DEAL: For $25 - Add A Second Phone Number To Your Smartphone for life! Use promo code SLASHDOT25. Also, Slashdot's Facebook page has a chat bot now. Message it for stories and more. Check out the new SourceForge HTML5 internet speed test! ×
China

Microsoft Delivers Secure China-Only Cut of Windows 10 (theregister.co.uk) 87

Earlier this week, CEO of Microsoft Greater China, Alain Crozier, told China Daily that the company is ready to roll out a version of Windows 10 with extra security features demanded by China's government. "We have already developed the first version of the Windows 10 government secure system. It has been tested by three large enterprise customers," Crozier said. The Register reports: China used Edward Snowden's revelations to question whether western technology products could compromise its security. Policy responses included source code reviews for foreign vendors and requiring Chinese buyers to shop from an approved list of products. Microsoft, IBM and Intel all refused to submit source code for inspection, but Redmond and Big Blue have found other ways to get their code into China. IBM's route is a partnership with Dalian Wanda to bring its cloud behind the Great Firewall. Microsoft last year revealed its intention to build a version of Windows 10 for Chinese government users in partnership with state-owned company China Electronics Technology Group Corp. There's no reason to believe Crozier's remarks are incorrect, because Microsoft has a massive incentive to deliver a version of Windows 10 that China's government will accept. To understand why, consider that China's military has over two million active service personnel, the nation's railways employ similar numbers and Microsoft's partner China Electronics Technology Group Corp has more than 140,000 people on its books. Not all of those are going to need Windows, but plenty will.
Software

FedEx Will Pay You $5 To Install Flash (theregister.co.uk) 84

FedEx's Office Print department is offering customers $5 to enable Adobe Flash in their browsers. Why would they do such a thing you may ask? It's because they want customers to design posters, signs, manuals, banners and promotional agents using their "web-based config-o-tronic widgets," which requires Adobe Flash. The Register reports: But the web-based config-o-tronic widgets that let you whip and order those masterpieces requires Adobe Flash, the enemy of anyone interested in security and browser stability. And by anyone we mean Google, which with Chrome 56 will only load Flash if users say they want to use it, and Microsoft which will stop supporting Flash in its Edge browser when the Windows 10 Creators Update debuts. Mozilla's Firefox will still run Flash, but not for long. The impact of all that Flash hate is clearly that people are showing up at FedEx Office Print without the putrid plug-in. But seeing as they can't use the service without it, FedEx has to make the offer depicted above or visible online here. That page offers a link to download Flash, which is both a good and a bad idea. The good is that the link goes to the latest version of Flash, which includes years' worth of bug fixes. The bad is that Flash has needed bug fixes for years and a steady drip of newly-detected problems means there's no guarantee the software's woes have ended. Scoring yourself a $5 discount could therefore cost you plenty in future.
Communications

T-Mobile Kicks Off Industry Robocall War With Network-Level Blocking and ID Tools (venturebeat.com) 74

T-Mobile is among the first U.S. telecom companies to announce plans to thwart pesky robocallers. From a report on VentureBeat: The move represents part of an industry-wide Robocall Strike Force set up by the Federal Communications Commission (FCC) last year to combat the 2 billion-plus automated calls U.S. consumers deal with each month. Other key members of the group include Apple, Google, Microsoft, and Verizon. T-Mobile's announcement comes 24 hours after the FCC voted to approve a new rule that would allow telecom companies to block robocallers who use fake caller ID numbers to conceal their true location and identity. From a report on WashingtonPost: The Federal Communications Commission on Thursday proposed new rules (PDF) that would allow phone companies to target and block robo-calls coming from what appear to be illegitimate or unassigned phone numbers. The rules could help cut down on the roughly 2.4 billion automated calls that go out each month -- many of them fraudulent, according to FCC Chairman Ajit Pai. "Robo-calls are the No. 1 consumer complaint to the FCC from members of the American public," he said, vowing to halt people who, in some cases, pretend to be tax officials demanding payments from consumers, or, in other cases, ask leading questions that prompt consumers to give up personal information as part of an identity theft scam.
Software

Blinking Cursor Devours CPU Cycles in Visual Studio Code Editor (theregister.co.uk) 210

An anonymous reader shares a report on The Register: Microsoft describes Visual Studio Code as a source code editor that's "optimized for building and debugging modern web and cloud applications." In fact, VSC turns out to be rather inefficient when it comes to CPU resources. Developer Jo Liss has found that the software, when in focus and idle, uses 13 percent of CPU capacity just to render its blinking cursor. Liss explains that the issue can be reproduced by closing all VSC windows, opening a new window, opening a new tab with an empty untitled file, then checking CPU activity. For other macOS applications that present a blinking cursor, like Chrome or TextEdit, Liss said, the CPU usage isn't nearly as excessive. The issue is a consequence of rendering the cursor every 16.67ms (60 fps) rather than every 500ms.
Microsoft

Microsoft's OneDrive Web App Crippled With Performance Issues On Linux and Chrome OS (theregister.co.uk) 114

Iain Thomson, reporting for The Register: Plenty of Linux users are up in arms about the performance of the OneDrive web app. They say that when accessing Microsoft's cloudy storage system in a browser on a non-Windows system -- such as on Linux or ChromeOS -- the service grinds to a barely usable crawl. But when they use a Windows machine on the same internet connection, speedy access resumes. Crucially, when they change their browser's user-agent string -- a snippet of text the browser sends to websites describing itself -- to Internet Explorer or Edge, magically their OneDrive access speeds up to normal on their non-Windows PCs. In other words, Microsoft's OneDrive web app slows down seemingly deliberately when it appears you're using Linux or some other Windows rival. This has been going on for months, and complaints flared up again this week after netizens decided enough is enough. When gripes about this suspicious slowdown have cropped up previously, Microsoft has coldly reminded people that OneDrive for Business is not supported on Linux, thus the crap performance is to be expected. But when you change the user-agent string of your browser on Linux to match IE or Edge, suddenly OneDrive's web code runs fine. The original headline of the story is, "Microsoft loves Linux so much, its OneDrive web app runs like a dog on Windows OS rivals".
DRM

W3C Erects DRM As Web Standard (theregister.co.uk) 237

The World Wide Web Consortium (W3C) has formally put forward highly controversial digital rights management as a new web standard. "Dubbed Encrypted Media Extensions (EME), this anti-piracy mechanism was crafted by engineers from Google, Microsoft, and Netflix, and has been in development for some time," reports The Register. "The DRM is supposed to thwart copyright infringement by stopping people from ripping video and other content from encrypted high-quality streams." From the report: The latest draft was published last week and formally put forward as a proposed standard soon after. Under W3C rules, a decision over whether to officially adopt EME will depend on a poll of its members. That survey was sent out yesterday and member organizations, who pay an annual fee that varies from $2,250 for the smallest non-profits to $77,000 for larger corporations, will have until April 19 to register their opinions. If EME gets the consortium's rubber stamp of approval, it will lock down the standard for web browsers and video streamers to implement and roll out. The proposed standard is expected to succeed, especially after web founder and W3C director Sir Tim Berners-Lee personally endorsed the measure, arguing that the standard simply reflects modern realities and would allow for greater interoperability and improve online privacy. But EME still faces considerable opposition. One of its most persistent vocal opponents, Cory Doctorow of the Electronic Frontier Foundation, argues that EME "would give corporations the new right to sue people who engaged in legal activity." He is referring to the most recent controversy where the W3C has tried to strike a balance between legitimate security researchers investigating vulnerabilities in digital rights management software, and hackers trying to circumvent content protection. The W3C notes that the EME specification includes sections on security and privacy, but concedes "the lack of consensus to protect security researchers remains an issue." Its proposed solution remains "establishing best practices for responsible vulnerability disclosure." It also notes that issues of accessibility were ruled to be outside the scope of the EME, although there is an entire webpage dedicated to those issues and finding solutions to them.
Firefox

Firefox for Linux is Now Netflix Compatible (betanews.com) 70

Brian Fagioli, writing for BetaNews: For a while, Netflix was not available for traditional Linux-based operating systems, meaning users were unable to enjoy the popular streaming service without booting into Windows. This was due to the company's reliance on Microsoft Silverlight. Since then, Netflix adopted HTML5, and it made Google Chrome and Chromium for Linux capable of playing the videos. Unfortunately, Firefox -- the open source browser choice for many Linux users -- was not compatible. Today this changes, however, as Mozilla's offering is now compatible with Netflix!
Microsoft

Microsoft's Edge Was Most Hacked Browser At Pwn2Own 2017, While Chrome Remained Unhackable (tomshardware.com) 144

At the Pwn2Own 2017 hacking event, Microsoft's Edge browser proved itself to be the least secure browser at the event, after it was hacked no less than five times. Google's Chrome browser, on the other hand, remained unhackable during the contest. Tom's Hardware reports: On the first day, Team Ether (Tencent Security) was the first to hack Edge through an arbitrary write in the Chakra JavaScript engine. The team also used a logic bug in the sandbox to escape that, as well. The team got an $80,000 prize for this exploit. On the second day, the Edge browser was attacked fast and furious by multiple teams. However, one was disqualified for using a vulnerability that was disclosed the previous day. (The teams at Pwn2Own are supposed to only use zero-day vulnerabilities that are unknown to the vendor. Two other teams withdrew their entries against Edge. However, Team Lance (Tencent Security) successfully exploited Microsoft's browser using a use-after-free (UAF) vulnerability in Chakra, and then another UAF bug in the Windows kernel to elevate system privileges. The exploit got the team $55,000. Team Sniper (Tencent Security) also exploited Edge and the Windows kernel using similar techniques, which gained this team the same amount of money, as well. The most impressive exploit by far, and also a first for Pwn2Own, was a virtual machine escape through an Edge flaw by a security team from "360 Security." The team leveraged a heap overflow bug in Edge, a type confusion in the Windows kernel, and an uninitialized buffer in VMware Workstation for a complete virtual machine escape. The team hacked its way in via the Edge browser, through the guest Windows OS, through the VM, all the way to the host operating system. This impressive chained-exploit gained the 360 Security team $105,000. The fifth exploit against Edge was done by Richard Zhu, who used two UAF bugs--one in Edge and one in a Windows kernel buffer overflow--to complete the hack. The attack gained Zhu $55,000. At last year's Pwn2Own 2016, Edge proved to be more secure than Internet Explorer and Safari, but it still ended up getting hacked twice. Chrome was only partially hacked once, notes Tom's Hardware.
Microsoft

Microsoft Outlook, Skype, OneDrive Hit By Another Authentication Issue (zdnet.com) 48

Two weeks after a widespread authentication issue hit Outlook, Skype, OneDrive, Xbox and other Microsoft services, it's happening again. From a report: On March 21, users across the world began reporting via Twitter that they couldn't sign into Outlook.com, OneDrive and Skype, (and possibly more). I, myself, am unable to sign into Outlook.com, OneDrive or Skype at 2:30 pm ET today, but my Office 365 Mail account is working fine. (Knock wood.) I believe the issue started about an hour ago, or 1:30 p.m. ET or so. MSA is Microsoft's single sign-on service which authenticates users so they can log into their various Microsoft services. As happened two weeks ago, Skype Heartbeat site, has posted a message noting that users may be experiencing problems sending messages and signing in.
Businesses

Microsoft Just Showed Off Exactly What Salesforce Was Worried About (cnbc.com) 73

Microsoft just took a direct swipe at Salesforce with a new enterprise-ready version of LinkedIn's customer relationship management product called Sales Navigator. From a report on CNBC: "Today's announcements take Sales Navigator to the next level," Doug Camplejohn, LinkedIn sales solutions head of product, said in a blog. The new product steps up competition with arch rival Salesforce. Microsoft beat out Salesforce to acquire Linkedin for $26.2 billion -- by far the company's largest acquisition to date -- in June. Salesforce CEO Marc Benioff was so concerned, he accused the company of "anti-competitive behavior" and urged regulators to investigate. Flash-forward less than a year and Microsoft's new Sales Navigator Enterprise Edition incorporates many features aimed at turning LinkedIn into a must-have tool for sales teams at big companies.
Businesses

Apple's Next Big Thing: Augmented Reality (bloomberg.com) 94

Apple is beefing up its staff with acquisitions and some big hires to help design augmented reality glasses and iPhone features, according to Bloomberg. From a report: Apple is working on "digital spectacles" that could connect to an iPhone and beam content like movies and maps, Bloomberg's Mark Gurman reported on Monday. The Cupertino, Calif.- based company is also working on augmented reality features for the iPhone that are similar to Snapchat, Bloomberg said. To make its augmented reality push, Apple has acquired augmented reality start-ups FlyBy Media and Metaio, and hired major players from Amazon, Facebook's Oculus, Microsoft's HoloLens, and Dolby.
Microsoft

Windows 10 Will Download Some Updates Even Over a Metered Connection (winsupersite.com) 320

Reader AmiMoJo writes: Until now Windows 10 has allowed users to avoid downloading updates over metered (pay-per-byte) connections, to avoid racking up huge bills. Some users were setting their ethernet/wifi connections as metered in order to prevent Windows 10 from downloading and installing updates without their permission. In its latest preview version of the OS, Microsoft is now forcing some updates necessary for "smooth operation" to download even on these connections. As well as irritating users who want to control when updates download and install, users of expensive pay-per-byte connections could face massive bills.
Microsoft

WikiLeaks Won't Tell Tech Companies How To Patch CIA Zero-Days Until Demands Are Met (fortune.com) 227

"WikiLeaks has made initial contact with us via secure@microsoft.com," a Microsoft spokesperson told Motherboard -- but then things apparently stalled. An anonymous reader quotes Fortune: Wikileaks this week contacted major tech companies including Apple and Google, and required them to assent to a set of conditions before receiving leaked information about security "zero days" and other surveillance methods in the possession of the Central Intelligence Agency... Wikileaks' demands remain largely unknown, but may include a 90-day deadline for fixing any disclosed security vulnerabilities. According to Motherboard's sources, at least some of the involved companies are still in the process of evaluating the legal ramifications of the conditions.
Julian Assange announced Friday that Mozilla had already received information after agreeing to their "industry standard responsible disclosure plan," then added that "most of these lagging companies have conflicts of interest due to their classified work for U.S. government agencies... such associations limit industry staff with U.S. security clearances from fixing security holes based on leaked information from the CIA." Assange suggested users "may prefer organizations such as Mozilla or European companies that prioritize their users over government contracts. Should these companies continue to drag their feet we will create a league table comparing company responsiveness and government entanglements so users can decided for themselves."
AI

The First Practical Use For Quantum Computers: Chemistry (technologyreview.com) 42

"The first quantum computer to start paying its way with useful work in the real world looks likely to do so by helping chemists," writes MIT Technology Review, "trying to do things like improve batteries or electronics." An anonymous reader quotes their report: So far, simulating molecules and reactions is the use case for early, small quantum computers sketched out in most detail by researchers developing the new kind of algorithms needed for such machines... "From the point of view of what is theoretically proven, chemistry is ahead," says Scott Crowder, chief technology officer for the IBM division that today sells hardware including supercomputers and hopes to add cloud-hosted quantum computers to its product line-up in the next few years...

Researchers have long used simulations of molecules and chemical reactions to aid research into things like new materials, drugs, or industrial catalysts. The tactic can reduce time spent on physical experiments and scientific dead ends, and it accounts for a significant proportion of the workload of the world's supercomputers. Yet the payoffs are limited because even the most powerful supercomputers cannot perfectly re-create all the complex quantum behaviors of atoms and electrons in even relatively small molecules, says Alan Aspuru-Guzik, a chemistry professor at Harvard. He's looking forward to the day simulations on quantum computers can accelerate his research group's efforts to find new light-emitting molecules for displays, for example, and batteries suitable for grid-scale energy storage.

Microsoft is already focusing on chemistry and materials science in its quantum algorithm effort, saying a hybrid system combining conventional computers with a small quantum computer "has great promise for studying molecules." Meanwhile, the article argues that breaking encryption, "although a genuine threat, is one of the most distant applications of the technology, because the algorithms involved would require an extremely large quantum processor."
Security

Edge, VMWare, Safari, And Ubuntu Linux Hacked at Pwn2Own 2017 (trendmicro.com) 82

The 10th annual Pwn2Own hacking competition ended Friday in Vancouver. Some of the highlights:
  • Ars Technica reports one team "compromised Microsoft's heavily fortified Edge browser in a way that escapes a VMware Workstation virtual machine it runs in... by exploiting a heap overflow bug in Edge, a type confusion flaw in the Windows kernel and an uninitialized buffer vulnerability in VMware."
  • Digital Trends reports "Samuel Grob and Niklas Baumstark used a number of logic bugs to exploit the Safari browser and eventually take root control of the MacOS on a MacBook Pro, [and] impressed onlookers even more by adding a custom message to the Touch Bar which read: "pwned by niklasb and saelo."
  • Ubuntu 16.10 Linux was also successfully attacked by exploiting a flaw in the Linux 4.8 kernel, "triggered by a researcher who only had basic user access but was able to elevate privileges with the vulnerability to become the root administrative account user..." reports eWeek. "Chaitin Security Research Lab didn't stop after successfully exploiting Ubuntu. It was also able to successfully demonstrate a chain of six bugs in Apple Safari, gaining root access on macOS."
  • Another attacker "leveraged two separate use-after-free bugs in Microsoft Edge and then escalated to SYSTEM using a buffer overflow in the Windows kernel."

None of the attendees registered to attempt an attack on the Apache Web Server on Ubuntu 16.10 Linux, according to eWeek, but the contest's blog reports that "We saw a record 51 bugs come through the program. We paid contestants $833,000 USD in addition to the dozen laptops we handed out to winners. And, we awarded a total of 196 Master of Pwn points."


Security

Windows 10 UAC Bypass Uses Backup and Restore Utility (bleepingcomputer.com) 58

An anonymous reader writes: "A new User Access Control (UAC) bypass technique relies on altering Windows registry app paths and using the Backup and Restore utility to load malicious code without any security warning," reports BleepingComputer. The technique works when an attacker launches the Backup and Restore utility, which loads its control panel settings page. Because the utility doesn't known where this settings page is located, it queries the Windows Registry. The problem is that low-privileged users can modify Windows Registry values and point to malware. Because the Backup and Restore utility is a trusted application, UAC prompts are suppressed. This technique only works in Windows 10 (not earlier OS versions) and was tested with Windows 10 build 15031. A proof-of-concept script is available on GitHub. The same researcher had previously found two other UAC bypass techniques, one that abuses the Windows Event Viewer, and one that relies on the Windows 10 Disk Cleanup utility
AMD

Microsoft Locks Ryzen, Kaby Lake Users Out of Updates On Windows 7, 8.1 (kitguru.net) 419

Artem Tashkinov writes: In a move that will shock a lot of people, someone at Microsoft decided to deny Windows 7/8.1 updates to the users of the following CPU architectures: Intel seventh (7th)-generation processors (Kaby Lake); AMD "Bristol Ridge" (Zen/Ryzen); Qualcomm "8996." It's impossible to find any justification for this decision to halt support for the x86 architectures listed above because you can perfectly run MS-DOS on them. Perhaps, Microsoft has decided that the process of foisting Windows 10 isn't running at full steam, so the company created this purely artificial limitation. I expect it to be cancelled soon after a wide backlash from corporate customers. KitGuru notes that users may encounter the following error message when they attempt to update their OS: "Your PC uses a processor that isn't supported on this version of Windows." The only resolution is to upgrade to Windows 10.
Microsoft

Microsoft To End Support For Windows Vista In Less Than a Month (pcworld.com) 167

In less than a month's time, Microsoft will put Windows Vista to rest once and for all. If you're one of the few people still using it, you have just a few weeks to find another option before time runs out. (I mean, nobody will uninstall it from your computer, but.) From a report on PCWorld: After April 11, 2017, Microsoft will no longer support Windows Vista: no new security updates, non-security hotfixes, free or paid assisted support options, or online technical content updates, Microsoft says. (Mainstream Vista support expired in 2012.) Like it did for Windows XP, Microsoft has moved on to better things after a decade of supporting Vista. As Microsoft notes, however, running an older operating system means taking risks -- and those risks will become far worse after the deadline. Vista's Internet Explorer 9 has long since expired, and the lack of any further updates means that any existing vulnerabilities will never be patched -- ever. Even if you have Microsoft's Security Essentials installed -- Vista's own antivirus program -- you'll only receive new signatures for a limited time.
Security

Canonical Preps Security Lifeboat, Yells: Ubuntu 12.04 Hold-Outs, Get In (theregister.co.uk) 88

Gavin Clarke, writing for The Register: Canonical is extending the deadline for security updates for paying users of its five-year-old Ubuntu 12.04 LTS -- a first. Ubuntu 12.04 LTS will become the first Long Term Support release of Canonical's Linux to get Extended Security Maintenance (ESM). There are six LTS editions. All others have been end-of-lifed -- and given no security reprieve. LTS editions of Ubuntu Linux are released every two years. Desktop support runs for three years and the server edition receives security patches and updates for a period of five years. Security updates for 12.04 were scheduled to run out on April 28, 2017 but that now won't happen for those on Canonical's Ubuntu Advantage programme. They'll now receive important security fixes for the kernel and "most essential" userspace packages on their servers running 12.04. In what's shaping up to be Canonical's Windows XP moment over at Microsoft, the Linux spinner rolled out the lifeline because customers are clinging to 12.04.
Government

Apple, Amazon, and Microsoft Are Helping Google Fight an Order To Hand Over Foreign Emails (businessinsider.com) 67

Apple, Microsoft, Amazon, and Cisco have filed an amicus brief in support of Google, after a Pennsylvania court ruled that the company had to hand over emails stored overseas in response to an FBI warrant. From a report: An amicus brief is filed by people or companies who have an interest in the case, but aren't directly involved. In this case, it's in Silicon Valley's interest to keep US law enforcement from accessing customer data stored outside the US. It isn't clear what data Google might have to hand over and, last month, the company said it would fight to the order. In the brief, the companies argue: "When a warrant seeks email content from a foreign data center, that invasion of privacy occurs outside the United States -- in the place where the customers' private communications are stored, and where they are accessed, and copied for the benefit of law enforcement, without the customer's consent."

Slashdot Top Deals