless you are a service provider, there is no way for an end-user to get the update individually.

After numerous failed attempts at contacting anyone at the corporate office of my ISP (customer service tech support was hopeless), I got in touch with someone from the manufacturer who notified me about the firmware update. Filing a CERT report does not seem like an option as the issue has already been addressed by the OEM, but what can I do to get my ISP to take action? How about the thousands of other customers potentially affected?
The Internet

Submission + - U.S Congressman Wants to Ban Internet Bills (gizmodo.com)

SchrodingerZ writes: "Representative Darrell Issa, a Republican congressman from California, has drafted a bill for the internet. The bill, aptly named the Internet American Moratorium Act (IAMA), is, "a two-year moratorium on any new laws, rules or regulations governing the Internet." In short it hopes to deny any new government bills related to lawmaking on the internet for the next two years. The bill was first made public on the website Reddit, and is currently on the front page of Keepthewebopen.com, a website advocating internet rights. "Together we can make Washington take a break from messing w/ the Internet," Issa writes on his Reddit post. The initial response to the bill has been mixed. Users of Reddit are skeptical of the paper's motives and credibility. As of now, the bill is just a discussion draft; whether it will gain footing in the future is up in the air."

Submission + - InTrade bans U.S. customers. (intrade.com)

MyFirstNameIsPaul writes: "In an announcement dated Monday, Nov 26, 2012, Dublin-based InTrade stated "that due to legal and regulatory pressures, Intrade can no longer allow US residents to participate in our real-money prediction markets." The Washington Post reports that the Commodity Futures Trading Commission filed a complaint in federal court against InTrade for "illegally facilitating bets on future economic data, the price of gold and even acts of war," demonstrating just how far the long arm of U.S. law can reach."
Privacy

Submission + - "Anonymous" File-Sharing Darknet Ruled Illegal by German Court (torrentfreak.com)

An anonymous reader writes: A court in Hamburg, Germany, has granted an injunction against a user of the anonymous and encrypted file-sharing network RetroShare. RetroShare users exchange data through encrypted transfers and the network setup ensures that the true sender of the file is always obfuscated. The court, however, has now ruled that RetroShare users who act as an exit node are liable for the encrypted traffic that's sent by others.