Follow Slashdot blog updates by subscribing to our blog RSS feed


Forgot your password?
DEAL: For $25 - Add A Second Phone Number To Your Smartphone for life! Use promo code SLASHDOT25. Also, Slashdot's Facebook page has a chat bot now. Message it for stories and more. Check out the new SourceForge HTML5 Internet speed test! ×

Submission + - Lenovo pre-installs malware injecting ads and spoofing SSL certs (

janoc writes: Lenovo is pre-installing adware/malware called Superfish on their laptops which serves ads for products you may be browsing/shopping for, "but cheaper". Unfortunately it also breaks into SSL sessions by installing a false root certificate, allowing for potential snooping on secure sessions.

Submission + - Silk Road 2.0 Seized By FBI, Alleged Founder Arrested In San Francisco

blottsie writes: The FBI has arrested the online persona "Defcon," identified as Blake Benthall, a 26-year-old in San Francisco, who the agency claims ran the massive online black market Silk Road 2.0. Benthall's FBI arrest comes a year after that of Ross Ulbricht, also from San Francisco, who's alleged mastermind of the original Silk Road and still awaiting trial.

The largest of those reported down is Silk Road 2.0. But a host of smaller markets also seized by law enforcement include Appaca, BlueSky, Cloud9, Hydra, Onionshop, Pandora, and TheHub.

Submission + - Drupal patches critical SQL Injection vulnerability, SA-CORE-2014-005

newfurniturey writes:

Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks.
A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks.

It is, relatively, rare to find core vulnerabilities in content management platforms, but when they are found, they're normally great! The security advisory SA-CORE-2014-005 states that Drupal core 7.x versions prior to 7.3.2 are affected and they have already released both an upgrade and standalone patch to resolve the issue.

Submission + - Dairy Queen's new flavor - Backoff malware (

newfurniturey writes: Dairy Queen is the latest retailer to come forward about discovering their Point-of-Sale (PoS) systems are infected by data-stealing malware, in this case the common one known as the Backoff Point-of-Sale Malware. The difference between Dairy Queen and say Target or Home Depot is that the majority of Dairy Queen stores are franchise-owned, though they often share the same PoS infrastructure.

As a result of our investigation, we discovered evidence that the systems of some DQ locations and one Orange Julius location were infected with the widely-reported Backoff malware that is targeting retailers across the country. The investigation revealed that a third-party vendor’s compromised account credentials were used to access systems at those locations.

The affected systems contained customers’ names, payment card numbers and expiration dates. We have no evidence that other customer personal information, such as Social Security numbers, PINs or email addresses, were compromised as a result of this malware infection.

Submission + - Can anything escape a black hole? (

Annanag writes: *Nothing* escapes a black hole, right? Except 40 years ago Stephen Hawking threw a spanner in the works by suggesting that, courtesy of quantum mechanics, some light particles can actually break free of a black hole's massive pull. Then you have the tantalising question of whether information can also escape, encoded in that so-called 'Hawking radiation'. The only problem being that no one has ever been able to detect Hawking radiation being emitted from a black hole. BUT a physicist has now come closer than ever before to creating an imitation of a black hole event horizon in the lab, opening up a potential avenue for investigating Hawking radiation and exploring how quantum mechanics and general relativity might be brought together.

Submission + - PETA is not happy that Google used a camel to get a desert "StreetView" (

flopwich writes: So Google used a camel-mounted camera to get a "street view" of a stretch of desert in the United Arab Emirates. PETA's director is all sniffy about it, saying they should have used jeeps. Oblivious to PETA's opinion, the camel in the video, munching food as it carries the camera, really doesn't look like it minds all that much.

Comment CISO of Yahoo says "not Shellshock" (Score 1) 69

Alex Stamos, the CISO of Yahoo, posted an in-response bulletin on Hacker News to clear up the rumor that this breach was caused by Shellshock.

Straight to the point, he states that it was not Shellshock that the system was vulnerable to but a separate command-injection vulnerability in their log parsing scripts. Though... Shellshock itself is a command-injection / parsing vulnerability so I'm sure many will skip over the technicalities and consider them one-in-the-same.

At first I was surprised that he came forward and gave explicit details that, well, can now be targeted against. On the other hand, I think it's pretty cool of them to be so open (either that, or they really didn't want to be the "large company" that was effected by Shellshock =P).

Submission + - "Rosetta Flash" attack leverages JSONP callbacks to steal cookies! (

newfurniturey writes: A new Flash and JSONP attack combination has been revealed to the public today dubbed the "Rosetta Flash" attack..

JSONP callback functions normally return a JSON blob wrapped in a user-specified callback function which the browser will then execute as JavaScript. Nothing out of the ordinary here. However, the "Rosetta Stone" attack has leveraged a method of crafting a Flash file to contain a restricted character set that's usable within JSONP callbacks (i.e. in a URL). By combining the two, the attack demonstrates it's possible to use a JSONP URL with the contents of the crafted flash file as the callback function. When set as the data of a standard HTML object tag, the SWF file executes on the site being targeted bypassing all Same-Origin policies in place.

Services such as Google, YouTube, Twitter, Tumblr and eBay were found vulnerable to this attack; however, several were patched prior to the public release and Tumblr has patched within hours of the release.

Comment Comments based on experience? (Score 0) 516

When Microsoft first announced Windows 8, the bashing began (as usual and expected). "Metro's bad", "no Start Menu", yada yada.

Now, fast forward to today - Windows 8.1 and still no Start Menu. Is it really that bad? How many users that are commenting here, complaining about it, have actually tried it? Does it truly hinder your ability to use the computer?

I, for one, have not tried Windows 8. Not because I don't like the idea of it but because I'm still on Windows 7 and have no need to actually upgrade yet. However, I have *seen* both PCs and laptops with Windows 8 (neither with touch screen) and it actually looked pretty good. Both switched from the Metro-giant-buttons screen over to the desktop and it looked like a normal computer with a normal version of Windows on it, nothing crazy.

The primary reason I'm not going to issue a complaint about the "no Start Menu" isn't because I haven't actually tried Windows 8 and dislike it, it's because as an actual "power user" of Windows, I don't use the Start Menu that much. WinKey+R to run whatever I need, main apps pinned to the taskbar, "My Computer" / "Documents" icons available on the desktop - everything one double-click away. My linux boxes are quite similar (except the WinKey+R, of course =P).

Are there any users out there that actually had their "experience" ruined because they didn't have a Start Menu and, if so, why / how?

Comment Not too convincing... (Score 4, Insightful) 60

The linked article has zero information regarding this attack and instead focuses on eBay's attack history; once more, it also links to it's own eBay page so +1 for that.

The one hint it does include is a picture and in the picture you can see that the JavaScript is being inserted into the title of the listing (not sure if that's the actual vulnerability or not though). However, as a security researcher, showing a PoC against a large company requires more than a simple alert(1) and instead should use something such as alert(document.domain). The reason for document.domain is because it will show what hostname the JavaScript is executing under - which means everything when it comes to security.

If this is really an XSS hole and eBay comes back with "it's not that bad", there's a good chance that the JavaScript is executing in an iframe on a separate domain which means attackers would not have important access such as a user's cookies / etc. Instead, they'll only be able to execute arbitrary JavaScript (which is bad, but nothing worse than setting up a bad domain and using SEO tricks to drive traffic to it).

Can anyone find a more relevant article that spills out the actual details of this, or maybe one that includes the actual PoC this researcher has created?

Submission + - Tumblr, joining the ranks with full SSL

newfurniturey writes: Hopping on the privacy train, Tumblr. now offers opt-in SSL to all users. Their directly-to-the-point Staff post is worded to attract as many users as possible, tech-friendly or not, to the adoption of enabling SSL for the site:

You can now take extra precaution against hackers and snoops by enabling SSL security on your Tumblr Dashboard. Just head over to your Account Settings and flip the switch.

"Any reason I shouldn’t do this?" Nope, not really. It doesn’t change anything about the dashboard, it just encrypts your connection to it. We’ve been using it for weeks and haven’t even noticed. So, yeah, turn it on and forget about it. Easy.

Slashdot Top Deals

Executive ability is deciding quickly and getting somebody else to do the work. -- John G. Pollard