Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
Bug

Apple Will Finally Let Developers Respond To App Store Reviews (techcrunch.com) 45

An anonymous reader shares a TechCrunch report: Apple is finally going to give its developers a way to respond to customer reviews on its App Store and Mac App Store -- a feature that's long been available to Android developers on Google Play, much to the chagrin of the Apple developer community. According to developer documentation for the iOS 10.3 beta, when this version of Apple's mobile operating ships, developers will also be able to ask for reviews in new ways, in addition to responding to those posted publicly on the App Store. Apple's ratings and reviews system has felt antiquated, and has been a source of frustration for developers and users alike. When a customer leaves a negative review, developers couldn't respond to the criticism -- which is sometimes unwarranted -- in a way that other App Store customers could see. For example, a customer may be misunderstanding a feature, or may have complained about a bug that's been fixed in a later release.
Australia

Australia Plans Biometric Border Control (bbc.com) 70

The Australian government is planning to allow 90% of travellers to pass through passport control without human help by 2020. From a report: With a $100m budget, it has begun the search for technology companies that could provide biometric systems, such as facial, iris and fingerprint recognition. Head of border security John Coyne said it could be a "world first." But critics have questioned the privacy implications of such a system. "Biometrics are now going in leaps and bounds, and our ability to harness the power of big data is increasing exponentially," Mr Coyne told the Sydney Morning Herald. The department of border security hopes to pilot the "Seamless Traveller" project in Canberra this summer, with rollout to larger airports scheduled to be completed by spring 2019.
United States

Yahoo Sale To Verizon Delayed After Hack Disclosures (securityweek.com) 11

wiredmikey quotes a report from SecurityWeek: Yahoo said Monday that the closing of a $4.8 billion deal to sell its core internet assets to U.S. telecom titan Verizon has been delayed several months. A close originally set for this quarter has been pushed into next quarter, and has been thrown into doubt following disclosures of two huge data breaches. Yahoo announced in September that hackers in 2014 stole personal data from more than 500 million of its user accounts. It admitted another cyberattack in December, this one dating from 2013, affecting over a billion users. The U.S. Securities and Exchange Commission has opened an investigation into whether Yahoo should have informed investors sooner about the two major data breaches.
Security

Ransomware Infects All St Louis Public Library Computers (theguardian.com) 158

An anonymous reader quotes a report from The Guardian: Libraries in St Louis have been bought to a standstill after computers in all the city's libraries were infected with ransomware, a particularly virulent form of computer virus used to extort money from victims. Hackers are demanding $35,000 (£28,000) to restore the system after the cyberattack, which affected 700 computers across the Missouri city's 16 public libraries. The hackers demanded the money in electronic currency bitcoin, but, as CNN reports, the authority has refused to pay for a code that would unlock the machines. As a result, the library authority has said it will wipe its entire computer system and rebuild it from scratch, a solution that may take weeks. On Friday, St Louis public library announced it had managed to regain control of its servers, with tech staff continuing to work to restore borrowing services. The 16 libraries have all remained open, but computers continue to be off limits to the public. Spokeswoman Jen Hatton told CNN that the attack had hit the city's schoolchildren and its poor worst, as many do not have access to the internet at home. "For many [...] we're their only access to the internet," she said. "Some of them have a smartphone, but they don't have a data plan. They come in and use the wifi." As well as causing the loans system to seize up, preventing borrowers from checking out or returning books, the attack froze all computers, leaving no one able to access the four million items that should be available through the service. The system is believed to have been infected through a centralized computer server, and staff emails have also been frozen by the virus. The FBI has been called in to investigate.
Government

Yahoo Faces SEC Probe Over Data Breaches (wsj.com) 19

New submitter Linorgese quotes a report from The Wall Street Journal (Warning: paywalled; alternate source): U.S. authorities are investigating whether Yahoo Inc.'s two massive data breaches should have been reported sooner to investors, according to people familiar with the matter, in what could prove to be a major test in defining when a company is required to disclose a hack. Last month, the Federal Bureau of Investigation said it had begun an investigation into a 2013 data breach that involved more than 1 billion users' accounts. That followed Yahoo's disclosure that a 2014 intrusion involved about 500 million accounts. As part of its investigation, the SEC last month requested documents from Yahoo, the Journal said, citing persons familiar with the situation. The agency has been seeking a model case for cybersecurity rules it issued in 2011, legal experts told the Journal. In a November 2016 SEC filing, Yahoo noted that it was cooperating with the SEC, Federal Trade Commission and other federal, state, and foreign governmental officials and agencies including "a number of State Attorneys General, and the U.S. Attorney's office for the Southern District of New York." When Yahoo reported the 2014 breach it said that evidence linked it to a state-sponsored attacker. It has not announced a suspected responsibility for the larger 2013 intrusion, but the company has said it does not believe the two breaches are linked.
Movies

FBI Is Probing Sundance Cyberattack That Forced Box Office To Close (hollywoodreporter.com) 35

Over the weekend, the Sundance Film Festival was hacked. "Sundance Film Festival has been subject to a cyberattack, causing network outages that have shut down our box office," said a spokesperson for the festival. "No further information about the attack is available at this time, but our team is working hard to get our system back up and running as soon as possible. All screenings will still take place as planned." According to The Hollywood Reporter, the FBI is now investigating the hack and is working with Sundance officials to identify the culprit. From their report: Although the festival was able to get its ticketing systems back online within an hour of the Saturday breach, multiple other denial-of-service (DDoS) attacks on Sundance's IT infrastructure followed. A DDoS attack works by flooding the bandwidth or resources of a targeted server. A Sundance Film Festival rep offers the following statement: "The FBI is reviewing the case. At this point, we do not have any reason to believe the cyberattack was targeted towards a specific film. No artist or customer information was compromised." At the time of the hack, the festival offered little in the way of explanation of what happened, but hinted that filmmakers at the annual celebration of independent cinema may have been the target. One producer of a Sundance documentary critical of the Russian government believes his film could have played a role in the attack. "There's been speculation that our film may have sparked retribution," Icarus consulting producer Doug Blush tells THR. "It does not paint a flattering picture of [president Vladimir] Putin." Icarus, which made its world premiere at the festival the day before the hack, centers on a Russian doctor who oversaw and then spoke out about Russia's widespread state-sponsored sports doping. The Bryan Fogel-helmed film, which is being pitched to distributors, has played throughout the weekend in Park City at screenings for both press-and-industry and the public. Icarus isn't the only Sundance film that could antagonize the Russian government and Putin. Evgeny Afineevsky's Cries From Syria -- one of several docs tackling the war-torn nation -- also takes a critical look at Putin and Russia's military intervention in Syria. Cries From Syria made its world premiere at Sundance on Sunday, the day after the initial box-office cyberattack.
China

China Cracks Down On International VPN Usage (thestack.com) 65

An anonymous reader writes: China's government has announced a 14-month crackdown on the use of unauthorised Virtual Private Networks (VPNs), commonly used by visitors and native activists, amongst others, to communicate with the world beyond the Great Firewall of China. Sunday's announcement [Chinese] from the Ministry of Industry and Information Technology reiterated regulations first outlined in 2002, but which have since been subject to sparse, selective or lenient enforcement. The new announcement promises a 'clean up' regarding the VPN situation in China, beginning immediately and running until March of 2018.
Security

Android Device's Pattern Lock Can Be Cracked Within Five Attempts, Researchers Show (phys.org) 142

The popular Pattern Lock system used to secure millions of Android phones can be cracked within just five attempts -- and more complicated patterns are the easiest to crack, security experts reveal. From a research paper: Pattern Lock is a security measure that protects devices, such as mobile phones or tablets, and which is preferred by many to PIN codes or text passwords. It is used by around 40 percent of Android device owners. In order to access a device's functions and content, users must first draw a pattern on an on-screen grid of dots. If this matches the pattern set by the owner then the device can be used. However, users only have five attempts to get the pattern right before the device becomes locked. New research from Lancaster University, Northwest University in China, and the University of Bath, which benefitted from funding from the Engineering and Physical Sciences Research Council (EPSRC), shows for the first time that attackers can crack Pattern Lock reliably within five attempts by using video and computer vision algorithm software. By covertly videoing the owner drawing their Pattern Lock shape to unlock their device, while enjoying a coffee in a busy cafe; for example, the attacker, who is pretending to play with their phone, can then use software to quickly track the owner's fingertip movements relative to the position of the device. Within seconds the algorithm produces a small number of candidate patterns to access the Android phone or tablet.
Transportation

'IT Issue' Grounded All United Airlines Flights In The US (nbcnews.com) 115

For two and a half hours -- no take-offs. An anonymous reader quotes NBC News: All of United Airlines' domestic flights were grounded Sunday night because of a computer outage, the Federal Aviation Administration said as scores of angry travelers sounded off on social media... U.S. officials told NBC News that the Aircraft Communications Addressing and Reporting System, or ACARS, had issues with low bandwidth. No further explanation was immediately available for what United described only as "an IT issue."
An hour ago United tweeted that they'd finally lifted the stop and were "working to get flights on their way." 66 flights were cancelled just at Chicago's O'Hare Airport, the Chicago Department of Aviation told the Associated Press, and though the article doesn't identify the total number of flights affected, "Chicago-based United Airlines and United Express operate more than 4,500 flights a day to 339 airports across five continents."
Businesses

Ask Slashdot: Should Commercial Software Prices Be Pegged To a Country's GDP? 288

Here's a bright idea from dryriver Why don't software makers look at the average income level in a given country -- per capita GDP for example -- and adjust their software prices in these countries accordingly? Most software makers in the U.S. and EU currently insist on charging the full U.S. or EU price in much poorer countries. "Rampant piracy" and "low sales" is often the result in these countries. Why not change this by charging lower software prices in less wealthy countries?
This presupposes the continuing existence of closed-source software businesses -- but is there a way to make that pricing more fair? Leave your best suggestions in the comments. should commercial software prices be pegged to a country's GDP?
Databases

Database Attacks Spread To CouchDB, Hadoop, and ElasticSearch Servers (bleepingcomputer.com) 67

An anonymous reader writes: Two weeks after cybercriminal groups started to hijack and hold for ransom MongoDB servers, similar attacks are now taking place against CouchDB, Hadoop, and ElasticSearch servers. According to the latest tallies, the number of hijacked MongoDB servers is 34,000 (out of 69,000 available on Shodan), 4,681 ElasticSearch clusters (out of 33,000), 126 Hadoop datastores (out of 5,400), and 452 CouchDB databases (out of 4,600). Furthermore, the group that has hijacked the most MongoDB and ElasticSearch servers is also selling the scripts it used for the attacks.
Two security researchers are tracking the attacks on Google spreadsheets, and report that when a ransom is paid, many victims still report that their data is never restored. But the researchers also identified 124 Hadoop servers where the attacker simply replaced all the tables with a data entry named NODATA4U_SECUREYOURSHIT. "What's strange about these attacks is that the threat actor isn't asking for a ransom demand," reports Bleeping Computer. "Instead, he's just deleting data from Hadoop servers that have left their web-based admin panel open to remote connections on the Internet."
Bug

Army Bug Bounty Researcher Compromises US Defense Department's Internal Network (threatpost.com) 42

Thursday the U.S. Army shared some surprising results from its first bug bounty program -- a three-week trial in which they invite 371 security researchers "trained in figuring out how to break into computer networks they're not supposed to." An anonymous reader quotes Threatpost: The Army said it received more than 400 bug reports, 118 of which were unique and actionable. Participants who found and reported unique bugs that were fixed were paid upwards of $100,000... The Army also shared high-level details on one issue that was uncovered through the bounty by a researcher who discovered that two vulnerabilities on the goarmy.com website could be chained together to access, without authentication, an internal Department of Defense website.

"They got there through an open proxy, meaning the routing wasn't shut down the way it should have been, and the researcher, without even knowing it, was able to get to this internal network, because there was a vulnerability with the proxy, and with the actual system," said a post published on HackerOne, which managed the two bounty programs on its platform. "On its own, neither vulnerability is particularly interesting, but when you pair them together, it's actually very serious."

United States

Is The Tech Industry Driving Families Out of San Francisco? (nytimes.com) 379

Why does San Francisco now have fewer children per capita than any of America's largest 100 cities? An anonymous reader writes: A move to the suburbs began in the 1970s, but "The tech boom now reinforces the notion that San Francisco is a place for the young, single and rich," according to the New York Times. "When we imagine having kids, we think of somewhere else," one software engineer tells the paper. The article describes "neighborhoods where employees of Google, Twitter and so many other technology companies live or work" where the sidewalks make it seem "as if life started at 22 and ended somewhere around 40."

Or is San Francisco just part of a larger trend? "California, which has one of the world's 10 largest economies, recently released data showing the lowest birthrate since the Great Depression. And the Los Angeles Times argues California's experience may just be following national trends. The drop "likely stems from the recession, a drop in teenage pregnancies and an increase in people attending college and taking longer to graduate, therefore putting off having children, said Walter Schwarm, a demographer at the Department of Finance."

So is this part of a larger trend -- or something unique about San Francisco? The New York Times also quotes Richard Florida, author of The Rise of the Creative Class, who believes technology workers are putting off families when they move to the Silicon Valley area because they anticipate long working hours. There's also complaints about San Francisco's public school system -- 30% of its children now attend private schools, the highest percentage of any large American city. But according to the article, Peter Thiel believes that San Francisco is just "structurally hostile to families."
Crime

Geek Avenges Stolen Laptop By Remotely Accessing Thief's Facebook Account (hothardware.com) 365

An anonymous reader quotes Hot Hardware: Stu Gale, who just so happens to be a computer security expert, had the misfortune of having his laptop stolen from his car overnight. However, Gale did have remote software installed on the device which allowed him to track whenever it came online. So, he was quite delighted to see that a notification popped up on one of his other machines alerting him that his stolen laptop was active. Gale took the opportunity to remote into the laptop, only to find that the not-too-bright thief was using his laptop to login to her Facebook account.

The thief eventually left her Facebook account open and left the room, after which Gale had the opportunity to snoop through her profile and obtain all of her private information. "I went through and got her phone numbers, friends list and pictures..." Given that Gale was able to see her phone numbers listed on Facebook, he sent text messages to all of those numbers saying that he was going to report her to the police. He also posted her info to a number of Facebook groups, which spooked the thief enough to not only delete her Facebook account, but also her listed phone numbers.

In 2008 Slashdot ran a similar story, where it took several weeks of remote monitoring before a laptop thief revealed his identity. (The victim complained that "It was kind of frustrating because he was mostly using it to watch porn.") But in this case, Gale just remotely left a note on the laptop -- and called one of the thief's friends -- and eventually turned over all the information to the police, who believe an arrest will follow.

Gale seems less confident, and tells one Calgary newspaper "I'm realistic. I'm not going to see that computer again. But at least I got some comic relief."
Firefox

The SHA-1 End Times Have Arrived (threatpost.com) 50

"Deadlines imposed by browser makers deprecating support for the weakened SHA-1 hashing algorithm have arrived," writes Slashdot reader msm1267. "And while many websites and organizations have progressed in their migrations toward SHA-2 and other safer hashing algorithms, pain points and potential headaches still remain." Threatpost reports: Starting on Jan. 24, Mozilla's Firefox browser will be the first major browser to display a warning to its users who run into a site that doesn't support TLS certificates signed by the SHA-2 hashing algorithm... "SHA-1 deprecation in the context of the browser has been an unmitigated success. But it's just the tip of the SHA-2 migration iceberg. Most people are not seeing the whole problem," said Kevin Bocek, VP of security strategy and threat intelligence for Venafi. "SHA-1 isn't just a problem to solve by February, there are thousands more private certificates that will also need migrating"...

Experts warn the move to SHA-2 comes with a wide range of side effects; from unsupported applications, new hardware headaches tied to misconfigured equipment and cases of crippled credit card processing gear unable to communicate with backend servers. They say the entire process has been confusing and unwieldy to businesses dependent on a growing number of digital certificates used for not only their websites, but data centers, cloud services, and mobile apps... According to Venafi's research team, 35 percent of the IPv4 websites it analyzed in November are still using insecure SHA-1 certificates. However, when researchers scanned Alexa's top 1 million most popular websites for SHA-2 compliance it found only 536 sites were not compliant.
The article describes how major tech companies are handling the move to SHA-2 compliance -- including Apple, Google, Microsoft, Facebook, Salesforce and Cloudflare
Security

Pwn2Own 2017 Offers Big Bounties For Linux, Browser, and Apache Exploits (eweek.com) 54

Now that TrendMicro owns TippingPoint, there'll be "more targets and more prize money" according to eWeek, and something special for Pwn2Own's 10th anniversary in March. Slashdot reader darthcamaro writes: For the first time in its ten-year history, the annual Pwn2Own hacking competition is taking direct aim at Linux. Pwn2Own in the past has typically focused mostly on web browsers, running on Windows and macOS. There is a $15,000 reward for security researchers that are able to get a local user kernel exploit on Ubuntu 16.10. The bigger prize though is a massive $200,000 award for exploiting Apache Web Server running on Ubuntu.
"We are nine weeks away," TrendMicro posted Wednesday, pointing out that they're giving out over $1 million in bounties, including the following:
  • $100,000 for escaping a virtualization hypervisor
  • $80,000 for a Microsoft Edge or Google Chrome exploit
  • $50,000 for an exploit of Adobe Reader, Microsoft Word, Excel or PowerPoint
  • $50,000 for an Apple Safari exploit
  • $30,000 for a Firefox exploit
  • $30,000, $20,000 and $15,000 for privilege-escalating kernel vulnerabilities on Windows, macOS and Linux (respectively)
  • $200,000 for an Apache Web Server exploit

Power

Are Squirrels A Bigger Threat To Our Critical Infrastructure? (bbc.com) 149

"The real threat to global critical infrastructure is not enemy states or organizations but squirrels, according to one security expert." Long-time Slashdot reader randomErr quotes the BBC. Cris Thomas has been tracking power cuts caused by animals since 2013... His Cyber Squirrel 1 project was set up to counteract what he called the "ludicrousness of cyber-war claims by people at high levels in government and industry", he told the audience at the Shmoocon security conference in Washington. Squirrels topped the list with 879 "attacks", followed by birds with 434 attacks and then snakes at 83 attacks.
Those three animals -- along with rats -- have caused 1,700 different power cuts affecting nearly 5,000,000 people .
Google

Google Pressured 90,000 Android Developers Over Insecure Apps (pcworld.com) 50

An anonymous reader quotes PCWorld: Over the past two years, Google has pressured developers to patch security issues in more than 275,000 Android apps hosted on its official app store. In many cases this was done under the threat of blocking future updates to the insecure apps...

In the early days of the App Security Improvement program, developers only received notifications, but were under no pressure to do anything. That changed in 2015 when Google expanded the types of issues it scanned for and also started enforcing deadlines for fixing many of them... Google added checks for six new vulnerabilities in 2015, all of them with a patching deadline, and 17 in 2016, 12 of which had a time limit for fixes. These issues ranged from security flaws in third-party libraries, development frameworks and advertising SDKs to insecure implementations of Android Java classes and interfaces.

100,000 applications had been patched by April of 2016, but that number tripled over the next nine months, with 90,000 developers fixing flaws in over 275,000 apps.
Microsoft

Microsoft To Lay Off 700 Employees Next Week, Report Says (geekwire.com) 168

According to a report by Business Insider (Warning: may be paywalled), Microsoft will cut about 700 jobs in conjunction with its quarterly earnings release next week. GeekWire reports: The latest layoffs are part of the company's previously announced plan to cut about 2,850 roles globally during its current fiscal year, according to the Business Insider report. The company declined to comment this afternoon, but we understand the report to be accurate, based on our own sources. Next week's cuts will be spread across a variety of job functions inside the company. The company's previous job cuts have come in areas including its smartphone business and global sales team. Microsoft announced its largest cuts in July 2014, eliminating 18,000 jobs, or 14 percent of the company at the time.
Encryption

Lavabit Is Relaunching (theintercept.com) 54

The encrypted email service once used by whistleblower Edward Snowden is relaunching today. Ladar Levison, the founder of the encrypted email service Lavabit, announced on Friday that he's relaunching the service with a new architecture that fixes the SSL problem and includes other privacy-enhancing features as well, such as one that obscures the metadata on emails to prevent government agencies like the NSA and FBI from being able to find out with whom Lavabit users communicate. In addition, he's also announcing plans to roll out end-to-end encryption later this year. The Intercept provides some backstory in its report: In 2013, [Levison] took the defiant step of shutting down the company's service rather than comply with a federal law enforcement request that could compromise its customers' communications. The FBI had sought access to the email account of one of Lavabit's most prominent users -- Edward Snowden. Levison had custody of his service's SSL encryption key that could help the government obtain Snowden's password. And though the feds insisted they were only after Snowden's account, the key would have helped them obtain the credentials for other users as well. Lavabit had 410,000 user accounts at the time. Rather than undermine the trust and privacy of his users, Levison ended the company's email service entirely, preventing the feds from getting access to emails stored on his servers. But the company's users lost access to their accounts as well. Levison, who became a hero of the privacy community for his tough stance, has spent the last three years trying to ensure he'll never have to help the feds break into customer accounts again. "The SSL key was our biggest threat," he says.

Slashdot Top Deals