Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
Operating Systems

Linux Marketshare is Above 2-Percent For Third Month in a Row ( 89

For the third month in a row the share of worldwide desktop computer users running Linux has been above two percent -- up from one percent -- according to data from web analytics company Net Market Share. From a OMGUbuntu report: We reported back in July that Linux marketshare had passed two percent for the first time, and that figure remains the highest they've ever reported for Linux, at 2.33 percent. But the share for September 2016 was almost as good at 2.23 percent. It's the third consecutive month that Linux marketshare has been above 2 percent. Those of us who use Linux as our primary desktop computing platform can take a degree of pride in these figures. They do show a clear trend towards Linux, rather than away from it. But we should also remember that statistics, numbers and reporting methods vary between analytics companies and that all figures, however positive, remain open to interpretation and debate.

Google's AI Created Its Own Form of Encryption ( 119

An anonymous reader shares an Engadget report: Researchers from the Google Brain deep learning project have already taught AI systems to make trippy works of art, but now they're moving on to something potentially darker: AI-generated, human-independent encryption. According to a new research paper, Googlers Martin Abadi and David G. Andersen have willingly allowed three test subjects -- neural networks named Alice, Bob and Eve -- to pass each other notes using an encryption method they created themselves. As the New Scientist reports, Abadi and Andersen assigned each AI a task: Alice had to send a secret message that only Bob could read, while Eve would try to figure out how to eavesdrop and decode the message herself. The experiment started with a plain-text message that Alice converted into unreadable gibberish, which Bob could decode using cipher key. At first, Alice and Bob were apparently bad at hiding their secrets, but over the course of 15,000 attempts Alice worked out her own encryption strategy and Bob simultaneously figured out how to decrypt it. The message was only 16 bits long, with each bit being a 1 or a 0, so the fact that Eve was only able to guess half of the bits in the message means she was basically just flipping a coin or guessing at random.ArsTechnica has more details.

Seoul Considers Messaging Ban After Work Hours ( 71

An anonymous reader writes: The city legislature of Seoul, South Korea, is considering implementing a law that would ban after work messaging to employees, in an effort to reduce work-related stress among employees. Members of the Seoul Metropolitan Council proposed a revision to a public ordinance that would ban after-work messaging to employees of the city's government. The new rule is an attempt to guarantee employees the right to restand states that employee privacy must not be subject to employer contact outside of work hours. If passed, it would ban managers from contacting public sector employees after work hours through phone calls, text messaging, or social networking. Kim Kwang-soo, one of the councilors who submitted the ordinance revision, said that the Seoul Metropolitan Government (SMG) must guarantee the rights of city workers by protecting them from undue stress. He said, "Of course SMG officials must always be prepared for the needs of citizens, but many of them are working under conditions that infringe on their right to rest."

Red Cross Blood Service Admits To Personal Data Breach Affecting Half a Million Donors ( 30

The personal data of 550,000 blood donors that includes information about "at-risk sexual behaviour" has been leaked from the Red Cross Blood Service in what has been described as Australia's largest security breach. From an ABC report:The organisation said it was told on Wednesday that a file containing donor information was placed on an "insecure computer environment" and "accessed by an unauthorised person." The file contained the information of blood donors from between 2010 and 2016. The data came from an online application form and included "personal details" and identifying information including names, gender, addresses and dates of birth, a Red Cross statement said. Red Cross Blood Service chief executive Shelly Park said "due to human error" the unsecured data had been posted on a website by a contractor who maintains and develops the Red Cross website.

Feds Charge 61 People In Indian-Based IRS Phone Scam Case ( 130

BUL2294 writes: Following the arrests earlier this month in India of call center employees posing as IRS or immigration agents, USA Today and Consumerist are reporting that the U.S. Department of Justice has charged 61 people in the U.S. and India of facilitating the scam, bilking millions from Americans thinking they were facing immediate arrest and prosecution. "According to the indictment (PDF) -- which covers 20 individuals in the U.S. and 32 people and five call centers in India -- since about 2012 the defendants used information obtained from data brokers and other sources to call potential victims impersonating officers from the IRS or U.S. Citizenship and Immigration Services," reports Consumerist. The report adds: "To give the calls an air of authenticity, the organization was able to 'spoof' phone numbers, making the calls appear to have really come from a federal agency. The callers would then allegedly threaten potential victims with arrest, imprisonment, fines, or deportation if they did not pay supposed taxes or penalties to the government. In instances when the victims agreed to pay, the DOJ claims that the call centers would instruct them to go to banks or ATMs to withdraw money, use the funds to purchase prepaid stored value cards from retail stores, and then provide the unique serial number to the caller. At this point, the operations U.S.-based counterparts would use the serial numbers to transfer the funds to prepaid reloadable cards. The cards would then be used to purchase money orders that were transferred into U.S. bank accounts of individuals or businesses. To make matters worse, the indictment claims that the prepaid debit cards were often registered using personal information of thousands of identity theft victims, and the wire transfers were directed by the organizations using fake names and fraudulent identifications. The operation would then use 'hawalas' -- a system in which money is transferred internationally outside of the formal banking system -- to direct the pilfered funds to accounts belonging to U.S.-based individuals.

Wikipedia Community and Internet Archive Partner To Fix One Million Broken Links on Wikipedia ( 20

More than one million formerly broken links in the English Wikipedia have been updated to archived versions from the Wayback Machine, thanks to a partnership between the Internet Archive, and volunteers from the Wikipedia community, and the Wikimedia Foundation. From a blog post: The Internet Archive, the Wikimedia Foundation, and volunteers from the Wikipedia community have now fixed more than one million broken outbound web links on English Wikipedia. This has been done by the Internet Archive's monitoring for all new, and edited, outbound links from English Wikipedia for three years and archiving them soon after changes are made to articles. This combined with the other web archiving projects, means that as pages on the Web become inaccessible, links to archived versions in the Internet Archive's Wayback Machine can take their place. This has now been done for the English Wikipedia and more than one million links are now pointing to preserved copies of missing web content. What do you do when good web links go bad? If you are a volunteer editor on Wikipedia, you start by writing software to examine every outbound link in English Wikipedia to make sure it is still available via the "live web." If, for whatever reason, it is no longer good (e.g. if it returns a "404" error code or "Page Not Found") you check to see if an archived copy of the page is available via the Internet Archive's Wayback Machine. If it is, you instruct your software to edit the Wikipedia page to point to the archived version, taking care to let users of the link know they will be visiting a version via the Wayback Machine.

Web Bluetooth Opens New Abusive Channels ( 82

An anonymous reader writes: Recently, browsers are starting to ship Web Bluetooth API, soon to become a component of Web of Things. Web Bluetooth will allow to connect local user devices with remote web sites. While offering new development and innovation possibilities, it may also open a number of frightening security and privacy risks such as private data leaks, abuses and complexity. Web Bluetooth as currently defined by W3C may introduce unexpected data leaks such as location, and personally-identifiable data. "There are numerous examples of data processing methods possible of extracting insight previously seemingly hidden," said Steve Hegenderfer, director of Developer Programs at the Bluetooth Special Interest Group. "With Web Bluetooth, core security and privacy responsibility is delegated to the already powerful Web browser. Browsers should consider the types of information made available to websites and act accordingly in designing their data privacy layers." Is pairing kettles with web sites a good idea?

Qualcomm To Buy NXP Semiconductors in $47 Billion Deal ( 40

Qualcomm, the largest maker of mobile-phone chips, will acquire NXP Semiconductors NV in a transaction valued at $47 billion, aiming to speed an expansion into new industries and reduce its dependence on the smartphone market. Bloomberg reports: San Diego-based Qualcomm agreed to pay $110 a share in cash for NXP, the biggest supplier of chips used in the automotive industry, or 11 percent more than Wednesday's close, the companies said in a statement Thursday. The deal will be funded with cash on hand as well as new debt. Chief Executive Officer Steve Mollenkopf is betting the deal, the largest in the chip industry's history, will accelerate his company's entry into the burgeoning market for electronics in cars. Eindhoven, Netherlands-based NXP is strong in that sector following its acquisition last year of Freescale Semiconductor Ltd. "It's no secret that we've been looking around," Mollenkopf said in an interview. "If you look at our growth strategy it's to grow into adjacent markets at the time that they are being disrupted by the technology of mobile."

Twitter Is Cutting 9% of Its Global Workforce ( 87

Twitter is planning to lay off 9 percent of its global workforce, as the ailing San Francisco tech giant struggles to please Wall Street despite beating earnings expectations. The company officially announced the cuts today in its third-quarter earnings, days after reports began to surface of the impending cuts. AdWeek reports: According to Twitter, the majority of the reductions will take place in its sales, partnerships and marketing divisions in order to "continue to fully fund our highest priorities," according to a letter to shareholders. However, the earnings also came with some good news. Total monthly active users grew for the second consecutive quarter to 317 million users, gaining 4 million over the past three months since its second-quarter results. Daily active users also increased, rising 7 percent year over year. Twitter's revenue totaled $616 million -- an 8 percent increase year over year. Earnings per share totaled 13 cents, beating expectations of 9 cents per share and $606 million in total revenue. However, the company reported profit fell by $103 million.

AI-Powered Body Scanners Could Soon Speed Up Your Airport Check-in ( 111

An anonymous reader shares a report on the Guardian:A startup bankrolled by Bill Gates is about to conduct the first public trials of high-speed body scanners powered by artificial intelligence (AI), the Guardian can reveal. According to documents filed with the US Federal Communications Commission (FCC), Boston-based Evolv Technology is planning to test its system at Union Station in Washington DC, in Los Angeles's Union Station metro and at Denver international airport. Evolv uses the same millimetre-wave radio frequencies as the controversial, and painfully slow, body scanners now found at many airport security checkpoints. However, the new device can complete its scan in a fraction of second, using computer vision and machine learning to spot guns and bombs. This means passengers can simply walk through a scanning gate without stopping or even slowing down -- like the hi-tech scanners seen in the 1990 sci-fi film Total Recall. A nearby security guard with a tablet is then shown either an "all-clear" sign, or a photo of the person with suspicious areas highlighted. Evolv says the system can scan 800 people an hour, without anyone having to remove their keys, coins or cellphones.

How Vigilante Hackers Could Stop the Internet of Things Botnet ( 62

An anonymous reader quotes a report from Motherboard: Some have put forth a perhaps desperate -- and certainly illegal -- solution to stop massive internet outages, like the one on Friday, from happening: Have white-hat vigilante hackers take over the insecure Internet of Things that the Mirai malware targets and take them away from the criminals. Several hackers and security researchers agree that taking over the zombies in the Mirai botnet would be relatively easy. After all, if the "bad guys" Mirai can do it, a "good guys" Mirai -- perhaps even controlled by the FBI -- could do the same. The biggest technical hurdle to this plan, as F-Secure chief research officer Mikko Hypponen put it, is that once it infects a device, Mirai "closes the barn door behind it." Mirai spreads by scanning the internet for devices that have the old-fashioned remote access telnet protocol enabled and have easy to guess passwords such as "123456" or "passwords." Then, once it infects them, it disables telnet access, theoretically stopping others from doing the same. The good news is that the code that controls this function actually doesn't at times work very well, according to Darren Martyn, a security researcher who has been analyzing the malware and who said he's seen some infected devices that still have telnet enabled and thus can be hacked again. Also, Mirai disappears once an infected device is rebooted, which likely happens often as owners of infected cameras and DVRs try to fix their devices that suddenly have their bandwidth saturated. The bad news is that the Mirai spreads so fast that a rebooted, clean, device gets re-infected in five minutes, according to the estimates of researchers who've been tracking the botnets. So a vigilante hacker has a small window before the bad guys come back. The other problem is what a do-gooder hacker could do once they took over the botnet. The options are: brick the devices, making them completely unusable; change the default passwords, locking out even their legitimate owners; or try to fix their firmware to make them more resistant to future hack attempts, and also still perfectly functioning. The real challenge of this whole scenario, however, is that despite being for good, this is still illegal. "No one has any real motivation to do so. Anyone with the desire to do so, is probably afraid of the potential jail time. Anyone not afraid of the potential jail time...can think of better uses for the devices," Martyn told Motherboard, referring to criminals who can monetize the Mirai botnet.

Dyn DNS DDoS Likely The Work of Script Kiddies, Says FlashPoint ( 83

While nobody knows exactly who was responsible for the internet outrage last Friday, business risk intelligence firm FlashPoint released a preliminary analysis of the attack agains Dyn DNS, and found that it was likely the work of "script kiddies" or amateur hackers -- as opposed to state-sponsored actors. TechCrunch reports: Aside from suspicion falling on Russia, various entities have also claimed or implied responsibility for the attack, including a hacking group called the New World Hackers and -- bizarrely -- WikiLeaks, which put a (perhaps joke) tweet suggesting some of its supporters might be involved. FlashPoint dubs these claims "dubious" and "likely to be false," and instead comes down on the side of the script kidding theory. Its reasoning is based on a few factors, including a detail it unearthed during its investigation of the attack: namely that the infrastructure used in the attack also targeted a well-known video game company. The attack on Dyn DNS was powered in part by a botnet of hacked DVRs and webcams known as Mirai. The source code for the malware that controls this botnet was put on Github earlier this month. And FlashPoint also notes that the hacker who released Mirai is known to frequent a hacking forum called hackforums[.]net. That circumstantial evidence points to a link between the attack and users and readers of the English-language hacking community, with FlashPoint also noting the forum has been known to target video games companies. It says it has "moderate confidence" about this theory. The firm also argues that the attacks do not seem to have been financially or politically motivated -- given the broad scope of the targets, and the lack of any attempts to extort money. Which just leaves the most likely being motivation to show off skills and disrupt stuff. Aka, script kiddies.

Nuclear Plants Leak Critical Alerts In Unencrypted Pager Messages ( 76

mdsolar quotes a report from Ars Technica: A surprisingly large number of critical infrastructure participants -- including chemical manufacturers, nuclear and electric plants, defense contractors, building operators and chip makers -- rely on unsecured wireless pagers to automate their industrial control systems. According to a new report, this practice opens them to malicious hacks and espionage. Earlier this year, researchers from security firm Trend Micro collected more than 54 million pages over a four-month span using low-cost hardware. In some cases, the messages alerted recipients to unsafe conditions affecting mission-critical infrastructure as they were detected. A heating, venting, and air-conditioning system, for instance, used an e-mail-to-pager gateway to alert a hospital to a potentially dangerous level of sewage water. Meanwhile, a supervisory and control data acquisition system belonging to one of the world's biggest chemical companies sent a page containing a complete "stack dump" of one of its devices. Other unencrypted alerts sent by or to "several nuclear plants scattered among different states" included:

-Reduced pumping flow rate
-Water leak, steam leak, radiant coolant service leak, electrohydraulic control oil leak
-Fire accidents in an unrestricted area and in an administration building
-Loss of redundancy
-People requiring off-site medical attention
-A control rod losing its position indication due to a data fault
-Nuclear contamination without personal damage
Trend Micro researchers wrote in their report titled "Leaking Beeps: Unencrypted Pager Messages in Industrial Environments": "We were surprised to see unencrypted pages coming from industrial sectors like nuclear power plants, substations, power generation plants, chemical plants, defense contractors, semiconductor and commercial manufacturers, and HVAC. These unencrypted pager messages are a valuable source of passive intelligence, the gathering of information that is unintentionally leaked by networked or connected organizations. Taken together, threat actors can do heavy reconnaissance on targets by making sense of the acquired information through paging messages. Though we are not well-versed with the terms and information used in some of the sectors in our research, we were able to determine what the pages mean, including how attackers would make use of them in an elaborate targeted attack or how industry competitors would take advantage of such information. The power generation sector is overseen by regulating bodies like the North American Electric Reliability Corporation (NERC). The NERC can impose significant fines on companies that violate critical infrastructure protection requirements, such as ensuring that communications are encrypted. Other similar regulations also exist for the chemical manufacturing sector."

The Phone Hackers At Cellebrite Have Had Their Firmware Leaked Online ( 29

An anonymous reader quotes a report from Motherboard: Cellebrite, an Israeli company that specializes in digital forensics, has dominated the market in helping law enforcement access mobile phones. But one apparent reseller of the company's products is publicly distributing copies of Cellebrite firmware and software for anyone to download. Although Cellebrite keeps it most sensitive capabilities in-house, the leak may still give researchers, or competitors, a chance to figure out how Cellebrite breaks into and analyzes phones by reverse-engineering the files. The apparent reseller distributing the files is McSira Professional Solutions, which, according to its website, "is pleased to serve police, military and security agencies in the E.U. And [sic] in other parts of the world." McSira is hosting software for various versions of Cellebrite's Universal Forensic Extraction Device (UFED), hardware that investigators can use to bypass the security mechanisms of phones, and then extract data from them. McSira allows anyone to download firmware for the UFED Touch, and a PC version called UFED 4PC. It is also hosting pieces of Cellebrite forensic software, such as the UFED Cloud Analyzer. This allows investigators to further scrutinize seized data. McSira is likely offering downloads so customers can update their hardware to the latest version with as little fuss as possible. But it may be possible for researchers to take those files, reverse-engineer them, and gain insight into how Cellebrite's tools work. That may include what sort of exploits Cellebrite uses to bypass the security mechanisms of mobile phones, and weaknesses in the implementation of consumer phones that could be fixed, according to one researcher who has started to examine the files, but was not authorised by his employer to speak to the press about this issue.

Rowhammer Attack Can Now Root Android Devices ( 100

An anonymous reader writes from a report via Softpedia: Researchers have discovered a method to use the Rowhammer RAM attack for rooting Android devices. For their research paper, called Drammer: Deterministic Rowhammer Attacks on Mobile Platforms, researchers tested and found multiple smartphone models to be vulnerable to their attack. The list includes LG Nexus (4, 5, 5X), LG G4, Motorola Moto G (2013 and 2014), One Plus One, HTC Desire 510, Lenovo K3 Note, Xiaomi Mi 4i, and Samsung Galaxy (S4, S5, and S6) devices. Researchers estimate that millions of Android users might be vulnerable. The research team says the Drammer attack has far more wide-reaching implications than just Android, being able to exploit any device running on ARM chips. In the past, researchers have tested the Rowhammer attack against DDR3 and DDR4 memory cards, weaponized it via JavaScript, took over PCs via Microsoft Edge, and hijacked Linux virtual machines. There's an app to test if your phone is vulnerable to this attack. "Rowhammer is an unintended side effect in dynamic random-access memory (DRAM) that causes memory cells to leak their charges and interact electrically between themselves, possibly altering the contents of nearby memory rows that were not addressed in the original memory access," according to Wikipedia. "This circumvention of the isolation between DRAM memory cells results from the high cell density in modern DRAM, and can be triggered by specially crafted memory access patterns that rapidly activate the same memory rows numerous times."

Alibaba Founder To Chinese Government: Use Big Data To Stop Criminals ( 46

An anonymous reader quotes a report from Bloomberg: Chinese billionaire Jack Ma proposed that the nation's top security bureau use big data to prevent crime, endorsing the country's nascent effort to build unparalleled online surveillance of its billion-plus people. China's data capabilities are virtually unrivaled among its global peers, and policing cannot happen without the ability to analyze information on its citizens, the co-founder of Alibaba Group Holding Ltd. said in a speech published Saturday by the agency that polices crime and runs the courts. Ma's stance resonates with that of China's ruling body, which is establishing a system to collect and parse information on citizens in a country where minimal safeguards exist for privacy. "Bad guys in a movie are identifiable at first glance, but how can the ones in real life be found?" Ma said in his speech, which was posted on the official WeChat account of the Commission for Political and Legal Affairs. "In the age of big data, we need to remember that our legal and security system with millions of members will also face change." In his speech, Ma stuck mainly to the issue of crime prevention. In Alibaba's hometown of Hangzhou alone, the number of surveillance cameras may already surpass that of New York's, Ma said. Humans can't handle the sheer amount of data amassed, which is where artificial intelligence comes in, he added. "The future legal and security system cannot be separated from the internet and big data," Ma said. Ma's speech also highlights the delicate relationship between Chinese web companies and the government. The ruling party has designated internet industry leaders as key targets for outreach, with President Xi Jinping saying in May last year that technology leaders should "demonstrate positive energy in purifying cyberspace."

XPrize's New Challenge: Turn Air Into Water, Make More Than a Million Dollars ( 156

An anonymous reader shares a CNET report: If you can turn thin air into water, there may be more than $1 million in it for you. XPrize, which creates challenges that pit the brightest minds against one another, is hoping to set off a wave of new innovations in clean water -- and women's safety too. The company announced its Water Abundance XPrize and the Anu & Naveen Jain Women's Safety XPrize on Monday in New Delhi. The first competition will award $1.75 million to any team that can create a device able to produce at least 2,000 liters of water a day from the atmosphere, using completely renewable energy, for at most 2 cents a liter. Teams have up to two years to complete the challenge. India is at the center of the world's water crisis, with access to groundwater depleted in some northern and eastern parts of the country. Water has become so scarce in India that natural arsenic has infiltrated the soil and water in certain regions. While there are systems that can currently extract water from the atmosphere, many of them aren't energy-efficient, or generating enough water. "We know that overuse of groundwater resources are causing the water crisis and it's only getting worse," said Zenia Tata, XPrize's executive director of Global Expansion. The $1 million Women's Safety XPrize calls for an emergency alert system that women can use, even if they don't have access to their phones. The alert would have to be sent automatically and inconspicuously to emergency responders, within 90 seconds, at a cost of $40 or less a year. The device would have to work even in cases where there's no cellphone signal or internet access.

China Electronics Firm To Recall Some US Products After Hacking Attack ( 67

An anonymous reader writes:Chinese firm Hangzhou Xiongmai said it will recall some of its products sold in the United States after it was identified by security researchers as having made parts for devices that were targeted in a major hacking attack on Friday. Hackers unleashed a complex attack on the Internet through common devices like webcams and digital recorders, and cut access to some of the world's best known websites in a stunning breach of global internet stability. The electronics components firm, which makes parts for surveillance cameras, said in a statement on its official microblog that it would recall some of its earlier products sold in the United States, strengthen password functions and send users a patch for products made before April last year. It said the biggest issue was users not changing default passwords, adding that, overall, its products were well protected from cyber security breaches. It said reports that its products made up the bulk of those targeted in the attack were false. "Security issues are a problem facing all mankind. Since industry giants have experienced them, Xiongmai is not afraid to experience them once, too," the company statement said.
Open Source

Linux Kernel 4.7 Reaches End of Life, Users Urged To Move To Linux 4.8 ( 76

prisoninmate writes: The Linux 4.7 kernel branch officially reached end of life, and it has already been marked as EOL on the website, which means that the Linux kernel 4.7.10 maintenance update is the last one that will be released for this branch. It also means that you need to either update your system to the Linux 4.7.10 kernel release or move to a more recent kernel branch, such as Linux 4.8. In related news, Linux kernel 4.8.4 is now the latest stable and most advanced kernel version, which is already available for users of the Solus and Arch Linux operating systems, and it's coming soon to other GNU/Linux distributions powered by a kernel from the Linux 4.8 series. Users are urged to update their systems as soon as possible.

Slashdot Asks: How Can We Prevent Packet-Flooding DDOS Attacks? ( 349

Just last month Brian Krebs wrote "What appears to be missing is any sense of urgency to address the DDoS threat on a coordinated, global scale," warning that countless ISPs still weren't implementing the BCP38 security standard, which was released "more than a dozen years ago" to filter spoofed traffic. That's one possible solution, but Slashdot reader dgallard suggests the PEIP and Fair Service proposals by Don Cohen: PEIP (Path Enhanced IP) extends the IP protocol to enable determining the router path of packets sent to a target host. Currently, there is no information to indicate which routers a packet traversed on its way to a destination (DDOS target), enabling use of forged source IP addresses to attack the target via packet flooding... Rather than attempting to prevent attack packets, instead PEIP provides a way to rate-limit all packets based on their router path to a destination.
I've also heard people suggest "just unplug everything," but on Friday the Wall Street Journal's Christopher Mim suggested another point of leverage, tweeting "We need laws that allow civil and/or criminal penalties for companies that sell systems this insecure." Is the best solution technical or legislative -- and does it involve hardware or software? Leave your best thoughts in the comments. How can we prevent packet-flooding DDOS attacks?

Slashdot Top Deals