Domain: arstechnica.com
Stories and comments across the archive that link to arstechnica.com.
Stories · 4,420
Linux Turns 25, Is Bigger and More Professional Than Ever (arstechnica.com)
The Linux operating system kernel is 25 years old this month, ArsTechnica writes. It was August 25, 1991 when Linus Torvalds posted his famous message announcing the project, claiming that Linux was "just a hobby, won't be big and professional like gnu." From the article: But now, Linux is far bigger and more professional than Torvalds could have imagined. Linux powers huge portions of the Internet's infrastructure, corporate data centers, websites, stock exchanges, the world's most widely used smartphone operating system, and nearly all of the world's fastest supercomputers. The successes easily outweigh Linux's failure to unseat Microsoft and Apple on PCs, but Linux has still managed to get on tens of millions of desktops and laptops and Linux software even runs on Windows. Do you use any Linux-based operating system? Share your experience with it. What changes would you want to see in it in the next five years? -
Nuclear Waste Accident 2 Years Ago May Cost More Than $2 Billion To Clean Up (arstechnica.com)
An anonymous reader writes: The Los Angeles Times is estimating that an explosion that occurred at a New Mexico nuclear waste dumping facility in 2014 could cost upwards of $2 billion to clean up. Construction began on the Waste Isolation Pilot Plant (WIPP) in New Mexico's Carlsbad desert in the 1980s. The site was built to handle transuranic waste from the US' nuclear weapons program. The WIPP had been eyed to receive nuclear waste from commercial power-generating plants as well. According to the LA Times, the 2014 explosion at the WIPP was downplayed by the federal government, with the Department of Energy (DoE) putting out statements indicating that cleanup was progressing quickly. Indeed, a 2015 Recovery Plan insisted that "limited waste disposal operations" would resume in the first quarter of 2016. Instead, two years have passed since the incident without any indication that smaller nuclear waste cleanup programs around the US will be able to deliver their waste to the New Mexico facility any time soon. The 2014 explosion apparently occurred when engineers at the Los Alamos National Laboratory were preparing a drum of plutonium and americium waste -- usually packed with kitty litter (yes, kitty litter) -- and decided to "substitute an organic material for a mineral one." -
Mozilla Is Changing Its Look -- and Asking the Internet For Feedback (arstechnica.com)
Megan Geuss, writing for ArsTechnica: Mozilla is trying a rebranding. Back in June, the browser developer announced that it would freshen up its logo and enlist the Internet's help in reaching a final decision. The company hired British design company Johnson Banks to come up with seven new "concepts" to illustrate the company's work. The logos rely on vibrant colors, and several of them recall '80s and '90s style. In pure, nearly-unintelligible marketing speak, Mozilla writes that each new design reflects a story about the company. "From paying homage to our paleotechnic origins to rendering us as part of an ever-expanding digital ecosystem, from highlighting our global community ethos to giving us a lift from the quotidian elevator open button, the concepts express ideas about Mozilla in clever and unexpected ways," Mozilla's Creative Director Tim Murray writes in a blog post. Mozilla is soliciting comment and criticism on the seven new designs for the next two weeks, but this is no Boaty McBoatface situation. Mozilla is clear that it's not crowdsourcing a design, asking anyone to work on spec, or holding a vote over which logo the Internet prefers. It's just asking for comments. -
EFF Accuses T-Mobile of Violating Net Neutrality With Throttled Video (arstechnica.com)
An anonymous reader writes: T-Mobile's new "unlimited" data plan that throttles video has upset the Electronic Frontier Foundation (EFF), which accuses the company of violating net neutrality principles. The new $70-per-month unlimited data plan "limits video to about 480p resolution and requires customers to pay an extra $25 per month for high-definition video," reports Ars Technica. "Going forward, this will be the only plan offered to new T-Mobile customers, though existing subscribers can keep their current prices and data allotments." EFF Senior Staff Technologist Jeremy Gillula told the Daily Dot, "From what we've read thus far it seems like T-Mobile's new plan to charge its customers extra to not throttle video runs directly afoul of the principle of net neutrality." The FCC's net neutrality rules ban throttling, though Ars notes "there's a difference between violating 'the principle of net neutrality' and violating the FCC's specific rules, which have exceptions to the throttling ban and allow for case-by-case judgements." "Because our no-throttling rule addresses instances in which a broadband provider targets particular content, applications, services, or non-harmful devices, it does not address a practice of slowing down an end user's connection to the internet based on a choice made by the end user," says the FCC's Open Internet Order (PDF). "For instance, a broadband provider may offer a data plan in which a subscriber receives a set amount of data at one speed tier and any remaining data at a lower tier." The EFF is still determining whether or not to file a complaint with the Federal Communications Commission. -
When We're Happy, We Actively Sabotage Our Good Moods With Grim Tasks (arstechnica.com)
Beth Mole, writing for Ars Technica: Always keeping your house tidy and spotless may earn you the label of "neat freak" -- but "super happy" may be a more accurate tag. When people voluntarily take on unpleasant tasks such as housework, they tend to be in particularly happy states, according to a new study on hedonism. The finding challenges an old prediction by some researchers that humans can be constant pleasure-seekers. Instead, the new study suggests we might seek out fun, uplifting activities mainly when we're in bad or down moods. But when we're on the up, we're more likely to go for the dull and dreary assignments. This finding of "flexible hedonism," reported this week in The Proceedings of the National Academy of Sciences, may seem counterintuitive because it suggests we sabotage our own high spirits. But it hints at the idea that humans tend to make sensible short-term trade-offs on happiness for long-term gains. "Although our data cannot directly tell us whether regularly engaging in unpleasant activities predicts psychological and social adjustment five or 10 years down the line, a large body of work has consistently demonstrated the importance of sleeping, employment, and living in a reasonably clean and organized home on mental and physical health," according to the study authors, led by Maxime Taquet of Harvard and Jordi Quoidbach of the University Pompeu Fabra in Spain. -
Oracle Says Trial Wasn't Fair, It Should Have Known About Google Play For Chrome (arstechnica.com)
Two and a half months after a federal jury concluded that Google's Android operating system does not infringe Oracle-owned copyrights because its re-implementation of 37 Java APIs is protected by "fair use," Oracle's attorney says her client missed a crucial detail in the trial, adding that this detail could change everything. ArsTechnica reports: Oracle lawyers argued in federal court today that their copyright trial loss against Google should be thrown out because they were denied key evidence in discovery. Oracle attorney Annette Hurst said that the launch of Google Play on Chrome OS, which happened in the middle of the trial, showed that Google was trying to break into the market for Java SE on desktops. In her view, that move dramatically changes the amount of market harm that Oracle experienced, and the evidence should have been shared with the jury. "This is a game-changer," Hurst told U.S. District Judge William Alsup, who oversaw the trial. "The whole foundation for their case is gone. [Android] isn't 'transformative'; it's on desktops and laptops." Google argued that its use of Java APIs was "fair use" for several reasons, including the fact that Android, which was built for smartphones, didn't compete with Java SE, which is used on desktops and laptops. During the post-trial hearing today, Hurst argued that it's clear that Google intends to use Android smartphones as a "leading wedge" and has plans to "suck in the entire Java SE market. [...] Android is doing this using Java code," said Hurst. "That's outrageous, under copyright law. This verdict is tainted by the jury's inability to hear this evidence. Viewing the smartphone in isolation is a Google-gerrymandered story." In the meantime, Google's attorney said Oracle was aware of Google's intentions of porting Android to laptops and desktops, and that if Oracle wanted to use this piece of information, it could have. -
Nvidia Calls Out Intel For Cheating In Xeon Phi vs GPU Benchmarks (arstechnica.com)
An anonymous reader writes: Nvidia has called out Intel for juicing its chip performance in specific benchmarks -- accusing Intel of publishing some incorrect "facts" about the performance of its long-overdue Knights Landing Xeon Phi cards. Nvidia's primary beef is with the following Intel slide, which was presented at a high performance computing conference (ISC 2016). Nvidia disputes Intel's claims that Xeon Phi provides "2.3x faster training" for neural networks and that it has "38 percent better scaling" across nodes. It looks like Intel opted for the classic using-an-old-version-of-some-benchmarking-software manoeuvre. Intel claimed that a Xeon Phi system is 2.3 times faster at training a neural network than a comparable Maxwell GPU system; Nvidia says that if Intel used an up-to-date version of the benchmark (Caffe AlexNet), the Maxwell system is actually 30 percent faster. And of course, Maxwell is Nvidia's last-gen part; the company says a comparable Pascal-based system would be 90 percent faster. On the 38-percent-better-scaling point, Nvidia says that Intel compared 32 of its new Xeon Phi servers against four-year-old Nvidia Kepler K20 servers being used in ORNL's Titan supercomputer. Nvidia states that modern GPUs, paired with a newer interconnect, scale "almost linearly up to 128 GPUs." -
Wrong Chemical Dumped Into Olympic Pools Made Them Green (arstechnica.com)
Z00L00K writes: [Ars Technica reports:] "After a week of trying to part with green tides in two outdoor swimming pools, Olympic officials over the weekend wrung out a fresh mea culpa and yet another explanation -- neither of which were comforting. According to officials, a local pool-maintenance worker mistakenly added 160 liters of hydrogen peroxide to the waters on August 5, which partially neutralized the chlorine used for disinfection. With chlorine disarmed, the officials said that 'organic compounds' -- i.e. algae and other microbes -- were able to grow and turn the water a murky green in the subsequent days. The revelation appears to contradict officials' previous assurances that despite the emerald hue, which first appeared Tuesday, the waters were safe." I would personally have avoided using the green pools, but that's just me. "Hydrogen peroxide is sometimes used in pools -- often to de-chlorinate them," reports Ars. "Basically, the chemical, a common household disinfectant, is a weak acid that reacts with chlorine and chlorine-containing compounds to release oxygen and form other chlorine-containing compounds. Those may not be good at disinfecting pools, but they still may be picked up by monitoring systems. Hydrogen peroxide can also be used to disinfect pools but must be maintained in the waters -- not a one-time dumping -- and can't be used in combination with chlorine." Apparently, the green water irritates eyes and smells like farts. -
Snowden Speculates Leak of NSA Spying Tools Is Tied To Russian DNC Hack (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: Two former employees of the National Security Agency -- including exiled whistleblower Edward Snowden -- are speculating that Monday's leak of what are now confirmed to be advanced hacking tools belonging to the U.S. government is connected to the separate high-profile hacks and subsequent leaks of two Democratic groups. Private security firms brought in to investigate the breach of the Democratic National Committee and a separate hack of the Democratic Congressional Campaign Committee have said that the software left behind implicates hackers tied to the Russian government. U.S. intelligence officials have privately said they, too, have high confidence of Russian government involvement. Both Snowden and Dave Aitel, an offensive security expert who spent six years as an NSA security scientist, are speculating that Monday's leak by a group calling itself Shadow Brokers is in response to growing tensions between the U.S. and Russia over the hacks on the Democratic groups. As this post was being prepared, researchers with Kaspersky Lab confirmed that the tools belong to Equation Group, one of the most sophisticated hacking groups they've ever investigated. "Why did they do it?" Snowden wrote in a series of tweets early Tuesday morning. "No one knows, but I suspect this is more diplomacy than intelligence, related to the escalation around the DNC hack." In a brief post of his own, Aitel agreed that Russia is the most likely suspect behind both the Democratic hacks and the leaking of the NSA spying tools. He also said the NSA data was likely obtained by someone with physical access to an NSA secure area who managed to walk out with a USB stick loaded with secrets. -
Cable Expands Broadband Domination as AT&T and Verizon Lose Customers (arstechnica.com)
The cable industry's grip on the U.S. broadband space increased last quarter, with Comcast and Charter gaining nearly 500,000 subscribers, combined. Phone companies AT&T, Verizon, CenturyLink, and Frontier, however, all lost Internet customers. ArsTechnica reports: The 14 largest ISPs, accounting for 95 percent of the US market, gained 192,510 Internet customers in Q2 2016, bringing the total to 91.9 million, Leichtman Research Group reported today. Cable companies accounted for all of the gains, adding 553,293 subscribers for a new total of 57 million. The phone companies lost 360,783 subscribers, bringing them down to 34.9 million. Phone companies' losses more than doubled since Q2 2015, when they lost about 150,000 subscribers. [...] Comcast and Charter, the two biggest ISPs, led the way in subscriber gains. Comcast added 220,000 broadband subscribers to boost its total to 24 million, while Charter (the new owner of Time Warner Cable) added 277,000 subscribers for a new total of 21.8 million. AT&T lost 123,000 subscribers, lowering its total to 15.6 million. Verizon lost 83,000, leaving it with 7 million Internet customers. CenturyLink and Frontier lost 66,000 and 77,000, respectively. -
Reddit Tells Label It Won't Cough Up IP Address of Prerelease Music Pirate (arstechnica.com)
David Kravets, writing for Ars Technica: Reddit says it won't give Atlantic Records the IP address of a Reddit user who posted a link on the site to a single by Twenty One Pilots a week before the song's planned release. The song, "Heathens," was originally uploaded on June 15 to the file-sharing site Dropfile. That same day, the file landed on Reddit. According to a lawsuit (PDF) in New York State Supreme Court, the file was posted to the Twenty One Pilots subreddit with the title "[Leak] New Song -- 'Heathens'." The poster submitted the link under the username "twentyoneheathens," according to Atlantic. Atlantic and its subsidiary label, Fueled by Ramen, want the IP address of the Reddit leaker. The company said the file fell victim to "widespread distribution" on the Internet, so the company released the single June 16, a week ahead of schedule; the label also said the early release hindered a planned rollout on Spotify, iTunes, and other platforms. Atlantic says the leaker must be an Atlantic employee who was contractually obligated not to leak the track, which is featured in the movie Suicide Squad that debuted earlier this month. Reddit, however, said that Atlantic "has failed to show that its claims are meritorious." Reddit claims Atlantic has embarked on "an impermissible fishing expedition." -
Billionaire Launches Free Code College in California (arstechnica.com)
Xavier Niel is the billionaire founder of France's second-largest ISP. In February he bought a former campus from DeVry University and tried building something better. Slashdot reader bheerssen writes: 42 US is a free coding school near Facebook's headquarters in Fremont, California. The courses are boot-camp-like experiences that do not offer traditional degrees, but hope to provide programming skills and experience to students for free.
Ars Technica calls it "a radical education experiment" -- even the dorms are free -- and the school's COO describes their ambition to become a place "where individuals from all different kinds of backgrounds, all different kinds of financial backgrounds, can come and have access to this kind of education so that then we can have new kinds of ideas." Students between the ages of 18 and 30 are screened through an online logic test, according to the article, then tossed into a month-long "sink or swim" program that begins with C. "Students spend 12 or more hours per day, six to seven days per week. If they do well, students are invited back to a three- to five-year program with increasing levels of specialty." -
Irish Court Orders Alleged Silk Road Admin To Be Extradited To US (arstechnica.com)
An anonymous reader writes: A 27-year-old Irishman who American prosecutors believe was a top administrator on Silk Road named "Libertas" has been approved for extradition to the United States. According to the Irish Times, a High Court judge ordered Gary Davis to be handed over to American authorities on Friday. In December 2013, federal prosecutors in New York unveiled charges against Davis and two other Silk Road staffers, Andrew Michael Jones ("Inigo") and Peter Phillip Nash ("Samesamebutdifferent"). They were all charged with narcotics trafficking conspiracy, computer hacking conspiracy, and money laundering conspiracy. After a few years of operation, Silk Road itself was shuttered when its creator, Ross Ulbricht, was arrested in San Francisco in October 2013. Ulbricht was convicted at a high-profile trial and was sentenced to life in prison in May 2015. -
US Seizure of Kim Dotcom's Assets Will Stand, Says Appeals Court (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: The 4th Circuit Court of Appeals ruled Friday in favor of the American government's seizure of a large number of Megaupload founder Kim Dotcom's overseas assets. Seized items include millions of dollars in various seized bank accounts in Hong Kong and New Zealand, multiple cars, four jet skis, the Dotcom mansion, several luxury cars, two 108-inch TVs, three 82-inch TVs, a $10,000 watch, and a photograph by Olaf Mueller worth over $100,000. After years of delay, in December 2015, Dotcom was finally ordered to be extradited to the United States to face criminal charges. But his appeal is set to be heard before the High Court in Auckland on August 29. In its court filings, prosecutors argued that because Dotcom had not appeared to face the charges against him in the United States, he is therefore susceptible to "fugitive disentitlement." That legal theory posits that if a defendant has fled the country to evade prosecution, he or she cannot make a claim to the assets that the government wants to seize under civil forfeiture. But as the Dotcom legal team claimed, the U.S. can neither use its legal system to seize assets abroad nor can Dotcom be considered a fugitive if he has never set foot in the United States. However, the 4th Circuit disagreed: "Because the statute must apply to people with no reason to come to the United States other than to face charges, a "sole" or "principal" purpose test cannot stand. The principal reason such a person remains outside the United States will typically be that they live elsewhere. A criminal indictment gives such a person a reason to make the journey, and the statute is aimed at those who resist nevertheless." Civil forfeiture in the United States allows law enforcement to seize one's assets if they are believed to be illegally acquired -- even without filing any criminal charges. -
No Man's Sky Launches On Steam and GOG and It's Off To A Rocky Start (arstechnica.com)
An anonymous reader writes from a report via Ars Technica: No Man's Sky, an indie "video game that promises 18 quintillion planets" from a "small development team," has launched today for Windows PC gamers via Steam or GOG. Unfortunately, the "worldwide simultaneous launch on all kinds of PCs" is off to a rocky start -- as evidenced by the "mostly negative" Steam reviews. Many gamers have complained about frame rate hitches and total system crashes. Ars Technica reports: "Even users with high-end solutions like the GTX 1080 or two GTX 980Ti cards in SLI mode are reporting major stutters -- on a game that runs on a comparatively so-so PS4 console with a mostly consistent 30 FPS refresh. The game's PC version defaults to a 30 FPS cap, which can be disabled in the normal options menus. But with this setting turned on, the game can't help but hitch down to an apparent 20 FPS on a regular basis, not to mention throw up frequent display hitches of half a second at a time. Removing that frame rate cap can get play up to a smooth 60 frames per second, and we enjoyed more consistent frame rates without the cap. But even those frame rates can bounce down to 30 or less at random intervals. The game also suffers from freezing hitches, even without apparent spikes in visible geometry like creatures or spaceships." Ars also mentions that the on-screen prompts don't update the button remapping accordingly. There's been some frustration among PC gamers who have had to learn the hard way that the game's floating-menu interface was built with joysticks in mind. Mouse scroll wheels don't seem to work to scroll through text and between menus, and players are required to hold-to-confirm every menu interaction in the game. What's more is that alt-tabbing out of the game is a "guaranteed crash." For those looking for more information about the game, The Atlantic has a captivating report describing the game as if it were like reading a book. -
Google Play Store Drops Google+ Integration (arstechnica.com)
An anonymous reader writes: The Google Play Store is the latest Google product to drop integration with Google+. The Play Store has dropped Google+ votes from apps and nixed the Google+ account requirement from app reviews, reports Ars Technica. "There was an entire Google+ focused 'People' section on the Play Store that showed apps and ratings from people you follow on Google+. The Play Store also allowed users to '+1' apps on the Play Store, which served as a vote of approval from people you follow. Both features are being stripped out of Google Play, starting earlier this week. The other feature being removed is the requirement to have a Google+ account to leave a Play Store review on apps, games, and media. Several users have reported to Android Police that they can now leave reviews using their regular Google account, where before they were nagged to create a Google+ account." -
New Air-Gap Jumper Covertly Transmits Data in Hard-Drive Sounds (arstechnica.com)
Security researchers have found a new way to siphon data out of an infected computer even when it has been physically disconnected from the Internet -- a so-called "air-gapped" computer -- a measure used to prevent the leakage of the sensitive information it stores, reports ArsTechnica. From the article: The method has been dubbed "DiskFiltration" by its creators because it uses acoustic signals emitted from the hard drive of the air-gapped computer being targeted. It works by manipulating the movements of the hard drive's actuator, which is the mechanical arm that accesses specific parts of a disk platter so heads attached to the actuator can read or write data. By using so-called seek operations that move the actuator in very specific ways, it can generate sounds that transfer passwords, cryptographic keys, and other sensitive data stored on the computer to a nearby microphone. The technique has a range of six feet and a speed of 180 bits per minute, fast enough to steal a 4,096-bit key in about 25 minutes. -
Bleeping Computer Countersues Maker of SpyHunter
An anonymous reader writes: Bleeping Computer, a longstanding popular discussion forum that helps people rid their computers of malware, has now countersued Enigma Software Group (ESG), which makes an antivirus software known as SpyHunter. Bleeping now claims that ESG has been violating Bleeping's trademarks by registering new domain names that include "bleepingcomputer" and posting some of the company's webpage's source code on other websites without its authorization, among other allegations. ESG had sued Bleeping for libel earlier this year over a series of messages that it claims disparaged SpyHunter and the company as a whole. From the filing: Enigma's lawsuit is plainly nothing more than an attempt to bully and censor Bleeping Computer, and to deter anyone who might criticize it -- one more attempt in Enigma's long pattern of threats, intimidation and litigation. Worse, however, is that all the while, Enigma has been engaged in aggressive, secretive, and cowardly attacks against Bleeping Computer, including ripping off Bleeping Computer's content and pretending it was authored by Enigma, repeatedly misusing Bleeping's registered trademark to trade upon its goodwill, and publishing blatantly false claims about Bleeping. As the following allegations demonstrate, Enigma conducts its business in a manner that is illegal, unethical and simply immoral, thereby demonstrating that Quietman7's mildly critical statements about Enigma's product, that so enraged Enigma and led to this lawsuit, pale in comparison to the egregious misconduct Enigma perpetrates on a regular basis. -
A New Wireless Hack Can Unlock Almost Every Volkswagen Sold Since 1995 (arstechnica.com)
Volkswagen isn't having the best of times. Tens of millions of vehicles sold by Volkswagen AG over the past 20 years are vulnerable to theft because their keyless entry systems can be hacked using cheap technical devices, reports Wired (alternate source). Security experts at the University of Birmingham were able to clone VW remote keyless entry controls by eavesdropping nearby when drivers press their key fobs to open or lock up their cars. ArsTechnica reports: The first affects almost every car Volkswagen has sold since 1995, with only the latest Golf-based models in the clear. Led by Flavio Garcia at the University of Birmingham in the UK, the group of hackers reverse-engineered an undisclosed Volkswagen component to extract a cryptographic key value that is common to many of the company's vehicles. Alone, the value won't do anything, but when combined with the unique value encoded on an individual vehicle's remote key fob -- obtained with a little electronic eavesdropping, say -- you have a functional clone that will lock or unlock that car. VW has apparently acknowledged the vulnerability, and Greenberg (writer at Wired) notes that the company uses a number of different shared values, stored on different components. The second affects many more makes, "including Alfa Romeo, Citroen, Fiat, Ford, Mitsubishi, Nissan, Opel, and Peugeot," according to Greenberg. It exploits a much older cryptographic scheme used in key fobs called HiTag2. Again it requires some eavesdropping to capture a series of codes sent out by a remote key fob. Once a few codes had been gathered, the researchers were able to crack the encryption scheme in under a minute. -
Kansas Couple Sues IP Mapping Firm For Turning Their Life Into a 'Digital Hell' (arstechnica.com)
Ever since James and Theresa Arnold moved into their rented 623-acre farm in Butler County, Kansas, in March 2011, they have seen "countless" law enforcement officials and individuals turning up at their farm day and night looking for links to alleged theft and other supposed crime. We covered this story on Slashdot a few months ago. All of these people are arriving because of a rounding error on a GPS location, which wrongly points people to their farm. ArsTechnica adds: In their lawsuit filed against MaxMind, the IP mapping firm, the Arnolds allege: "The following events appeared to originate at the residence and brought trespassers and/or law enforcement to the plaintiffs' home at all hours of the night and day: stolen cars, fraud related to tax returns and bitcoin, stolen credit cards, suicide calls, private investigators, stolen social media accounts, fund raising events, and numerous other events." James Arnold has even been "reported as holding girls at the residence for the purpose of making pornographic films." -
FCC Loses Court Battle To Let Cities Build their Own Broadband (theverge.com)
Jacob Kastrenakes, writing for The Verge: The Federal Communications Commission's plan to let cities build their own broadband networks hit a major roadblock today, as a federal appellate court ruled that the commission was overstepping its authority. The United States Court of Appeals for the Sixth Circuit said today that the FCC is not able to, essentially, remove state laws that prevent the construction of municipal broadband networks, as it attempted to do in Wilson, North Carolina and Chattanooga, Tennessee last year. Both Wilson and Chattanooga had petitioned the FCC for permission to build out their own broadband networks -- a measure some cities are turning to in order to increase competition among internet providers, who often hold regional monopolies and more or less refuse to compete. State laws, however, prevented them from doing so; that's the case in 19 states in total, all of which could have been affected by future FCC orders had the court ruled in its favor. Ars Technica has more details. -
Linux Bug Leaves USA Today, Other Top Sites Vulnerable To Serious Hijacking Attacks (arstechnica.com)
Dan Goodin, reporting for Ars Technica: Computer scientists have discovered a serious Internet vulnerability that allows attackers to terminate connections between virtually any two parties and, if the connections aren't encrypted, inject malicious code or content into the parties' communications. The vulnerability resides in the design and implementation of RFC 5961, a relatively new Internet standard that's intended to prevent certain classes of hacking attacks. In fact, the protocol is designed in a way that it can easily open Internet users to so-called blind off-path attacks, in which hackers anywhere on the Internet can detect when any two parties are communicating over an active transmission control protocol connection. Attackers can go on to exploit the flaw to shut down the connection, inject malicious code or content into unencrypted data streams, and possibly degrade privacy guarantees provided by the Tor anonymity network. At the 25th Usenix Security Symposium on Wednesday, researchers with the University of California at Riverside and the US Army Research Laboratory will demonstrate a proof-of-concept exploit that allows them to inject content into an otherwise legitimate USA Today page that asks viewers to enter their e-mail and passwords. -
US Broadband: Still No ISP Choice For Many, Especially at Higher Speeds (arstechnica.com)
Despite things getting better with adoption -- however slow -- of Google Fiber in several regions of the United States, the broadband market has gotten slightly less competitive since 2013, says a new report from the FCC. The report adds that, as a result, Americans still have little choice of high-speed broadband providers (PDF). From an ArsTechnica report: At the FCC's 25Mbps download/3Mbps upload broadband standard, there are no ISPs at all in 30 percent of developed census blocks and only one offering service that fast in 48 percent of the blocks. About 55 percent of census blocks have no 100Mbps/10Mbps providers, and only about 10 percent have multiple options at that speed. At the 10Mbps/1Mbps threshold -- which captures slower DSL technology in addition to cable and fiber -- about 90 percent of census blocks have at least two providers. These numbers exclude satellite, which is available nearly everywhere but has high latency and often low data caps. Even these numbers overstate the amount of competition, because an ISP might offer service to only part of a census block. The percentage of households with choice is thus even lower. -
Soylent Coffee: Nootropics, Fat, Carbs, Protein -- But Will It Give You The Toots? (arstechnica.com)
An anonymous reader writes from a report via Ars Technica: Soylent has ventured in a new direction with its latest beverage: breakfast. Called Coffiest, the new offering has the same ingredient makeup, nutritional mix, and 47/33/20 percent fat/carb/protein calorie distribution as the 2.0 premixed version, but it also adds coffee flavoring, 150mg of caffeine per serving, and 75mg of the nootropic L-Theanine. According to Soylent founder Rob Rhinehart, a bottle of Coffiest supplies the drinker with about 400 kilocalories and about 20 percent of the daily recommended values for "all essential vitamins and minerals." "A lot of people are skipping breakfast," Rhinehart told Ars in a phone interview. "We wanted to provide a convenient and also really tasty option for them to enjoy in the morning." Additionally, the company will also be releasing a nutrition bar, called the Soylent Bar. This one will deliver 250 kilocalories per bar, and has a macronutrient breakdown of 38/43/19 percent fat/carb/protein. "Coffee flavor is extremely complex," Rhinehart told Ars. "The direction I gave was a little bit of a more darker, richer roast it's a little darker coffee. A little bit of cocoa powder, just a barely perceptible amount, but it rounds out the flavor nicely." "It was a huge challenge to develop a coffee flavor that would survive processing," he continued. "You can't take any risks with health or safety, so we have to eliminate any sources of contamination from the product and that involves heat. So we had some great food scientists and flavor scientists work out a flavor system that combines natural coffee extracts with an artificial flavor system. And it turned out pretty great." As for the toots, neither Coffiest nor the Soylent Bar will cause consumers to erupt with "horse-killing farts," a complaint made by many of Soylent's customers as well as Ars Technica writer Lee Hutchinson. 
For those interested in Soylent's latest concoction, Coffiest is available for purchase today at the Soylent site for about $40 for a pack of 12 servings (or $37.05 with a recurring subscription). The Soylent Bar will launch later for about $2 per bar. You can view Coffiest's nutrition facts here. -
Ad Board To Comcast: Stop Claiming You Have the 'Fastest Internet' (arstechnica.com)
The National Advertising Division (NAD) said on Monday that Comcast should stop claiming that its Xfinity service delivers the "fastest Internet in America," adding that the carrier should also discontinue some ads where it claims to offer the "fastest in-home Wi-Fi." ArsTechnica reports: For its fastest Internet claim, Comcast relied on crowdsourced data from the Ookla Speedtest application. An "award" provided by Ookla to Comcast relied only on the top 10 percent of each ISP's download results. "Although Xfinity offers a variety of speeds at a range of prices and tiers, Comcast's advertising does not limit its claims to a particular tier," the NAD's announcement said. "NAD determined that the claims at issue in both print and broadcast advertising reasonably conveyed a message of overall superiority -- that regardless of which speed tier purchased by a consumer, in a head-to-head comparison, Xfinity would deliver faster speeds." Though one methodology might be reliable for one purpose, "it may not be sufficient substantiation for advertising claims made in a different context," the NAD said. Ookla's methodology "wasn't a good fit for the purposes of substantiating Comcast's overall superior speed performance claim that 'Xfinity delivers the fastest Internet in America,'" the NAD also said. -
Researchers Crack Open Unusually Advanced Malware that Hid For 5 Years (arstechnica.com)
Malware dubbed ProjectSauron went undetected for five years at a string of organizations, according to security researchers at Kaspersky Lab and Symantec. The malware may have been designed by a state-sponsored group. Researchers say that ProjectSauron can disguise itself as benign files and does not operate in predictable ways, making it very tough to detect. Ars Technica reports: Its ability to operate undetected for five years is a testament to its creators, who clearly studied other state-sponsored hacking groups in an attempt to replicate their advances and avoid their mistakes. State-sponsored groups have been responsible for malware like the Stuxnet- or National Security Agency-linked Flame, Duqu, and Regin. Much of ProjectSauron resides solely in computer memory and was written in the form of Binary Large Objects, making it hard to detect using antivirus. Because of the way the software was written, clues left behind by ProjectSauron in so-called software artifacts are unique to each of its targets. That means that clues collected from one infection don't help researchers uncover new infections. Unlike many malware operations that reuse servers, domain names, or IP addresses for command and control channels, the people behind ProjectSauron chose a different one for almost every target. -
UK Copyright Extension On Designed Objects Is 'Direct Assault' On 3D Printing (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: A recent extension of UK copyright for industrially manufactured artistic works represents "a direct assault on the 3D printing revolution," says Pirate Party founder Rick Falkvinge. The UK government last month extended copyright for designs from 25 years to the life of the designer plus 70 years. In practice, this is likely to mean a copyright term of over 100 years for furniture and other designed objects. Writing on the Private Internet Access site, Falkvinge says that the copyright extension will have important consequences for makers in the UK and EU: "This change means that people will be prohibited from using 3D printing and other maker technologies to manufacture such objects, and that for a full century." Falkvinge points out a crucial difference between the previous UK protection for designs, which was based on what are called "design rights" plus a short copyright term, and the situation now, which involves design rights and a much-longer copyright term. With design rights, "you're absolutely and one hundred percent free to make copies of it for your own use with your own tools and materials," Falkvinge writes. "When something is under copyright, you are not. Therefore, this move is a direct assault on the 3D printing revolution." "Moving furniture design from a [design right] to copyright law means that people can and will indeed be prosecuted for manufacturing their own furniture using their own tools," Falkvinge claims. -
CERN Confirms Hints of Hypothetical Particle Have Disappeared (arstechnica.com)
John Timmer, writing for Ars Technica: Toward the end of last year, the people behind the Large Hadron Collider announced that they might have found signs of a new particle. Their evidence came from an analysis of the first high-energy data obtained after the LHC's two general-purpose detectors underwent an extensive upgrade. While the possible new particle didn't produce a signal that reached statistical significance, it did show up in both detectors, raising the hope that the LHC was finally on to some new physics. This week, those hopes have officially been dashed. Physicists used a conference to release their analysis of the flood of data that came out of this year's run. According to their data, the area of the apparent signal is filled by nothing but statistical noise. The search for new particles in data from the LHC starts with a calculation of the sorts of things we should expect to see at a given energy. The Standard Model, which describes particles and forces, can be used to make predictions of the frequency at which specific particles will pop out of collisions, as well as what those particles will decay into. So, for example, the Standard Model might indicate that two electrons should appear in five percent of the collisions that occur at a specific energy. Looking for new particles involves looking for deviations from those predictions. -
Microsoft To Release Two Major Windows 10 Updates Next Year (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: With the Windows 10 Anniversary Update, aka Windows 10 version 1607, released earlier this week, it's time to look forward to what's next. Windows 10 has multiple release tracks to address the needs of its various customer types. The mainstream consumer release, the one that received the Anniversary Update on Tuesday, is dubbed the Current Branch (CB). The Current Branch for Business (CBB) trails the CB by several months, giving it greater time to bed in and receive another few rounds of bug fixing. Currently the CBB is using last year's November Update, version 1511. In about four months, Microsoft plans to bump CBB up to version 1607, putting both CB and CBB on the same major version. [The Long Term Servicing Branch, an Enterprise-only version that will receive security and critical issue support for 10 years, will also be updated.] Going forward, however, the differences between both current branch variants (CB and CBB) and LTSB will become more marked. Microsoft is not planning another major update this year. There will be no equivalent to last year's 1511 release, but Microsoft will have two next year. These are believed to be codenamed Redstone 2 (rs2) and Redstone 3 (rs3), with this week's 1607 release being Redstone 1 (rs1). Current expectation is that rs2 will have a heavy mobile focus and be shipped simultaneously with new Surface branded hardware. -
BlackBerry Enters New Phase Of Patent Monetization, Sues Internet Telephony Firm Avaya (arstechnica.com)
In what can be seen as a turning point for BlackBerry, the iconic Canadian company has filed a patent lawsuit against internet telephony firm Avaya. BlackBerry claims Avaya has infringed eight of its U.S. patents, and that BlackBerry should be paid for its history of innovation going back nearly 20 years. "BlackBerry revolutionized the mobile industry," the company's lawyers said. "BlackBerry... has invented a broad array of new technologies that cover everything from enhanced security and cryptographic techniques, to mobile device user interfaces, to communication servers, and many other areas." From an article on Iam Media: The move comes just over a year since Blackberry announced itself as a major player in the monetisation space with an agreement signed with Cisco, in which the Canadian company not only secured a cross-licensing deal but also "a license fee from Cisco." Another royalty-bearing deal was done with an unnamed company around the same time. Since then, the company has also signed two more deals with Canon and International Game Technology, both of which look to contain a royalties element to them; while in January it emerged that late last year Blackberry had sold a portfolio of patents to investment firm Centerbridge Partners for as much as $50 million. Blackberry CEO John Chen has made clear that he sees the company's patent assets as a key element in his plans. "We have today about 44,000 patents. The good thing about this is that we also have one of the youngest patent portfolios in the entire industry, so monetization of our patents is an important aspect of our turnaround," he told delegates at a summit in Waterloo, Ontario, last September. He was at it again in May during an earnings call with analysts when he stated: "Many people have wanted to buy the patents... But I'm not really in a patent-selling mode, I'm in a patent licensing mode." -
Robocalling Scourge May Not Be Unstoppable After All (arstechnica.com)
Dan Goodin, writing for Ars Technica: New data shows that the majority of robot-enabled scam phone calls came from fewer than 40 call centers, a finding that offers hope the growing menace of robocalls can be stopped. The calls use computers and the Internet to dial thousands of phone numbers every minute and promote fraudulent schemes that promise to lower credit card interest rates, offer loans, and sell home security products, to name just a few of the scams. Over the past decade, robocall complaints have mushroomed, with the Federal Trade Commission often receiving hundreds of thousands of complaints each month. In 2013, the consumer watchdog agency awarded $50,000 to three groups who devised blocking systems that had the potential to help end the scourge. Three years later, however, the robocall problem seems as intractable as ever. On Thursday at the Black Hat security conference in Las Vegas, a researcher said that slightly more than half of more than 1 million robocalls tracked were sent by just 38 telephony infrastructures. The relatively small number of actors offers hope that the phenomenon can be rooted out, by either automatically blocking the call centers or finding ways for law enforcement groups to identify and prosecute the operators. "We know that the majority of robocalls only come from 38 different infrastructures," Aude Marzuoli, research scientist at a company called Pindrop Labs, told Ars. "It's not as if there are thousands of people out there doing this. If you can catch this small number of bad actors we can stop the problem." -
US Copyright Office Sides With Cable Companies Against FCC's Set Top Rules (arstechnica.com)
An anonymous reader writes: The United States Copyright Office has sided with cable companies in their fight against a Federal Communications Commission plan to boost competition in the TV set-top box market. The FCC proposal would force pay-TV providers to make channels and on-demand content available to third parties, who could then build their own devices and apps that could replace rented set-top boxes. Comcast and other cable companies complain that this will open the door to copyright violations, and US Register of Copyrights Maria Pallante agrees with them. The Copyright Office provided advice to the FCC at the FCC's request, and Pallante yesterday detailed the concerns her office raised in a letter to members of Congress who asked her to weigh in. "In its most basic form, the rule contemplated by the FCC would seem to take a valuable good -- bundled video programming created through private effort and agreement under the protections of the Copyright Act -- and deliver it to third parties who are not in privity with the copyright owners, but who may nevertheless exploit the content for profit," Pallante wrote. "Under the Proposed Rule, this would be accomplished without compensation to the creators or licensees of the copyrighted programming, and without requiring the third party to adhere to agreed-upon license terms." There are already "third-party set-top box devices, mainly produced overseas, that are used to view pirated content delivered over the Internet," and the FCC's plan could expand the market to include devices "designed to exploit the more readily available [cable TV] programming streams without adhering to the prescribed security measures," Pallante wrote. Cable companies are willing to pledge an industry-wide commitment, but have expressed no desire to give up control over the UI. -
Australian Census Stirs Up Storm of Privacy Concerns (buzzfeed.com)
An anonymous reader writes: Next week over 20 million Australians will take part in a mandatory government census. While such data-gathering exercises are usually uncontroversial, some significant changes to the process of collecting the 2016 data -- and in particular the way in which personally-identifying information will be retained for long periods (possibly indefinitely) -- have left many privacy advocates and others calling for a mass boycott. The Australian government's response has been to try to calm fears by promising that it will secure the census data, keep personally identifying data separate from statistical data, and only use each in a responsible way. It has, at the same time, reminded Australian citizens that the fines for non-participation in the census have recently been radically increased (now $1800 for failure to submit a form; or $180/day for late submissions). Further reading: Australians threaten to take leave of their census. -
New Attack Steals SSNs, E-mail Addresses, and More From HTTPS Pages (arstechnica.com)
Security researchers at KU Leuven have discovered an attack technique, dubbed HEIST (HTTP Encrypted Information can be Stolen Through TCP-Windows), which can exploit an encrypted website using only a JavaScript file hidden in a maliciously crafted ad or page. ArsTechnica reports: Once attackers know the size of an encrypted response, they are free to use one of two previously devised exploits to ferret out the plaintext contained inside it. Both the BREACH and the CRIME exploits are able to decrypt payloads by manipulating the file compression that sites use to make pages load more quickly. HEIST will be demonstrated for the first time on Wednesday at the Black Hat security conference in Las Vegas. "HEIST makes a number of attacks much easier to execute," Tom Van Goethem, one of the researchers who devised the technique, told Ars. "Before, the attacker needed to be in a Man-in-the-Middle position to perform attacks such as CRIME and BREACH. Now, by simply visiting a website owned by a malicious party, you are placing your online security at risk." Using HEIST in combination with BREACH allows attackers to pluck out and decrypt e-mail addresses, social security numbers, and other small pieces of data included in an encrypted response. BREACH achieves this feat by including intelligent guesses -- say, @gmail.com, in the case of an e-mail address -- in an HTTPS request that gets echoed in the response. Because the compression used by just about every website works by eliminating repetitions of text strings, correct guesses result in no appreciable increase in data size while incorrect guesses cause the response to grow larger. -
IBM Creates World's First Artificial Phase-Change Neurons (arstechnica.com)
An anonymous reader writes from a report via Ars Technica: IBM has created the world's first artificial nanoscale stochastic phase-change neurons and has already created and used a population of 500 of them to process a signal in a similar manner as the brain. Ars Technica reports: "Like a biological neuron, IBM's artificial neuron has inputs (dendrites), a neuronal membrane (lipid bilayer) around the spike generator (soma, nucleus), and an output (axon). There's also a back-propagation link from the spike generator back to the inputs, to reinforce the strength of some input spikes. The key difference is in the neuronal membrane. In IBM's neuron, the membrane is replaced with a small square of germanium-antimony-tellurium (GeSbTe or GST). GST, which happens to be the main active ingredient in rewritable optical discs, is a phase-change material. This means it can happily exist in two different phases (in this case crystalline and amorphous), and easily switch between the two, usually by applying heat (by way of laser or electricity). A phase-change material has very different physical properties depending on which phase it's in: in the case of GST, its amorphous phase is an electrical insulator, while the crystalline phase conducts. With the artificial neurons, the square of GST begins life in its amorphous phase. Then, as spikes arrive from the inputs, the GST slowly begins to crystallize. Eventually, the GST crystallizes enough that it becomes conductive -- and voila, electricity flows across the membrane and creates a spike. After an arbitrary refractory period (a resting period where something isn't responsive to stimuli), the GST is reset back to its amorphous phase and the process begins again." The research has been published via the journal Nature. -
Frequent Password Changes Are the Enemy Of Security, FTC Technologist Says (arstechnica.com)
Though changing passwords often might seem like a good security practice, in reality, that isn't the case, says Carnegie Mellon University professor Lorrie Cranor. Earlier this year, when the Federal Trade Commission tweeted that people should "encourage" their loved ones to "change passwords often," Cranor wasted no time challenging it. From ArsTechnica's story: The reasoning behind the advice [of changing passwords often] is that an organization's network may have attackers inside who have yet to be discovered. Frequent password changes lock them out. But to a university professor who focuses on security, Cranor found the advice problematic for a couple of reasons. For one, a growing body of research suggests that frequent password changes make security worse. As if repeating advice that's based more on superstition than hard data wasn't bad enough, the tweet was even more annoying because all six of the government passwords she used had to be changed every 60 days. "I saw this tweet and I said, 'Why is it that the FTC is going around telling everyone to change their passwords?'" she said during a keynote speech at the BSides security conference in Las Vegas. "I went to the social media people and asked them that and they said, 'Well, it must be good advice because at the FTC we change our passwords every 60 days.'" Cranor eventually approached the chief information officer and the chief information security officer for the FTC and told them what a growing number of security experts have come to believe. Frequent password changes do little to improve security and very possibly make security worse by encouraging the use of passwords that are more susceptible to cracking. The CIO asked for research that supported this contrarian view, and Cranor was happy to provide it. The most on-point data comes from a study published in 2010 by researchers from the University of North Carolina at Chapel Hill.
Clerk Printed Lottery Tickets She Didn't Pay For But Didn't Break Hacking Law (arstechnica.com)
Violating a company rule is not -- and should not be -- a computer crime. That was the ruling of the Oregon Supreme Court in State v. Nascimento. Oregon's highest court ruled that while a convenience store clerk was guilty of stealing lottery tickets through the store's computer system, she did not violate the state's anti-hacking law while doing so. ArsTechnica shares more details: The Electronic Frontier Foundation, which appeared on Caryn Nascimento's behalf during the case as an amicus curiae (friend of the court), announced the narrow victory on Tuesday. According to the Supreme Court's decision, the case dates back to 2007, when Nascimento began working at Tiger Mart, a small convenience store in Madras, Oregon, about 120 miles southeast of Portland. In late 2008 and early 2009, a company vice president began investigating what appeared to be cash shortages at that store, sometimes about $1,000 per day. After reviewing video recordings that correlated with Nascimento's work schedule, this executive began to suspect that she was buying lottery tickets but not paying for them. Eventually, Nascimento was charged not only with aggravated first-degree theft but also with violating the state's computer crime law, which includes language that "any person who knowingly and without authorization uses, accesses or attempts to access any computer, computer system, computer network, or any computer software, program, documentation or data contained in such computer, computer system or computer network, commits computer crime." She was convicted on both charges at trial. On appeal before the Oregon Supreme Court, Nascimento's lawyers argued that while their client may have violated a company policy to not print lottery tickets that she did not receive payment for, she was, in fact, authorized to access the lottery printing computer.
One Year Later: Windows 10 Now Runs On Over 21% of All Desktops (winbeta.org)
An anonymous reader writes: On June 29, Microsoft announced that Windows 10 was running on 350 million devices -- 50 million more devices than the previous milestone announced by Microsoft on May 5. While the company is expected to update the number of devices running the latest OS when it releases the Windows 10 Anniversary Update on August 2nd, NetMarketShare has decided to conduct some research on its own. According to its report, Windows 10 currently runs on a 21.13% desktop OS share. Meanwhile, Windows 7 continues to dominate the market with a 47.01% share, with Windows 8 and Windows 8.1 representing less than 10% of the PC market, and Windows XP representing 10.34%. While the market share of Windows 10 is all but certain to rise, it likely won't rise as fast as it did between May and June or June and July for example, as Windows 10 is no longer offered as a free upgrade for PCs running Windows 7 or Windows 8. Microsoft has even backtracked on its original statement that Windows 10 will hit one billion devices by mid-2018, saying last month that Windows 10 likely won't in fact make that deadline.
FCC Requires TP-Link To Support Open Source Router Firmware
An anonymous reader writes: Earlier today, the FCC reached a settlement with TP-Link over Wi-Fi router interference. Most of the agreement was routine, addressing compliance with radio emission rules.
But the FCC also did something unprecedented. It required TP-Link to support open source firmware on its routers. You might recall that, last year, the FCC caused a ruckus when it mistakenly suggested it was banning open source router firmware. In fact, the FCC only required that router vendors implement protections for specific radio emission parameters. But the FCC didn't work with router vendors in advance to maintain open source compatibility, resulting in certain vendors (including TP-Link) trying to lock down their routers.
The FCC eventually issued a clarification, but the damage was done. Only recently have a couple of router vendors (Linksys and Asus) affirmed that they will continue to support open source firmware.
Today's settlement is a milestone for the FCC. The agency is finally doing something, with deeds and not just words, to demonstrate its support for the open source community. It would be better if the agency hadn't created this mess, but they deserve serious credit for working so hard to fix it.
Dark Patterns Across the Web Are Designed To Trick You
An anonymous reader writes from a report via Ars Technica: Harry Brignull has posted a 30-minute video documenting dark patterns, deliberately confusing or deceptive user interfaces (not exclusive to the internet) that trick users into setting up recurring payments, purchasing items added to a shopping cart, or spamming all contacts through pre-checked forms on Facebook games, for example. Basically, they're tactics used by online services to get users to do things they wouldn't normally do. Yael Grauer has written an in-depth report on Ars Technica about dark patterns, where he discusses Brignull's work with UX designers and business executives: "Klein [Principal at Users Known and author of UX for Lean Startups] believes many of the worst dark patterns are pushed by businesses, not by designers. 'It's often pro-business at the expense of the users, and the designers often see themselves as the defender or advocate of the user,' she explained. And although Brignull has never been explicitly asked to design dark patterns himself, he said he has been in situations where using them would be an easy solution -- like when a client or boss says they really need a large list of people who have opted in to marketing e-mails. 'The first and easiest trick to have an opt-in is to have a pre-ticked checkbox, but then you can just get rid of that entirely and hide it in the terms and conditions and say that by registering you're going to be opted in to our e-mails,' Brignull said. 'Then you have a 100-percent sign-up rate and you've exceeded your goals. I kind of understand why people do it. If you're only thinking about the numbers and you're just trying to juice the stats, then it's not surprising in the slightest.'
'There's this logical positivist mindset that the only things that have value are those things that can be measured and can empirically be shown to be true, and while that has its merits it also takes us down a pretty dark place,' said digital product designer Cennydd Bowles, who is researching ethical design. 'We start to look at ethics as pure utilitarianism, whatever benefits the most people. Yikes, it has problems.'" Brignull's website has a number of examples of deliberately confusing or deceptive user interfaces.
AT&T Violated Rule Requiring Low Prices For Schools, FCC Says (arstechnica.com)
Jon Brodkin, reporting for Ars Technica: AT&T overcharged two Florida school districts for phone service and should have to pay about $170,000 to the U.S. government to settle the allegations, the Federal Communications Commission said yesterday. AT&T disputes the charges and will contest the decision. The FCC issued a Notice of Apparent Liability (NAL) to AT&T, an initial step toward enforcing the proposed punishment. The alleged overcharges relate to the FCC's E-Rate program, which funds telecommunications for schools and libraries and is paid for by Americans through surcharges on phone bills. The FCC said AT&T should have to repay $63,760 it improperly received from the FCC in subsidies for phone service provided to Orange and Dixie Counties and pay an additional fine of $106,425. The prices AT&T charged the districts were almost 400 percent higher than they should have been, according to the FCC. AT&T violated the FCC's "lowest corresponding price rule" designed to ensure that schools and libraries "get the best rates available by prohibiting E-Rate service providers from charging them more than the lowest price paid by other similarly situated customers for similar telecommunications services," the FCC said. Instead of charging the lowest available price, "AT&T charged the school districts prices for telephone service that were magnitudes higher than many other customers in Florida," the FCC said. Between 2012 and 2015, the school districts paid "some of the highest prices in the state... for basic telephone services."