Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. Also, Slashdot's Facebook page has a chat bot now. Message it for stories and more. ×
Privacy

Scottish Court Awards Damages For CCTV Camera Pointed At Neighbor's House (boingboing.net) 95

AmiMoJo quotes a report from BoingBoing: Edinburgh's Nahid Akram installed a CCTV system that let him record his downstairs neighbors Debbie and Tony Woolley in their back garden, capturing both images and audio of their private conversations, with a system that had the capacity to record continuously for five days. A Scottish court has ruled that the distress caused by their neighbor's camera entitled the Woolleys to $21,000 (17,000 British Pounds) in damages, without the need for them to demonstrate any actual financial loss. The judgment builds on a 2015 English court ruling against Google for spying on logged out Safari users, where the users were not required to show financial losses to receive compensation for private surveillance.
Iphone

Apple Fails To Remove 'Deleted' Safari Web Browser Histories From iCloud (betanews.com) 29

Reader BrianFagioli writes: Apple was storing Safari browsing histories in iCloud, even after they had been 'deleted' by the user, with such records being kept going back to 2015 -- although apparently this was an accidental by-product of the way the cloud syncing system works rather than anything malicious, and the issue has now been fixed. This information first came to light in a Forbes report, which cited Vladimir Katalov, the chief executive of Elcomsoft, a Russian security firm (which focuses on password/system recovery). Katalov stumbled onto the issue when reviewing the browsing history on his iPhone, when he discovered his supposedly deleted surfing history still present in iCloud, being able to extract it by using his company's Phone Breaker tool.
Japan

Japanese Government Requires Java and Internet Explorer 11 X86 81

Long time reader AmiMoJo writes: Japan has introduced "My Number", a social security number assigned to citizens and used to access government services. Unfortunately, the My Number management web portal requires the Java plug-in. Because this plug-in is deprecated in many browsers, only Internet Explorer 11 (32 bit) and Safari on Mac are supported. The explanation (translated) given for this is that in order to access My Number contactless card readers Java is the only option. Some browsers support IC card access but it seems that it is not mature enough to be viable.
Security

Pwn2Own 2017 Offers Big Bounties For Linux, Browser, and Apache Exploits (eweek.com) 56

Now that TrendMicro owns TippingPoint, there'll be "more targets and more prize money" according to eWeek, and something special for Pwn2Own's 10th anniversary in March. Slashdot reader darthcamaro writes: For the first time in its ten-year history, the annual Pwn2Own hacking competition is taking direct aim at Linux. Pwn2Own in the past has typically focused mostly on web browsers, running on Windows and macOS. There is a $15,000 reward for security researchers that are able to get a local user kernel exploit on Ubuntu 16.10. The bigger prize though is a massive $200,000 award for exploiting Apache Web Server running on Ubuntu.
"We are nine weeks away," TrendMicro posted Wednesday, pointing out that they're giving out over $1 million in bounties, including the following:
  • $100,000 for escaping a virtualization hypervisor
  • $80,000 for a Microsoft Edge or Google Chrome exploit
  • $50,000 for an exploit of Adobe Reader, Microsoft Word, Excel or PowerPoint
  • $50,000 for an Apple Safari exploit
  • $30,000 for a Firefox exploit
  • $30,000, $20,000 and $15,000 for privilege-escalating kernel vulnerabilities on Windows, macOS and Linux (respectively)
  • $200,000 for an Apache Web Server exploit

Youtube

Safari Users Unable to Play Newer 4K Video On YouTube in Native Resolution (macrumors.com) 124

It appears Google recently turned on VP9 codec on YouTube for delivering 4K video. However, because of this, Safari users are unable to watch videos uploaded to the service since early December in full 4K resolution. From a report: Specifically, YouTube appears to be storing video on its servers using either the more efficient VP9 codec or the older H.264 codec. Safari only supports the latter, which explains why recently uploaded 4K videos are only able to be viewed in up to 1440p. Funnily enough, the same videos can be streamed by Safari in native 4K as long as they're embedded in another website, suggesting that the VP9 codec support requirement only applies to videos viewed directly on YouTube's website. Until Apple updates Safari to support the VP9 codec, Mac users who want to access newer 4K video on YouTube in native 2160p resolution are advised to use a different browser.John Gruber of DaringFireball writes, "I'm curious what Google's thinking is here. My guess: a subtle nudge to get more Mac users to switch from Safari to Chrome. 4K playback is going to require H.264 support if they want it to work on iOS, though."
Operating Systems

Consumer Reports Now Recommends MacBook Pros (macrumors.com) 164

Consumer Reports has updated their report on the 2016 MacBook Pros, and is now recommending Apple's latest notebooks. MacRumors reports: In the new test, conducted running a beta version of macOS that fixes the Safari-related bug that caused erratic battery life in the original test, all three MacBook Pro models "performed well." The 13-inch model without a Touch Bar had an average battery life of 18.75 hours, the 13-inch model with a Touch Bar lasted for 15.25 hours on average, and the 15-inch MacBook Pro with Touch Bar had an average battery life of 17.25 hours. "Now that we've factored in the new battery-life measurements, the laptops' overall scores have risen, and all three machines now fall well within the recommended range in Consumer Reports ratings," reports Consumer Reports. Consumer Reports originally denied the 2016 MacBook Pro a purchase recommendation in late December due to extreme battery life variance that didn't match up with Apple's 10 hour battery life claim. Apple worked with Consumer Reports to figure out why the magazine encountered battery life issues, which led to the discovery of an obscure Safari caching bug. Consumer Reports used a developer setting to turn off Safari caching, triggering an "obscure and intermittent bug reloading icons" that drained excessive battery. The bug, fixed by Apple in macOS Sierra 10.12.3 beta 3, is not one the average user will encounter as most people don't turn off the Safari caching option, but it's something done in all Consumer Reports tests to ensure uniform testing conditions. A fix for the issue will be available to the general public when macOS Sierra 10.12.3 is released, but users can get it now by signing up for Apple's beta testing program.
Privacy

Fingerprinting Methods Identify Users Across Different Browsers On the Same PC (bleepingcomputer.com) 88

An anonymous reader quotes a report from BleepingComputer: A team of researchers from universities across the U.S. has identified different fingerprinting techniques that can track users when they use different browsers installed on the same machine. Named "cross-browser fingerprinting" (CBF), this practice relies on new technologies added to web browsers in recent years, some of which had been previously considered unreliable for cross-browser tracking and only used for single browser fingerprinting. These new techniques rely on making browsers carry out operations that use the underlying hardware components to process the desired data. For example, making a browser apply an image to the side of a 3D cube in WebGL provides a similar response in hardware parameters for all browsers. This is because the GPU card is the one carrying out this operation and not the browser software. According to the three-man research team led by Assistant Professor Yinzhi Cao from the Computer Science and Engineering Department at Lehigh University, the following browser features could be (ab)used for cross-browser fingerprinting operations: [Screen Resolution, Number of CPU Virtual Cores, AudioContext, List of Fonts, Line, Curve, and Anti-Aliasing, Vertex Shader, Fragment Shader, Transparency via Alpha Channel, Installed Writing Scripts (Languages), Modeling and Multiple Models, Lighting and Shadow Mapping, Camera and Clipping Planes.] Researchers used all these techniques together to test how many users they would be able to pin to the same computer. For tests, researchers used browsers such as Chrome, Firefox, Edge, IE, Opera, Safari, Maxthon, UC Browser, and Coconut. Results showed that CBF techniques were able to correctly identify 99.24% of all test users. Previous research methods achieved only a 90.84% result.
Portables (Apple)

Consumer Reports Updates Its MacBook Pro Review (consumerreports.org) 246

Reader TheFakeTimCook writes: Last month, the new MacBook Pro failed to receive a purchase recommendation from Consumer Reports due to battery life issues that it encountered during testing. Apple subsequently said it was working with Consumer Reports to understand the results, which it said do not match its "extensive lab tests or field data." According to an article from Consumer Reports, Apple has since concluded its work, and says it learned that Consumer Reports was using a "hidden Safari setting" which triggered an "obscure and intermittent bug" that led to inconsistent battery life results. With "normal user settings" enabled, Apple said Consumer Reports "consistently" achieved expected battery life. Apple stated: "We learned that when testing battery life on Mac notebooks, Consumer Reports uses a hidden Safari setting for developing web sites which turns off the browser cache. This is not a setting used by customers and does not reflect real-world usage. Their use of this developer setting also triggered an obscure and intermittent bug reloading icons which created inconsistent results in their lab. After we asked Consumer Reports to run the same test using normal user settings, they told us their MacBook Pro systems consistently delivered the expected battery life." Apple said it has fixed the Safari bug in the latest macOS Sierra beta seeded to developers and public testers this week.
Mozilla

Browser Autofill Profiles Can Be Abused For Phishing Attacks (bleepingcomputer.com) 112

An anonymous reader quotes Bleeping Computer: Browser autofill profiles are a reliable phishing vector that allow attackers to collect information from users via hidden form fields, which the browser automatically fills with preset personal information and which the user unknowingly sends to the attacker when he submits a form... Finnish web developer Viljami Kuosmanen has published a demo on GitHub... A user looking at this page will only see a Name and Email input field, along with a Submit button. Unless the user looks at the page's source code, he won't know that the form also contains six more fields named Phone, Organization, Address, Postal Code, City, and Country. If the user has an autofill profile set up in his browser, if he decides to autofill the two visible fields, the six hidden fields will be filled in as well, since they're part of the same form, even if invisible to the user's eye.

Browsers that support autofill profiles are Google Chrome, Safari, and Opera. Browsers like Edge, Vivaldi, and Firefox don't support this feature, but Mozilla is currently working on a similar feature.

Firefox

Firefox Takes the Next Step Towards Rolling Out Multi-Process To Everyone (arstechnica.com) 154

An anonymous reader quotes a report from Ars Technica: With Firefox 50, Mozilla has rolled out the first major piece of its new multi-process architecture. Edge, Internet Explorer, Chrome, and Safari all have a multiple process design that separates their rendering engine -- the part of the browser that reads and interprets HTML, CSS, and JavaScript -- from the browser frame. They do this for stability reasons (if the rendering process crashes, it doesn't kill the entire browser) and security reasons (the rendering process can be run in a low-privilege sandbox, so exploitable flaws in the rendering engine are harder to take advantage of). Moreover, these browsers can all create multiple rendering engine processes and use different processes for different tabs. This means that the scope of a crash is narrowed even further, typically to a single tab. Internet Explorer and Chrome both implemented this long ago, in 2009. Firefox, however, has not offered a similar design. Although work on a multi-process browser was started in 2009, under the codename Electrolysis, that work was suspended between 2011 and 2013 as priorities within the organization shifted. In response, Mozilla started switching to a new extension system in 2015 that opened the door to a multi-process design. The first stage of Firefox's move to multi-process involves separating the browser shell from a single rendering process that's used by every tab. In Firefox 48, that feature was enabled for a small number of users who used no extensions. Firefox 49 was rolled out to include users running a limited selection of extensions. Now, in Firefox 50, a separate renderer process is used for most users and most extensions. Developers are now able to mark their extensions as explicitly multi-process compatible. Firefox 51 will extend this even further to cover all extensions, except those that are explicitly marked as incompatible. Mozilla says that, even with the limited changes made in Firefox 50, responsiveness of the browser has improved by 400 percent due to the separation between the renderer and the browser shell. During page loads, responsiveness will increase to 700 percent.
Chrome

Slashdot Asks: Why Are Browsers So Slow? (ilyabirman.net) 766

Designer Ilya Birman writes: I understand why rendering a complicated layout may be slow. Or why executing a complicated script may be slow. Actually, browsers are rather fast doing these things. If you studied programming and have a rough idea about how many computations are made to render a page, it is surprising the browsers can do it all that fast. But I am not talking about rendering and scripts. I am talking about everything else. Safari may take a second or two just to open a new blank tab on a 2014 iMac. And with ten or fifteen open tabs it eventually becomes sluggish as hell. Chrome is better, but not much so. What are they doing? The tabs are already open. Everything has been rendered. Why does it take more than, say, a thousandth of a second to switch between tabs or create a new one? Opening a 20-megapixel photo from disk doesn't take any noticeable amount of time, it renders instantaneously. Browsers store their stuff in memory. Why can't they just show the pixels immediately when I ask for them? [...] Unfortunately, modern browsers are so stupid that they reload all the tabs when you restart them. Which takes ages if you have a hundred of tabs. Opera was sane: it did not reload a tab unless you asked for it. It just reopened everything from cache. Which took a couple of seconds. Modern browsers boast their rendering and script execution performance, but that's not what matters to me as a user. I just don't understand why programmers spend any time optimising for that while the Chrome is laughably slow even by ten-years-old standards.Do you agree with Birman? If yes, why do you think browsers are generally slow today?
Bug

Malicious Video Link Can Cause Any iOS Device To Freeze (9to5mac.com) 53

A new bug in iOS has surfaced that will cause any iOS device to freeze when trying to view a certain .mp4 video in Safari. YouTube channel EverythingApplePro explains the bug in a video titled "This Video Will CRASH ANY iPhone!" 9to5Mac reports: As you'll see in the video below from EverythingApplePro, viewing a certain video in Safari will cause iOS to essentially overload and gradually become unusable. We won't link the infectious video here for obvious reasons, but you can take our word for it when we say that it really does render your device unusable. It's not apparently clear as to why this happens. The likely reason is that it's simply a corrupted video that's some sort of memory leak and when played, iOS isn't sure how to properly handle it, but there's like more to it than that. Because of the nature of the flaw, it isn't specific to a certain iOS build. As you can see in the video below, playing the video on an iPhone running as far back as iOS 5 will cause the device to freeze and become unusable. Interestingly, with iOS 10.2 beta 3, if you let an iPhone affected by the bug sit there for long enough, it will power off and indefinitely display the spinning wheel that you normally see during the shutdown process. If someone sends you the malicious link and you fall for it, this is luckily a pretty easy problem to fix. All you have to do is hard reboot your device. For any iPhone but the iPhone 7, this can be done by long-pressing the power and Home buttons at the same time. The iPhone 7, of course, uses a new non-mechanical Home button. In order to reboot an iPhone 7, you must long-press the power button and volume down button at the same time.
Firefox

Mozilla Launches Firefox Focus, a Stripped-Down Private Browser For iOS (venturebeat.com) 35

Krystalo quotes a report from VentureBeat: Mozilla today launched a new browser for iOS. In addition to Firefox, the company now also offers Firefox Focus, a browser dedicated to user privacy that by default blocks many web trackers, including analytics, social, and advertising. You can download the new app now from Apple's App Store. If you're getting a huge feeling of deja vu, that's because in December 2015, Mozilla launched Focus by Firefox, a content blocker for iOS. The company has now rebranded the app as Firefox Focus, and it serves two purposes. The content blocker, which can still be used with Safari, remains unchanged. The basic browser, which can be used in conjunction with Firefox for iOS, is new. Firefox Focus is basically just an iOS web view with tracking protection. If you shut it down, or iOS shuts it down while it's in the background, the session is lost. There's also an erase button if you want to wipe your session sooner. But those are really the only features -- there's no history, menus, or even tabs.
Bug

iOS WebView Bug Can Force iPhones To Make Calls While UI Freezes (bleepingcomputer.com) 22

An anonymous reader writes: "A bug in the iOS WebView component allows an attacker to force someone's iPhone to dial any number, while also locking the user's interface for a few moments, preventing him to cancel the outgoing call," reports BleepingComputer. "The bug was at the heart of the recent accidental DDoS of 911 call centers across the U.S." At the heart of the issue is a Safari bug reported in 2008, which was fixed in iOS 3.0. The same bug also exists in the WebView component used by app makers to show web pages inside other apps. The researcher that found the bug writes in a blog post: "If you think automatically dialing a phone number after clicking a link in an app is not a big issue think again. DoSing 911 is pretty terrible but there are other examples such as expensive 900 numbers where the attacker can actually make money. A stalker can make his victim dial his phone number so he gets his victim's number. Altogether things you don't want to happen. [...] Apple should change the default behavior of WebViews to exclude execution of TEL URIs and make it an explicit feature to avoid this kind of issues in the future."
Firefox

Firefox Disables Loophole that Allows Sites To Track Users Via Battery Status (theguardian.com) 104

New submitter xogg writes: Battery Status API allows web sites to read the battery level of user's system. The API was found to bring privacy risks and abuse potential and a number of implementation bugs. Now with apparent no legitimate use cases, Mozilla is taking the unprecedented decision to vaporize a browser API due to privacy concerns. And apparently, WebKit, powering Apple's Safari follows. Is that the first time a browser reduces functionality following research reports warning of privacy risks?
Businesses

Apple CEO Tim Cook: 'We're Going To Kill Cash' (cnet.com) 394

At a media event on Thursday, Apple CEO Tim Cook said that the Touch ID on the new MacBook Pros will make it incredibly easy for people to do online money transactions. After the event, speaking to reporters Cook made a bold statement about how he sees Apple Pay. CNET reports: "We're going to kill cash," he said. "Nobody likes to carry around cash." He makes most of his purchases with Apple Pay (which is not surprising).Cook's comment comes days after Australia's top banks refused to support Apple Pay, saying that the company has been 'intransigent, closed and controlling'.
Encryption

Firefox Users Reach HTTPS Encryption Milestone (techcrunch.com) 63

For the first time ever, secure HTTPS encryption was used for over half the pageloads served to Mozilla users, representing a big milestone for encryption. TechCrunch reports on the telemetry data tweeted by the Head of Let's Encrypt: Mozilla, which is one of the organizations backing Let's Encrypt, was reporting that 40% of page views were encrypted as of December 2015. So it's an impressively speedy rise...

The Let's Encrypt initiative, which exited beta back in April, is doing some of that work by providing sites with free digital certificates to help accelerate the switch to HTTPS. According to [co-founder Josh] Aas, Let's Encrypt added more than a million new active certificates in the past week -- which is also a significant step up. In the initiative's first six months (when still in beta) it only issued around 1.7 million certificates in all.

The "50% HTTPS" figure is just a one-day snapshot, and it's from "only a subset of Firefox users who are running Mozilla's telemetry browser...not default switched on for most Firefox users (only for users of pre-release Firefox builds)." But the biggest caveat is it's only counting Firefox users, which in July represented just 7.7% of web surfers (according to Statista), behind both Chrome (49.5%) and Safari (13.68%) -- but also ahead of Internet Explorer (5.4%) and Opera (5.99%).
IOS

19-Year-Old Jailbreaks iPhone 7 In 24 Hours (vice.com) 97

An anonymous reader writes: 19-year-old hacker qwertyoruiop, aka Luca Todesco, jailbroke the new iPhone 7 just 24 hours after he got it, in what's the first known iPhone 7 jailbreak. Todesco tweeted a screenshot of a terminal where he has "root," alongside the message: "This is a jailbroken iPhone 7." He even has video proof of the jailbreak. Motherboard reports: "He also said that he could definitely submit the vulnerabilities he found to Apple, since they fall under the newly launched bug bounty, but he hasn't decided whether to do that yet. The hacker told me that he needs to polish the exploits a bit more to make the jailbreak 'smoother,' and that he is also planning to make this jailbreak work through the Safari browser just like the famous 'jailbreakme.com,' which allowed anyone to jailbreak their iPhone 4 just by clicking on a link." Apple responded to the news by saying, "Apple strongly cautions against installing any software that hacks iOS."
Security

Famed Security Researcher 'Mudge' Creates New Algorithm For Measuring Code Security (theintercept.com) 77

Peiter "Mudge" Zatko and his wife, Sarah, a former NSA mathematician, have started a nonprofit in the basement of their home "for testing and scoring the security of software... He says vendors are going to hate it." Slashdot reader mspohr shares an article from The Intercept: "Things like address space layout randomization [ASLR] and having a nonexecutable stack and heap and stuff like that, those are all determined by how you compiled [the source code]," says Sarah. "Those are the technologies that are really the equivalent of airbags or anti-lock brakes [in cars]..." The lab's initial research has found that Microsoft's Office suite for OS X, for example, is missing fundamental security settings because the company is using a decade-old development environment to build it, despite using a modern and secure one to build its own operating system, Mudge says. Industrial control system software, used in critical infrastructure environments like power plants and water treatment facilities, is also primarily compiled on "ancient compilers" that either don't have modern protective measures or don't have them turned on by default...

The process they use to evaluate software allows them to easily compare and contrast similar programs. Looking at three browsers, for example -- Chrome, Safari, and Firefox -- Chrome came out on top, with Firefox on the bottom. Google's Chrome developers not only used a modern build environment and enabled all the default security settings they could, Mudge says, they went "above and beyond in making things even more robust." Firefox, by contrast, "had turned off [ASLR], one of the fundamental safety features in their compilation."

The nonprofit was funded with $600,000 in funding from DARPA, the Ford Foundation, and Consumers Union, and also looks at the number of external libraries called, the number of branches in a program and the presence of high-complexity algorithms.

Slashdot Top Deals