Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. Also, Slashdot's Facebook page has a chat bot now. Message it for stories and more. ×
Google

Is Google's Comment Filtering Tool 'Vanishing' Legitimate Comments? (vortex.com) 29

Slashdot reader Lauren Weinstein writes: Google has announced (with considerable fanfare) public access to their new "Perspective" comment filtering system API, which uses Google's machine learning/AI system to determine which comments on a site shouldn't be displayed due to perceived high spam/toxicity scores. It's a fascinating effort. And if you run a website that supports comments, I urge you not to put this Google service into production, at least for now.

The bottom line is that I view Google's spam detection systems as currently too prone to false positives -- thereby enabling a form of algorithm-driven "censorship" (for lack of a better word in this specific context) -- especially by "lazy" sites that might accept Google's determinations of comment scoring as gospel... as someone who deals with significant numbers of comments filtered by Google every day -- I have nearly 400K followers on Google Plus -- I can tell you with considerable confidence that the problem isn't "spam" comments that are being missed, it's completely legitimate non-spam, non-toxic comments that are inappropriately marked as spam and hidden by Google.

Lauren is also collecting noteworthy experiences for a white paper about "the perceived overall state of Google (and its parent corporation Alphabet, Inc.)" to better understand how internet companies are now impacting our lives in unanticipated ways. He's inviting people to share their recent experiences with "specific Google services (including everything from Search to Gmail to YouTube and beyond), accounts, privacy, security, interactions, legal or copyright issues -- essentially anything positive, negative, or neutral that you are free to impart to me, that you believe might be of interest."
Bug

Google Discloses Yet Another New Unpatched Microsoft Vulnerability In Edge/IE (bleepingcomputer.com) 42

An anonymous reader quotes BleepingComputer: Google has gone public with details of a second unpatched vulnerability in Microsoft products, this time in Edge and Internet Explorer, after last week they've published details about a bug in the Windows GDI (Graphics Device Interface) component... The bug, discovered by Google Project Zero researcher Ivan Fratric, is tracked by the CVE-2017-0037 identifier and is a type confusion, a kind of security flaw that can allow an attacker to execute code on the affected machine, and take over a device.

Details about CVE-2017-0037 are available in Google's bug report, along with proof-of-concept code. The PoC code causes a crash of the exploited browser, but depending on the attacker's skill level, more dangerous exploits could be built... Besides the Edge and IE bug, Microsoft products are also plagued by two other severe security flaws, one affecting the Windows GDI component and one the SMB file sharing protocol shipped with all Windows OS versions...

Google's team notified Microsoft of the bug 90 days ago, only disclosing it publicly on Friday.
Microsoft

94% of Microsoft Vulnerabilities Can Be Mitigated By Turning Off Admin Rights (computerworld.com) 150

An anonymous reader quotes Computerworld: If you want to shut out the overwhelming majority of vulnerabilities in Microsoft products, turn off admin rights on the PC. That's the conclusion from global endpoint security firm Avecto, which has issued its annual Microsoft Vulnerabilities report. It found that there were 530 Microsoft vulnerabilities reported in 2016, and of these critical vulnerabilities, 94% were found to be mitigated by removing admin rights, up from 85% reported last year. This is especially true with the browser, for those who still use Microsoft's browsers. 100% of vulnerabilities impacting both Internet Explorer and Edge could be mitigated by removing admin rights, Avecto reported... Windows 10 was found to have the highest proportion of vulnerabilities of any OS (395), 46% more than Windows 8 and Windows 8.1 (265 each). Avecto found that 93% of Windows 10 vulnerabilities could be mitigated by removing admin rights.
Of course, the stats are based on vulnerabilities announced in Microsoft Security Bulletins, but there's an overwhelming pattern. Turning off admin rights mitigated the vast majority of vulnerabilities, whether it was Windows Server (90%) or older versions of Microsoft Office (99%). And turning off admin rights in Office 2016 mitigated 100% of its vulnerabilities.
Businesses

How Cable Monopolies Hurt ISP Customers (backchannel.com) 82

"New York subscribers have had to overpay month after month for services that Spectrum deliberately didn't provide," reports Backchannel -- noting these practices are significant because together Comcast and Charter (formerly Time Warner Cable) account for half of America's 92 million high-speed internet connections. An anonymous reader quotes Backchannel: Based on the company's own documents and statements, it appears that just about everything it has been saying since 2012 to New York State residents about their internet access and data services is untrue...because of business decisions the company deliberately made in order to keep its capital expenditures as low as possible... Its marketing department kept sending out advertising claims to the public that didn't match the reality of what consumers were experiencing or square with what company engineers were telling Spectrum executives. That gives the AG's office its legal hook: Spectrum's actions in knowingly saying one thing but doing another amount to fraudulent, unfair, and deceptive behavior under New York law...

The branding people went nuts, using adjectives like Turbo, Extreme, and Ultimate for the company's highest-speed 200 or 300 Mbps download offerings. But no one, or very few people, could actually experience those speeds...because, according to the complaint, the company deliberately required that internet data connections be shared among a gazillion people in each neighborhood... [T]he lawsuit won't by itself make much of a difference. But maybe the public nature of the attorney-general's assault -- charging Spectrum for illegal misconduct -- will lead to a call for alternatives. Maybe it will generate momentum for better, faster, wholesale fiber networks controlled by cities and localities themselves. If that happened, retail competition would bloom. We'd get honest, straightforward, inexpensive service, rather than the horrendously expensive cable bundles we're stuck with today.

The article says Spectrum charged 800,000 New Yorkers $10 a month for outdated cable boxes that "weren't even capable of transmitting and receiving wifi at the speeds the company advertised customers would be getting," then promised the FCC in 2013 that they'd replace them, and then didn't. "With no competition, it had no reason to upgrade its services. Indeed, the company's incentives went exactly in the other direction."
Security

Ask Slashdot: How Are You Responding To Cloudbleed? (reuters.com) 76

An anonymous IT geek writes: Cloudflare-hosted web sites have been leaking data as far back as September, according to Gizmodo, which reports that at least Cloudflare "acted fast" when the leak was discovered, closing the hole within 44 minutes, and working with search engines to purge their caches. (Though apparently some of it is still lingering...) Cloudflare CEO Matthew Prince "claims that there was no detectable uptick in requests to Cloudflare-powered websites from September of last year...until today. That means the company is fairly confident hackers didn't discover the vulnerability before Google's researchers did."

And the company's CTO also told Reuters that "We've seen absolutely no evidence that this has been exploited. It's very unlikely that someone has got this information... We do not know of anybody who has had a security problem as a result of this." Nevertheless, Fortune warns that "So many sites were vulnerable that it doesn't make sense to review the list and change passwords on a case-by-case basis." Some sites are now even resetting every user's password as a precaution, while site operators "are also being advised to wipe their sites' cookies and security certificates, and perform their own web searches to see if site data leaked." But I'd like to know what security precautions are being taken by Slashdot's readers?

Leave your own answers in the comments. How did you respond to Cloudbleed?
Bug

Severe IE 11 Bug Allows 'Persistent JavaScript' Attacks (bleepingcomputer.com) 88

An anonymous reader writes: New research published today shows how a malicious website owner could show a constant stream of popups, even after the user has left his site, or even worse, execute any kind of persistent JavaScript code while the user is on other domains. In an interview, the researcher who found these flaws explains that this flaw is an attacker's dream, as it could be used for: ad fraud (by continuing to load ads even when the user is navigating other sites), zero-day attacks (by downloading exploit code even after the user has left the page), tech support scams (by showing errors and popups on legitimate and reputable sites), and malvertising (by redirecting users later on, from other sites, even if they leave the malicious site too quickly).

This severe flaw in the browser security model affects only Internet Explorer 11, which unfortunately is the second most used browser version, after Chrome 55, with a market share of over 10%. Even worse for IE11 users, there's no fix available for this issue because the researcher has decided to stop reporting bugs to Microsoft after they've ignored many of his previous reports. For IE11 users, a demo page is available here.

Government

FCC To Halt Rule That Protects Your Private Data From Security Breaches (arstechnica.com) 117

According to Ars Technica, "The Federal Communications Commission plans to halt implementation of a privacy rule that requires ISPs to protect the security of its customers' personal information." From the report: The data security rule is part of a broader privacy rulemaking implemented under former Chairman Tom Wheeler but opposed by the FCC's new Republican majority. The privacy order's data security obligations are scheduled to take effect on March 2, but Chairman Ajit Pai wants to prevent that from happening. The data security rule requires ISPs and phone companies to take "reasonable" steps to protect customers' information -- such as Social Security numbers, financial and health information, and Web browsing data -- from theft and data breaches. The rule would be blocked even if a majority of commissioners supported keeping them in place, because the FCC's Wireline Competition Bureau can make the decision on its own. That "full commission vote on the pending petitions" could wipe out the entire privacy rulemaking, not just the data security section, in response to petitions filed by trade groups representing ISPs. That vote has not yet been scheduled. The most well-known portion of the privacy order requires ISPs to get opt-in consent from consumers before sharing Web browsing data and other private information with advertisers and other third parties. The opt-in rule is supposed to take effect December 4, 2017, unless the FCC or Congress eliminates it before then. Pai has said that ISPs shouldn't face stricter rules than online providers like Google and Facebook, which are regulated separately by the Federal Trade Commission. Pai wants a "technology-neutral privacy framework for the online world" based on the FTC's standards. According to today's FCC statement, the data security rule "is not consistent with the FTC's privacy standards."
Government

Security Lapse Exposed New York Airport's Critical Servers For a Year (zdnet.com) 44

An anonymous reader quotes a report from ZDNet: A security lapse at a New York international airport left its server backups exposed on the open internet for almost a year, ZDNet has found. The internet-connected storage drive contained several backup images of servers used by Stewart International Airport, but neither the backup drive nor the disk images were password protected, allowing anyone to access their contents. Since April last year, the airport had been inadvertently leaking its own highly-sensitive files as a result of the drive's misconfiguration. Vickery, who also posted an analysis of his findings, said the drive "was, in essence, acting as a public web server" because the airport was backing up unprotected copies of its systems to a Buffalo-branded drive, installed by a contract third-party IT specialist. When contacted Thursday, the contractor dismissed the claims and would not comment further. Though the listing still appears on Shodan, the search engine for unprotected devices and databases, the drive has since been secured. The files contained eleven disk images, accounting for hundreds of gigabytes of files and folders, which when mounted included dozens of airport staff email accounts, sensitive human resources files, interoffice memos, payroll data, and what appears to be a large financial tracking database. Many of the files we reviewed include "confidential" internal airport documents, which contain schematics and details of other core infrastructure.
Bug

Cloudflare Leaks Sensitive User Data Across the Web (theregister.co.uk) 86

ShaunC writes: In a bug that's been christened "Cloudbleed," Cloudflare disclosed today that some of their products accidentally exposed private user information from a number of websites. Similar to 2014's Heartbleed, Cloudflare's problem involved a buffer overrun that allowed uninitialized memory contents to leak into normal web traffic. Tavis Ormandy, of Google's Project Zero, discovered the flaw last week. Affected sites include Uber, Fitbit, and OK Cupid, as well as unnamed services for hotel booking and password management. Cloudflare says the bug has been fixed, and Google has purged affected pages from its search index and cache. Further reading: The Register, Ars Technica
Wikipedia

Study Reveals Bot-On-Bot Editing Wars Raging On Wikipedia's Pages (theguardian.com) 96

An anonymous reader quotes a report from The Guardian: A new study from computer scientists has found that the online encyclopedia is a battleground where silent wars have raged for years. Since Wikipedia launched in 2001, its millions of articles have been ranged over by software robots, or simply "bots," that are built to mend errors, add links to other pages, and perform other basic housekeeping tasks. In the early days, the bots were so rare they worked in isolation. But over time, the number deployed on the encyclopedia exploded with unexpected consequences. The more the bots came into contact with one another, the more they became locked in combat, undoing each other's edits and changing the links they had added to other pages. Some conflicts only ended when one or other bot was taken out of action. The findings emerged from a study that looked at bot-on-bot conflict in the first ten years of Wikipedia's existence. The researchers at Oxford and the Alan Turing Institute in London examined the editing histories of pages in 13 different language editions and recorded when bots undid other bots' changes. While some conflicts mirrored those found in society, such as the best names to use for contested territories, others were more intriguing. Describing their research in a paper entitled Even Good Bots Fight in the journal Plos One, the scientists reveal that among the most contested articles were pages on former president of Pakistan Pervez Musharraf, the Arabic language, Niels Bohr and Arnold Schwarzenegger. One of the most intense battles played out between Xqbot and Darknessbot which fought over 3,629 different articles between 2009 and 2010. Over the period, Xqbot undid more than 2,000 edits made by Darknessbot, with Darknessbot retaliating by undoing more than 1,700 of Xqbot's changes. The two clashed over pages on all sorts of topics, from Alexander of Greece and Banqiao district in Taiwan to Aston Villa football club.
Businesses

Website Builder Wix Acquires Art Community DeviantArt For $36 Million (techcrunch.com) 63

An anonymous reader quotes a report from TechCrunch: Wix.com has made another acquisition to build out the tools that it provides to users to build and administer websites: it has acquired DeviantArt, an online community for artists, designers and art/design enthusiasts with some 325 million individual pieces of original art and more than 40 million registered members, for $36 million in cash, including $3 million of assumed liabilities. Wix said that it will continue to operate DeviantArt as a standalone site, but it will also use it to boost its own business in a couple of ways. First, DeviantArt users will get access to Wix's web design tools to build out more dynamic online presences. These tools do not only cover design, but commerce and other features for running businesses online. Second, Wix will open up DeviantArt's repository of art and creative community to the Wix platform, giving Wix's users access to that work to use in their own site building. The deal will also include putting further investment into developing DeviantArt's desktop and mobile apps. (Today, that desktop experience is based on a very simple, pared-down interface that is reminiscent of the 2000 birthdate of the startup itself.)
Communications

FCC Votes To Lift Net Neutrality Transparency Rules For Smaller Internet Providers (theverge.com) 114

The Federal Communications Commission today voted to lift transparency requirements for smaller internet providers. According to The Verge, "Internet providers with fewer than 250,000 subscribers will not be required to disclose information on network performance, fees, and data caps, thanks to this rule change. The commission had initially exempted internet providers with fewer than 100,000 subscribers with the intention of revisiting the issue later to determine whether a higher or lower figure was appropriate." From the report: The rule passed in a 2-1 vote, with Republicans saying the reporting requirements unfairly burdened smaller ISPs with additional work. Only Democratic commissioner Mignon Clyburn opposed. Clyburn argued that the disclosures were an important consumer protection that was far from overbearing on businesses, particularly ones this large. Clyburn also argued that the rule would allow larger internet providers to avoid disclosing information by simply breaking their service areas up into different subsidiaries. Republican commissioner Michael O'Rielly voted in favor of the change, saying he actually would have preferred the subscriber exemption to be even higher. And commission chairman Ajit Pai said the rules were necessary to protect "mom and pop internet service providers" from "burdensome requirements [...] that impose serious and unnecessary costs."
Google

Google Releases an AI Tool For Publishers To Spot and Weed Out Toxic Comments (bbc.com) 195

Google today launched a new technology to help news organizations and online platforms identify and swiftly remove abusive comments on their websites. The technology, called Perspective, will review comments and score them based on how similar they are to comments people said were "toxic" or likely to make them leave a conversation. From a report on BBC: The search giant has developed something called Perspective, which it describes as a technology that uses machine learning to identify problematic comments. The software has been developed by Jigsaw, a division of Google with a mission to tackle online security dangers such as extremism and cyberbullying. The system learns by seeing how thousands of online conversations have been moderated and then scores new comments by assessing how "toxic" they are and whether similar language had led other people to leave conversations. What it's doing is trying to improve the quality of debate and make sure people aren't put off from joining in.
The Courts

Judge Blocks California Law Limiting Publication of Actor's Ages (politico.com) 123

mi writes: IMDb has a reason to rejoice. Politico reports: "A federal judge has barred the State of California from enforcing a new law limiting online publication of actors' ages. Acting in a case brought by online movie information website IMDb, U.S. District Court Judge Vince Chhabria ruled Wednesday that the California law likely violates the First Amendment and appears poorly tailored to proponents' stated goal of preventing age discrimination in Hollywood. The judge expressed deep skepticism that the law, which he said appeared to apply only to IMDb, would have any effect on discrimination. The judge rejected the state's arguments that the law was a regulation of commercial speech, finding that IMDb was acting as a publisher in posting the birthday and age information online." "It's not clear how preventing one mere website from publishing age information could meaningfully combat discrimination at all. And even if restricting publication on this one website could confer some marginal anti-discrimination benefit, there are likely more direct, more effective, and less speech-restrictive ways of achieving the same end," Chhabria wrote in a three-page order.
Power

Disney Develops Room With 'Ubiquitous Wireless' Charging (cnet.com) 109

An anonymous reader quotes a report from CNET: The scientific and tech arm of the entertainment giant Disney has built a prototype room with "ubiquitous wireless power delivery" that allows several devices to be charged wirelessly in much the way we get internet access through Wi-Fi. By tapping quasistatic cavity resonance, researchers discovered they could generate magnetic fields inside specially built structures to deliver kilowatts of power to mobile devices inside that structure. "This new innovative method will make it possible for electrical power to become as ubiquitous as WiFi," Alanson Sample, associate lab director and principal research scientist at Disney Research, told Phys.org. "This in turn could enable new applications for robots and other small mobile devices by eliminating the need to replace batteries and wires for charging." All you have to do is be in the room and your device will start charging automatically. And depending on where you are in the room, delivery efficiency can be as high as 95 percent, researchers said. There is one potential issue: you have to not mind being in a room constructed mostly of aluminum, that includes the walls, ceiling and floor. There's a copper pole in the middle of the room, and 15 discrete high quality factor capacitors that separate the magnetic field from the electric field.
Privacy

GE, Intel, and AT&T Are Putting Cameras and Sensors All Over San Diego (fortune.com) 125

An anonymous reader shares a Fortune report: General Electric will put cameras, microphones, and sensors on 3,200 street lights in San Diego this year, marking the first large-scale use of "smart city" tools GE says can help monitor traffic and pinpoint crime, but raising potential privacy concerns. Based on technology from GE's Current division, Intel and AT&T, the system will use sensing nodes on light poles to locate gunshots, estimate crowd sizes, check vehicle speeds and other tasks, GE and the city said on Wednesday. The city will provide the data to entrepreneurs and students to develop applications. Companies expect a growing market for such systems as cities seek better data to plan and run their operations. San Diego is a test of "Internet of things" technology that GE Current provides for commercial buildings and industrial sites.
Transportation

College Senior Turns His Honda Civic Into a Self-Driving Car Using Free Hardware, Software (technologyreview.com) 132

holy_calamity writes: University of Nebraska student Brevan Jorgenson swapped the rear-view mirror in his 2016 Honda Civic for a home-built device called a Neo, which can steer the vehicle and follow traffic on the highway. Jorgenson used hardware designs and open-source software released by Comma, a self-driving car startup that decided to give away its technology for free last year after receiving a letter asking questions about its functionality from the National Highway Traffic Safety Administration (NHTSA). Jorgenson is just one person in a new hacker community trying to upgrade their cars using Comma's technology. "A Neo is built from a OnePlus 3 smartphone equipped with Comma's now-free Openpilot software, a circuit board that connects the device to the car's electronics, and a 3-D-printed case," reports MIT Technology Review. The report notes that Neodriven, a startup based in Los Angeles, has recently started selling a pre-built Neo device that works with Comma's Openpilot software, but it costs $1,495.
Censorship

'We Won't Block Pirate Bay,' Swedish Telecoms Giant Says (torrentfreak.com) 27

Last week, a Swedish Patent and Market Court of Appeal ordered The Pirate Bay and streaming portal Swefilmer to be blocked by internet service provider Bredbandsbolaget for the next three years. The order was not well supported by other internet service providers in Sweden, as it appears they don't like the idea of becoming copyright policemen. TorrentFreak reports: Last week ISP Bahnhof absolutely slammed the decision to block The Pirate Bay, describing the effort as signaling the "death throes" of the copyright industry. It even hinted that it may offer some kind of technical solution to customers who are prevented from accessing the site. For those familiar with Bahnhof's stance over the years, this response didn't come as a surprise. The ISP is traditionally pro-freedom and has gone out of its way to make life difficult for copyright enforcers of all kinds. However, as one of the leading telecoms companies in Sweden and neighboring Norway, ISP Telia is more moderate. Nevertheless, it too says it has no intention of blocking The Pirate Bay, unless it is forced to do so by law. "No, we will not block if we are not forced to do so by a court," a company press officer said this morning. Telia says that the decision last week from the Patent and Market Court affects only Bredbandsbolaget, indicating that a fresh legal process will be required to get it to respond. That eventuality appears to be understood by the rightsholders but they're keeping their options open.
Government

Wyden To Introduce Bill To Prohibit Warrantless Phone Searches At Border (onthewire.io) 193

Trailrunner7 quotes a report from On the Wire: A senator from Oregon who has a long track record of involvement on security and privacy issues says he plans to introduce a bill soon that would prevent border agents from forcing Americans returning to the country to unlock their phones without a warrant. Sen. Ron Wyden said in a letter to the secretary of the Department of Homeland Security that he is concerned about reports that Customs and Border Patrol agents are pressuring returning Americans into handing over their phone PINs or using their fingerprints to unlock their phones. DHS Secretary John Kelly has said that he's considering the idea of asking visitors for the login data for their various social media accounts, information that typically would require a warrant to obtain. "Circumventing the normal protection for such private information is simply unacceptable," Wyden said in the letter, sent Monday. "There are well-established procedures governing how law enforcement agencies may obtain data from social media companies and email providers. The process typically requires that the government obtain a search warrant or other court order, and then ask the service provider to turn over the user's data."
Intel

Intel Supercharges Atom Chips With 16 Cores and Pro Level Features (pcworld.com) 77

Agam Shah, writing for PCWorld: Intel's Atom was mostly known as a low-end chip for mobile devices that underperformed. That may not be the case anymore. The latest Atom C3000 chips announced on Tuesday have up to 16 cores and are more sophisticated than ever. The chips are made for storage arrays, networking equipment, and internet of things devices. The new chips have features found mostly in server chips, including networking, virtualization, and error correction features. [...] A surprising feature in C3000 is RAS (reliability, availability, and serviceability) capabilities, which is mostly found on high-end Xeon chips. The feature corrects data errors on the fly and prevents networking and storage equipment from crashing.

Slashdot Top Deals