Java

Muni System Hacker Hit Others By Scanning For Year-Old Java Vulnerability (arstechnica.com) 30

An anonymous reader quotes a report from Ars Technica: The attacker who infected servers and desktop computers at the San Francisco Metropolitan Transit Agency (SFMTA) with ransomware on November 25 apparently gained access to the agency's network by way of a known vulnerability in an Oracle WebLogic server. That vulnerability is similar to the one used to hack a Maryland hospital network's systems in April and infect multiple hospitals with crypto-ransomware. And evidence suggests that SFMTA wasn't specifically targeted by the attackers; the agency just came up as a target of opportunity through a vulnerability scan. In an e-mail to Ars, SFMTA spokesperson Paul Rose said that on November 25, "we became aware of a potential security issue with our computer systems, including e-mail." The ransomware "encrypted some systems mainly affecting computer workstations," he said, "as well as access to various systems. However, the SFMTA network was not breached from the outside, nor did hackers gain entry through our firewalls. Muni operations and safety were not affected. Our customer payment systems were not hacked. Also, despite media reports, no data was accessed from any of our servers." That description of the ransomware attack is not consistent with some of the evidence of previous ransomware attacks by those behind the SFMTA incident -- which Rose said primarily affected about 900 desktop computers throughout the agency. Based on communications uncovered from the ransomware operator behind the Muni attack published by security reporter Brian Krebs, an SFMTA Web-facing server was likely compromised by what is referred to as a "deserialization" attack after it was identified by a vulnerability scan. 
A security researcher told Krebs that he had been able to gain access to the mailbox used in the malware attack on the Russian e-mail and search provider Yandex by guessing its owner's security question, and he provided details from the mailbox and another linked mailbox on Yandex. Based on details found in e-mails for the accounts, the attacker ran a server loaded with open source vulnerability scanning tools to identify and compromise servers to use in spreading the ransomware, known as HDDCryptor and Mamba, within multiple organizations' networks.
Security

Holding Shift + F10 During Windows 10 Updates Opens Root CLI, Bypasses BitLocker (bleepingcomputer.com) 138

An anonymous reader quotes a report from BleepingComputer: Windows security expert and infrastructure trainer Sami Laiho says that by holding SHIFT + F10 while a Windows 10 computer is installing a new OS build, an attacker can open a command-line interface with SYSTEM privileges. This CLI debugging interface also grants the attacker full access to the computer's hard drive data, despite the presence of BitLocker. The CLI debugging interface is present when updating to new Windows 10 and Windows 10 Insiders builds. The most obvious exploitation scenario is when a user leaves his computer unattended during the update procedure. A malicious insider can open the CLI debugger and perform malicious operations under a root user, despite BitLocker's presence. But there are other scenarios where Laiho's SHIFT + F10 trick can come in handy. For example when police have seized computers from users who deployed BitLocker or when someone steals your laptop. Windows 10 defaults help police/thieves in this case because these defaults forcibly update computers, even if the user hasn't logged on for weeks or months. This CLI debugging interface grants the attacker full access to the computer's hard drive, despite the presence of BitLocker. The reason is that during the Windows 10 update procedure, the OS disables BitLocker while the Windows PE (Preinstallation Environment) installs a new image of the main Windows 10 operating system. "This [update procedure] has a feature for troubleshooting that allows you to press SHIFT + F10 to get a Command Prompt," Laiho writes on his blog. "The real issue here is the Elevation of Privilege that takes a non-admin to SYSTEM (the root of Windows) even on a BitLocker (Microsoft's hard disk encryption) protected machine." Laiho informed Microsoft of the issue and the company is apparently working on a fix.
Government

It Will Soon Be Illegal To Punish Customers Who Criticize Businesses Online (arstechnica.com) 154

An anonymous reader quotes a report from Ars Technica: Congress has passed a law protecting the right of U.S. consumers to post negative online reviews without fear of retaliation from companies. The bipartisan Consumer Review Fairness Act was passed by unanimous consent in the U.S. Senate yesterday, a Senate Commerce Committee announcement said. The bill, introduced in 2014, was already approved by the House of Representatives and now awaits President Obama's signature. The Consumer Review Fairness Act -- full text available here -- voids any provision in a form contract that prohibits or restricts customers from posting reviews about the goods, services, or conduct of the company providing the product or service. It also voids provisions that impose penalties or fees on customers for posting online reviews as well as those that require customers to give up the intellectual property rights related to such reviews. The legislation empowers the Federal Trade Commission to enforce the new law and impose penalties when necessary. The bill also protects reviews that aren't available via the Internet.
EU

Europe Is Getting a Network of 'Ultra-Fast, High-Powered' EV Chargers (theverge.com) 72

An anonymous reader quotes a report from The Verge: BMW Group, Daimler AG, Ford, and Volkswagen have entered into a partnership to create a network of high-speed charging stations for electric vehicles across Europe. The new chargers will be capable of doling out up to 350 kW of power -- which would make them almost three times as powerful as Tesla's Supercharging stations. The result will be "the highest-powered charging network in Europe," according to a statement released by the manufacturers. The automakers say that construction will begin in 2017 with "about 400 sites" being targeted, and that the network will have "thousands of high-powered charging points" available by 2020. Those four major conglomerates will be "equal partners" in the joint venture, but according to the statement they are encouraging other manufacturers to "participate in the network." One of the reasons for bothering to call on other automakers to hook into this system is because there's a standards war happening with fast charging networks. The charging network announced today will use the Combined Charging System (CCS) technology, which is what most major automakers already use for their EVs. But Nissan, Toyota, and Honda are notable holdouts from CCS, because many of their EVs and plug-in hybrids use a competing standard known as CHAdeMO.
Microsoft

Microsoft Brings Collaborative Editing To PowerPoint On Desktop (venturebeat.com) 38

Microsoft today said that it has enhanced certain versions of its PowerPoint presentation-building program with real-time collaborative editing. VentureBeat adds: This feature came to Word on desktop last year. And before that it was available through Office Online. Microsoft said last year that real-time coauthoring would come to all of its desktop apps, and now Microsoft is executing on that commitment. Just like in Google Docs, Sheets, and Slides, this feature lets you "see what others are typing as it happens on a given slide," Microsoft Office corporate vice president Kirk Koenigsbauer wrote in a blog post. The feature is live now in PowerPoint on Windows for people who subscribe to Office 365 and belong to the Office Insider program. In addition, it's now available to everyone in PowerPoint Mobile on Windows tablets, Koenigsbauer wrote.

Submission + - What's the best Linux Laptop?

sconeu writes: This came up in the "Which laptop could replace a Macbook Pro?" story. It was rightfully marked off-topic there, but I thought it might make an interesting discussion.

I'm currently looking into replacing my 10-year-old Toshiba Satellite with a newer laptop. I'm looking to run some flavor of Linux (probably KDE based UI, but not mandatory) while using a VM to run Win 7 (for stuff needed for work).

For me, personally, battery life and weight are more important than raw power. I'm not going to be running games on this.

I've been considering an XPS 13 Developer Edition, or something from System76, ZaReason or Emperor Linux.

What laptop do you use? Do you have any suggestions?
Communications

The UK Is About to Legalize Mass Surveillance [Update] (vice.com) 392

From a report on Motherboard: On Tuesday, the UK is due to pass its controversial new surveillance law, the Investigatory Powers Act, according to the Home Office. The Act, which has received overwhelming support in both the House of Commons and Lords, formally legalizes a number of mass surveillance programs revealed by Edward Snowden in 2013. It also introduces a new power which will force internet service providers to store browsing data on all customers for 12 months. Civil liberties campaigners have described the Act as one of the most extreme surveillance laws in any democracy, while law enforcement agencies believe that the collection of browsing data is vital in an age of ubiquitous internet communications. "The Investigatory Powers Act 2016 will ensure that law enforcement and the security and intelligence agencies have the powers they need in a digital age to disrupt terrorist attacks, subject to strict safeguards and world-leading oversight," a statement from the Home Office reads. Much of the Act gives stronger legal footing to the UK's various bulk powers, including "bulk interception," which is, in general terms, the collection of internet and phone communications en masse. In June 2013, using documents provided by Edward Snowden, The Guardian revealed that the GCHQ taps fibre-optic undersea cables in order to intercept emails, internet histories, calls, and a wealth of other data. Update: The "Snooper's charter" bill has become law. The home secretary said: "The Investigatory Powers Act is world-leading legislation, that provides unprecedented transparency and substantial privacy protection. "The government is clear that, at a time of heightened security threat, it is essential our law enforcement and security and intelligence services have the power they need to keep people safe. The internet presents new opportunities for terrorists and we must ensure we have the capabilities to confront this challenge. But it is also right that these powers are subject to strict safeguards and rigorous oversight."
AT&T

AT&T Unveils DirecTV Now Streaming TV Service With Over 100 Channels (theverge.com) 80

AT&T has officially unveiled its DirecTV Now internet TV streaming service, which launches Wednesday, November 30th, in the U.S. on iPhone, Android, Amazon Fire TV, Chromecast, and PC/Mac, starting at $35 per month. The Verge reports: Like its over-the-top rivals, DirecTV Now will let customers stream live programming on smartphones, tablets, and PCs -- no cable box necessary -- and requires no long-term contracts or commitments. For a limited time, AT&T will offer the "Go Big" channel tier with 100 channels for $35 per month. If you sign up in time, the offer will remain valid each month until you cancel. But that $35 rate is not the long-term pricing for 100+ channels. DirecTV Now offers step-up subscriptions that include other channels and content for a higher monthly cost. AT&T has signed programming agreements with nearly all major networks with the exception of CBS and Showtime; negotiations with those companies remain ongoing. DirecTV Now allows customers to watch up to two streams simultaneously. HBO and Cinemax can be added to any of these packages for just $5 extra (each) per month. DirecTV Now is "zero rated" for the company's wireless customers, so regardless of how much time they spend streaming, that activity will have no impact on data usage for their monthly bill. Importantly, while these are the subscription rates as of today, the company is being straightforward about the possibility of increases in the future. AT&T also plans to air original shows including a Taylor Swift series.
Government

EPA Increases Amount of Renewable Fuel To Be Blended Into Gasoline (arstechnica.com) 350

An anonymous reader quotes a report from Ars Technica: Last week the Environmental Protection Agency (EPA) announced its final renewable fuel standards for 2017, requiring that fuel suppliers blend an additional 1.2 billion gallons of renewable fuel into U.S. gas and diesel from 2016 levels. The rule breaks down the requirements to include quotas for cellulosic biofuels, biomass-based diesel, advanced biofuel, and traditional renewable fuel. Reuters points out that the aggressive new biofuel standards will create a dilemma for an incoming Trump administration, given that his campaign courted both the gas and corn industries. While the EPA under the Obama administration has continually increased so-called renewable fuel standards (RFS), the standards were first adopted by a majority-Republican Congress in 2005 and then bolstered in 2007 with a requirement to incorporate 36 billion gallons of renewable fuel into the fuel supply by 2022, barring "a determination that implementation of the program is causing severe economic or environmental harm," as the EPA writes. Some biofuels are controversial not just for oil and gas suppliers but for some wildlife advocates as well. Collin O'Mara, CEO of the National Wildlife Federation, said in a statement that the corn ethanol industry that most stands to benefit from the EPA's expansion of the renewable fuel standards "is responsible for the destruction of millions of acres of wildlife habitat and degradation of water quality." Still, the EPA contends that biofuels made from corn and other regenerating plants offer reductions in overall fuel emissions, if the processes used to make and transport the fuels are included. "Advanced biofuels" will offer "50 percent lifecycle carbon emissions reductions," and their share of the new standards will grow by 700 million gallons in 2017 from 2016 requirements, the EPA says. 
Cellulosic biofuel will be increased by 81 million gallons and biomass-based diesel will be increased by 100 million gallons. "Non-advanced or 'conventional' renewable fuel" will be increased to 19.28 billion gallons from 18.11 billion gallons in 2016. Conventional renewable fuel "typically refers to ethanol derived from corn starch and must meet a 20 percent lifecycle GHG [greenhouse gas] reduction threshold," according to EPA guidelines. Other kinds of renewable fuels include sugarcane-based ethanol, cellulosic ethanol derived from the stalks, leaves, and cobs leftover from a corn harvest, and compressed natural gas gleaned from wastewater facilities.
China

Microsoft Confirms Its Chinese-Language Chatbot Filters Certain Topics (fortune.com) 19

Microsoft's Chinese-language AI chat bot filters certain topics, the company confirmed Monday, although it did not clarify whether that included interactions deemed politically sensitive. From a report on Fortune: Last week, CNNMoney and China Digital Times reported that Xiaoice would not directly respond to questions surrounding topics deemed sensitive by the Chinese state. References to the Tiananmen Square massacre of 1989 or "Steamed Bun Xi," a nickname of Chinese President Xi Jinping, would draw evasive answers or non sequiturs from the chat bot, according to the report. "Am I stupid? Once I answer you'd take a screengrab," read one answer to a question that contained the words "topple the Communist Party." Even the mention of Donald Trump, the American President-elect, drew an evasive response from the chat bot, according to reports. "I don't want to talk about it," Xiaoice said, reports CNN Money. In response to inquiries from Fortune, Microsoft confirmed that there was some filtering around Xiaoice's interaction. "We are committed to creating the best experience for everyone chatting with Xiaoice," a Microsoft spokesperson tells Fortune. "With this in mind, we have implemented filtering on a range of topics." The tech giant did not further elaborate to which specific topics the filtering applied.
The Almighty Buck

Fearing Tighter US Visa Regime, Indian IT Firms Rush To Hire (moneycontrol.com) 184

From a report on Reuters: Anticipating a more protectionist US technology visa programme under a Donald Trump administration, India's $150 billion IT services sector will speed up acquisitions in the United States and recruit more heavily from college campuses there. Indian companies including Tata Consultancy Services, Infosys, and Wipro have long used H-1B skilled worker visas to fly computer engineers to the US, their largest overseas market, temporarily to service clients. Staff from those three companies accounted for around 86,000 new H-1B workers in 2005-14. The US currently issues close to that number of H-1B visas each year. President-elect Trump's campaign rhetoric, and his pick for Attorney General of Senator Jeff Sessions, a long-time critic of the visa programme, have many expecting a tighter regime.
Microsoft

Microsoft Exec Urges Linux Developers To Try Windows 10 (softpedia.com) 403

An anonymous reader shares a Softpedia article: Microsoft has finally acknowledged the potential that the open-source world in general, and Linux in particular, boasts, so the company is exploring its options to expand in this area with every occasion. Most recently, an episode posted on Channel 9 and entitled "Improvements to Bash on Windows and the Windows Console" with senior program manager Rich Turner calls for Linux developers to give up on their platforms for Windows 10. "Fire up a Windows 10 Insiders' build instance and run your code, run your tools, host your website on Apache, access your MySQL database from your Java code," he explained. Turner went on to point out that the Windows subsystem for Linux is there to provide developers with all the necessary tools to code just like they'd do it on Linux, all without losing the advantages of Windows 10. "Whatever it is that you normally do on Linux to build an application: whether it's in Go, in Erlang, in C, whatever you use, please, give it a try on Bash WSL, and importantly file bugs on us. It really makes our life a lot easier and helps us build a product that we can all use and be far more productive with," he continued. Editor's note: The original title from Softpedia was edited because it was misleading. A Microsoft employee doesn't represent the entire company (at least in this instance he wasn't speaking for the company), and at no point has he asked "all Linux developers" to "give up" on Linux.
Microsoft

Microsoft Update Servers Left All Azure RHEL Instances Hackable (theregister.co.uk) 35

An anonymous reader shares a report on The Register: Microsoft has patched flaws that attackers could exploit to compromise all Azure Red Hat Enterprise Linux (RHEL) instances. Software engineer Ian Duffy found the flaws while building a secure RHEL image for Microsoft Azure. During that process he noticed an installation script Azure uses in its preconfigured RPM Package Manager contains build host information that allows attackers to find all four Red Hat Update Appliances which expose REST APIs over HTTPS. From there Duffy found a package labeled PrepareRHUI (Red Hat Update Infrastructure) that runs on all Azure RHEL boxes, and contains the rhui-monitor.cloud build host. Duffy accessed that host and found it had broken username and password authentication. This allowed him to access a backend log collector application which returned logs and configuration files along with an SSL certificate that granted full administrative access to the four Red Hat Update Appliances. Duffy says all Azure RHEL images are configured without GPG validation checks meaning all would accept malicious package updates on their next run of yum updates.
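The last point in the report is the one an administrator can check on their own machines: a yum repository definition with `gpgcheck=0` (or no `gpgcheck` line at all) will install whatever the update server hands out, so a compromised update appliance turns straight into compromised hosts. The script below is an added example, not code from The Register, Ian Duffy, Microsoft or Red Hat: it audits `.repo` files for repositories that skip signature checks, rewrites them with `gpgcheck=1`, and flags repositories that enable checking but name no `gpgkey`. The repository names, hostnames and file contents are constructed for illustration; it does not reproduce the real Azure RHUI configuration.

```shell
#!/bin/sh
# Added example: audit yum/dnf repository files for disabled GPG signature
# checks. Repo ids, URLs and key paths below are constructed, not Azure's.

# audit_repo_file FILE
# Prints "<repo-id> <status>" per [section]:
#   WEAK  - gpgcheck=0 or no gpgcheck line (treated as weak, conservatively)
#   NOKEY - gpgcheck=1 but no gpgkey, so verification cannot succeed
#   ok    - gpgcheck=1 with a gpgkey entry
audit_repo_file() {
    awk '
    function flush() {
        if (repo != "") {
            if (gpg != "1") status = "WEAK"
            else if (key == "") status = "NOKEY"
            else status = "ok"
            print repo, status
        }
    }
    /^\[.*\]$/ { flush(); repo = substr($0, 2, length($0) - 2); gpg = ""; key = ""; next }
    /^[ \t]*gpgcheck[ \t]*=/ { split($0, kv, "="); gsub(/[ \t]/, "", kv[2]); gpg = kv[2] }
    /^[ \t]*gpgkey[ \t]*=/   { key = $0; sub(/^[ \t]*gpgkey[ \t]*=[ \t]*/, "", key) }
    END { flush() }
    ' "$1"
}

# count_weak FILE: number of sections whose signature check is off or missing.
count_weak() {
    audit_repo_file "$1" | awk '$2 == "WEAK" { n++ } END { print n + 0 }'
}

# harden_repo_file FILE: copy of FILE on stdout with gpgcheck=1 in every
# section (existing gpgcheck lines replaced, missing ones appended).
harden_repo_file() {
    awk '
    function flush() { if (insec && !seen) print "gpgcheck=1" }
    /^\[.*\]$/ { flush(); insec = 1; seen = 0; print; next }
    /^[ \t]*gpgcheck[ \t]*=/ { print "gpgcheck=1"; seen = 1; next }
    { print }
    END { flush() }
    ' "$1"
}

# write_sample_repo FILE: constructed sample with two weak repos and one good one.
write_sample_repo() {
    cat > "$1" <<'EOF'
[rhui-azure-base]
name=Constructed RHUI base repo (example, checks disabled)
baseurl=https://rhui.example.invalid/base/
enabled=1
gpgcheck=0

[rhui-azure-extras]
name=Constructed extras repo (example, gpgcheck absent)
baseurl=https://rhui.example.invalid/extras/
enabled=1

[signed-mirror]
name=Constructed repo with signature checking (example)
baseurl=https://mirror.example.invalid/signed/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example
EOF
}

# Demo run on the constructed sample in a temporary directory.
demo_dir=$(mktemp -d)
write_sample_repo "$demo_dir/sample.repo"
echo "Before hardening:"
audit_repo_file "$demo_dir/sample.repo"
harden_repo_file "$demo_dir/sample.repo" > "$demo_dir/hardened.repo"
echo "After hardening:"
audit_repo_file "$demo_dir/hardened.repo"
rm -rf "$demo_dir"
```

On a real host, run `audit_repo_file` over `/etc/yum.repos.d/*.repo` (and check the `gpgcheck` default in `/etc/yum.conf`). Note that `harden_repo_file` only flips the switch: a repository it turns on still reports `NOKEY` until an administrator adds the vendor's trusted `gpgkey`, because `gpgcheck=1` without a key makes installs fail rather than making them safe.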
Bug

iOS 10.1.1 Is Causing Battery Issues For Many iPhone Users (itwire.com) 91

An anonymous reader writes: A recent iOS update to 10.1.1 to fix Apple's Health application has had unintended consequences for many users -- shutdown at 30% battery remaining and lack of audio using Apple Earpods. Users on an Apple forum report that the battery indicator jumps from 30% to 1% (dubbed the 30% bug) and a reboot is required where the phone then runs for a few more hours. Some have taken the iPhone back to receive a replacement only to find the same thing happens. Apple has not responded to the 11 pages of forum complaints but apparently, Genius Bar staff have identified unusual discharging of the battery -- which does not make sense if a reboot temporarily fixes the issue and returns the battery indicator to 30%. It also appears to affect all versions of iPhone that support iOS 10.x.
Government

Will Trump Protect America's IT Workers From H-1B Visa Abuses? (cio.com.au) 399

Monday president-elect Donald Trump sent "the strongest signal yet that the H-1B visa program is going to get real scrutiny once he takes office," according to CIO. Slashdot reader OverTheGeicoE summarizes their report: President-elect Donald Trump released a video message outlining his policy plans for his first 100 days in office. At 1 minute, 56 seconds into the message, he states that he will direct the Department of Labor to investigate "all abuses of the visa programs that undercut the American worker." During his presidential campaign, Trump was critical of the H-1B visa program that has been widely criticized for displacing U.S. high-technology workers. "Companies are importing low-wage workers on H-1B visas to take jobs from young college-trained Americans," said Trump at an Ohio rally. At other rallies, Trump invited former IT workers from Disney who had been forced to train their H-1B replacements to speak.
"What he didn't say was that he was going to close the door to skilled immigrants," one tech entrepreneur told CNN Money -- although Trump's selection for attorney general has called the shortage of qualified American tech workers "a hoax".
