Domain: softpedia.com
Stories and comments across the archive that link to softpedia.com.
Stories · 480
-
Linux Kernel 4.7 Reaches End of Life, Users Urged To Move To Linux 4.8 (softpedia.com)
prisoninmate writes: The Linux 4.7 kernel branch officially reached end of life, and it has already been marked as EOL on the kernel.org website, which means that the Linux kernel 4.7.10 maintenance update is the last one that will be released for this branch. It also means that you need to either update your system to the Linux 4.7.10 kernel release or move to a more recent kernel branch, such as Linux 4.8. In related news, Linux kernel 4.8.4 is now the latest stable and most advanced kernel version, which is already available for users of the Solus and Arch Linux operating systems, and it's coming soon to other GNU/Linux distributions powered by a kernel from the Linux 4.8 series. Users are urged to update their systems as soon as possible. -
Researchers Bypass ASLR Protection On Intel Haswell CPUs (softpedia.com)
An anonymous reader writes: "A team of scientists from two U.S. universities has devised a method of bypassing ASLR (Address Space Layout Randomization) protection by taking advantage of the BTB (Branch Target Buffer), a component included in many modern CPU architectures, including Intel Haswell CPUs, the processor they used for tests in their research," reports Softpedia. The researchers discovered that by blasting the BTB with random data, they could run a successful collision attack that reveals the memory locations where apps execute code in the computer's memory -- the very thing that ASLR protection was meant to hide. While during their tests they used a Linux PC with an Intel Haswell CPU, researchers said the attack can be ported to other CPU architectures and operating systems where ASLR is deployed, such as Android, iOS, macOS, and Windows. From start to finish, the collision attack only takes 60 milliseconds, meaning it can be embedded with malware or any other digital forensics tool and run without needing hours of intense CPU processing. You can read the research paper, titled "Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR," here. -
1 In 2 Samsung Galaxy Note 7 Owners To Switch To iPhone 7, Says Analyst (softpedia.com)
Branding Brand recently conducted a post-recall study asking Samsung Galaxy Note 7 users which smartphones they would consider upgrading to. While 40 percent of them said they are ready to jump ship to a different manufacturer, 30 percent of respondents said they are likely going to be switching to the iPhone. However, according to one analyst, that number could be even higher. Softpedia reports: KGI analyst Ming-Chi Kuo said in a note to investors that approximately 50 percent of those who ordered a Note 7 are now very likely to go for an iPhone 7, as customer trust is collapsing in the Samsung ecosystem and all these buyers are no longer planning to stick with phones manufactured by the South Korean firm. Between 5 and 7 million Note 7 orders are likely to transfer to Apple, the analyst says, and the iPhone 7 Plus is expected to be the main model benefitting from this transition. Other Android phone manufacturers, including Huawei, are also likely to benefit from Samsung's fiasco, and Google itself could also record an increase in Pixel sales following the Note 7 demise. But Apple will certainly take the lion's share here, mostly thanks to the iPhone 7 Plus currently being positioned as a direct rival to the Note 7. -
The Linux Foundation Helps Launch the JS Foundation (softpedia.com)
An anonymous reader writes from a report via Softpedia: Today, the Linux Foundation announced the creation of a new entity named the JS Foundation that will serve as an umbrella project and guiding force for various open-source utilities at the heart of the JavaScript ecosystem. The JS Foundation is actually the jQuery Foundation, which was expanded with the help of companies such as IBM and Samsung. With jQuery slowly bowing out to newer tools, the jQuery Foundation's members and their unmatched expertise will most likely be put to good use in managing the slew of new tools making up today's JavaScript landscape. The list of JS Foundation founding members includes Bocoup, IBM, Ripple, Samsung, Sauce Labs, Sense Tecnic Systems, SitePen, StackPath, University of Westminster and WebsiteSetup. In alphabetical order, the JS Foundation's initial projects are Appium, Chassis, Dojo Toolkit, ESLint, Esprima, Globalize, Grunt, Interledger.js, Intern, Jed, JerryScript, jQuery, jQuery Mobile, jQuery UI, Lodash, Mocha, Moment, Node-RED, PEP, QUnit, RequireJS, Sizzle, and webpack. "Using jQuery can constitute the use of a sledgehammer for putting small nails into an Ikea TV stand; however, as a piece of engineering, it really is a thing of beauty," says A. M. Douglas, British freelance web developer. "[T]he word 'jQuery' has become synonymous with 'JavaScript' for many. As of today, jQuery's days as a relevant tool are indeed numbered, but I think jQuery's source code will always have relevance, as it is a brilliant example to study for anybody seeking to learn and master JavaScript," Douglas also adds. -
Android Trojan Asks Victims To Submit a Selfie Holding Their ID Card (softpedia.com)
An anonymous reader writes from a report via Softpedia: Untrained and gullible Android users are now the target of an Android banking trojan that asks them to send a selfie holding their ID card. The trojan, considered the most sophisticated Android trojan known today, is named Acecard, and this most recent version has been detected only in Hong Kong and Singapore for now. The purpose of requiring a selfie of the victim holding his/her ID card is for the crook to prove himself when making fraudulent bank transactions, calling tech support posing as the victim, or for taking over social media accounts for Facebook or Twitter, which often require ID scans in the case of account takeover disputes. The report adds: "A previous version of the Acecard trojan hid inside a Black Jack game delivered via the official Google Play Store. In the most recent version of this threat, security experts from McAfee have found a new version of the Acecard trojan hidden inside all sorts of apps that pose as Adobe Flash Player, pornographic apps, or video codecs. All of these apps are distributed outside of the Play Store and constantly pester users with permission requirement screens until they get what they want, which is administrator rights. Once this step is achieved, the trojan lies in hiding until the user opens a specific app. McAfee experts found that when the user opens the Google Play app, the trojan springs a new social engineering trap." -
KDE Turns 20, Happy Birthday! (softpedia.com)
prisoninmate writes from Softpedia: Can you believe it's been 20 years since the KDE (Kool Desktop Environment) was announced on the 14th of October, 1996, by project founder Matthias Ettrich? Well, it has, and today we'd like to say a happy 20th birthday to KDE! "On October 14, KDE celebrates its 20th birthday. The project that started as a desktop environment for Unix systems, today is a community that incubates ideas and projects which go far beyond desktop technologies. Your support is very important for our community to remain active and strong," reads the timeline page prepared by the KDE project for this event. Feel free to share your KDE experiences in a comment below! You can read the announcement "that started the revolution of the modern Linux desktop," as well as view the timeline "prepared by the KDE team for this unique occasion." -
Android Devices That Contain Foxconn Firmware May Have a Secret Backdoor (softpedia.com)
An anonymous reader writes from a report via Softpedia: Some Android devices that contain firmware created by Foxconn may be vulnerable via a debugging feature left inside the bootloader, which acts as a backdoor and bypasses authentication procedures for any intruder with USB access to a vulnerable phone. By sending the "reboot-ftm" command to Android devices that contain Foxconn firmware, an attacker would authenticate via USB, and boot the device, running as root with SELinux disabled. There isn't a list of affected devices available yet, but Jon Sawyer, the researcher who discovered this hidden command, provides instructions on how to detect if a phone is affected. "Due to the ability to get a root shell on a password protected or encrypted device, Pork Explosion would be of value for forensic data extraction, brute forcing encryption keys, or unlocking the boot loader of a device without resetting user data. Phone vendors were unaware this backdoor has been placed into their products," Sawyer says. -
AVTECH Shuns Security Firm and Leaves All Products Vulnerable Without a Patch (softpedia.com)
An anonymous reader writes: AVTECH, a Taiwanese CCTV equipment manufacturer, has failed to respond to Search-Lab, a Hungarian security firm, which spent more than a year trying to inform the company about 14 security bugs affecting the firmware of ALL its products. Almost a year after it first contacted the hardware maker, Search-Lab published a public advisory about the vulnerabilities it discovered, warning sysadmins that their AVTECH products may be in danger of exploitation and remote takeover. Search-Lab says its researchers are not the only ones that spotted these issues. Currently, the term "AVTECH" is the second most popular search term on Shodan, where anyone can find more than 130,000 of these devices available online. Taking into account the recent attacks from IoT botnets, AVTECH is now on the same level of incompetence and indifference as other CCTV hardware makers such as AVer, Dahua, and TVT, all Chinese and Taiwanese companies. A list of confirmed affected firmware versions is available here, proof of concept exploitation code is available on GitHub, and an exploitation video is available here. -
Fedora 25 Beta Released With GNOME 3.22 and Linux Kernel 4.8.1
Reader prisoninmate writes: The Fedora Project released the Beta milestone of the upcoming Fedora 25 Linux operating system, due for release in mid-November. Powered by Linux kernel 4.8.1, the Fedora 25 Beta is shipping with the recently released GNOME 3.22 desktop environment, which is enabled by default on top of a Wayland 1.12 session for the Workstation Edition. Of course, you'll also find the latest software versions, including the LibreOffice 5.2.2 office suite, Flatpak 0.6.12, Mozilla Firefox 49.0 web browser, and LibVirt 2.2.0. Additionally, users will find the Mesa 12.0.3 3D Graphics Library for better and faster graphics support, OpenSSH 7.3p1 and OpenSSL 1.0.2j for improved security, Python 3.5.2, Samba 4.5.0, systemd 231, TigerVNC 1.7.0, and the latest Git snapshot of the upcoming X.Org Server 1.19.0 display server. Fedora 25 Beta Workstation is available for download now. -
New Project Lets You Install Arch Linux In the Windows Subsystem For Linux
prisoninmate writes: Softpedia reports that there's a new project on GitHub, called alwsl, which promises to let you install the Arch Linux operating system on Windows 10's new WSL (Windows Subsystem for Linux) feature, which allows users to run native Linux command-line tools directly on the Windows operating system alongside their modern desktop and apps. For example, Canonical and Microsoft brought Bash on Ubuntu on Windows using the new WSL functionality. For now, the alwsl project, which is developed by a group of German developers that call themselves "Turbo Developers," offers a .bat file that you can use to install Arch Linux on a WSL (Windows Subsystem for Linux) host, but the software is in developer preview stage. The first stable release, alwsl 1.0, will be able not only to install Arch Linux on the Windows Subsystem for Linux host in Windows 10 editions that support it, but also to create and manage users and snapshots. Also, it looks like it will get rolling upgrades just like a normal Arch Linux installation gets. The final release is expected to launch in December 2016, and you can monitor its development progress on GitHub. -
BadKernel Vulnerability Affects One In 16 Android Smartphones (softpedia.com)
An anonymous reader writes from a report via Softpedia: A security bug in Google's V8 JavaScript engine is indirectly affecting around one in 16 Android devices, impacting smartphone models from all major vendors, such as LG, Samsung, Motorola, and Huawei. Despite this bug being public for more than a year, only in August 2016 did Chinese security researchers discover that the V8 issue also affected a whole range of Android-related products where the older V8 engine versions had been deployed. Affected products included Google Chrome Mobile, Opera Mobile, apps that use the WebView component (Gmail, Facebook, Twitter, WeChat, etc.) and apps that deploy the Tencent X5.SDK (a bunch of Chinese apps). It is estimated that around one in 16 Android devices is vulnerable to this issue, nicknamed BadKernel. The flaw leads to an RCE on Android devices, allowing attackers to take full control over one's smartphone. Despite BadKernel being discovered in August 2016, because all research was only published in Chinese, most E.U. and U.S. users have no clue they might be affected. One of the best ways to protect yourself, as noted in the report, is to keep your apps and operating system updated. You can view this list via Trustlook's website to see if your device is affected. There's also a dedicated BadKernel security scanner you can download from the Play Store to check for the vulnerability. -
KDE Plasma 5.8 LTS Desktop Officially Released (softpedia.com)
prisoninmate writes from a report via Softpedia: KDE will celebrate 20 years of activity on October 14, 2016, and they've just released the first LTS (Long Term Support) version of the KDE Plasma desktop environment. Prominent new features of KDE Plasma 5.8 LTS include support for desktop widgets, a new system-wide search functionality that promises to let users easily search their KDE desktops for everything they want, including apps, music, videos, files, folders, etc., a new tool to get hot new stuff for your KDE Plasma desktop, such as wallpapers, widgets, desktop effects, or window styles, and infinite customization possibilities. Moreover, KDE Plasma 5.8 LTS comes with a unified look for the default Breeze theme so that, no matter what type of application you're using (Qt4, GTK2, GTK3, or Qt5), it will look the same, mobile phone notifications, along with the ability to use your smartphone as a PC remote, transfer files or mute music during calls, all with the new KDE Connect plasmoid. There's also Right-to-Left (RTL) language support, simplified global shortcuts, improvements to many applets, and much better Wayland support. KDE Plasma 5.8 LTS will receive nine point releases until 2018. "Today KDE releases its first Long Term Support edition of its flagship desktop software, Plasma," reads the announcement. "This marks the point where the developers and designers are happy to recommend Plasma for the widest possible audience be they enterprise or non-techy home users. If you tried a KDE desktop previously and have moved away, now is the time to re-assess, Plasma is simple by default, powerful when needed." -
CloudFlare Working On New System That Removes CAPTCHAs For Tor Users (softpedia.com)
Tor users have long criticized CloudFlare for annoying CAPTCHAs, but it appears the CDN provider is finally working on a fix. An anonymous reader writes: CloudFlare is working on a new system called "Challenge Bypass Specification," which it wants to deploy as a Tor Browser extension and replace the CAPTCHAs Tor users see when trying to access a website protected by CloudFlare. This new system will have users solve one CAPTCHA at the beginning and after that, the browser extension will use nonces (one-time authentication tokens) to prove the user's real identity before accessing a CloudFlare-protected site. -
Linus Torvalds Officially Announces the Release of Linux Kernel 4.8 (softpedia.com)
Slashdot reader prisoninmate brings news from Softpedia: Today, Linus Torvalds proudly announced the release and availability for download of the Linux 4.8 kernel branch, which is now the latest stable and most advanced one. Linux kernel 4.8 has been in development for the past two months, during which it received no less than eight Release Candidate testing versions that early adopters were able to compile and install on their GNU/Linux operating system to test various hardware components or simply report bugs...
A lot of things have been fixed since last week's RC8 milestone, among which we can mention lots of updated drivers, in particular for GPU, networking, and Non-Volatile Dual In-line Memory Module (NVDIMM), a bunch of improvements to the ARM, MIPS, SPARC, and x86 hardware architectures, updates to the networking stack, as well as to a few filesystems, and some minor changes to cgroup and vm.
The kernel now supports the Raspberry Pi 3 SoC as well as the Microsoft Surface 3 touchscreen. -
Chromification Continues: Firefox May Use Chrome's PDF and Flash Plugins (softpedia.com)
An anonymous reader writes: Mozilla announced today Project Mortar, an initiative to explore the possibility of deploying alternative technologies in Firefox to replace its internal implementations. The project's first two goals are to test two Chrome plugins within the Firefox codebase. These are PDFium, the Chrome plugin for viewing PDF files, and Pepper Flash, Google's custom implementation of Adobe Flash. The decision comes as Mozilla is trying to cut down development costs, after Firefox took a nose dive in market share this year. "In order to enable stronger focus on advancing the Web and to reduce the complexity and long term maintenance cost of Firefox, and as part of our strategy to remove generic plugin support, we are launching Project Mortar," said Johnny Stenback, Senior Director Of Engineering at Mozilla Corporation. "Project Mortar seeks to reduce the time Mozilla spends on technologies that are required to provide a complete web browsing experience, but are not a core piece of the Web platform," Stenback adds. "We will be looking for opportunities to replace such technologies with other existing alternatives, including implementations by other browser vendors." -
Raspberry Pi Foundation Unveils New LXDE-Based Desktop For Raspbian Called PIXEL (softpedia.com)
Raspberry Pi Foundation's Simon Long has unveiled a new desktop environment for the Debian-based Raspbian GNU/Linux operating system for Raspberry Pi devices. From a Softpedia report (submitted by an anonymous reader): Until today, Raspbian shipped with the well-known and lightweight LXDE desktop environment, which looks pretty much the same as on any other Linux-based distribution out there that is built around LXDE (Lightweight X11 Desktop Environment). But Simon Long, a UX engineer working for Raspberry Pi Foundation, was hired to make it better, transform it into something that's more appealing to users. So after two years of work, he managed to create a whole new desktop environment for Raspbian, the flagship operating system for Raspberry Pi single-board computers developed and distributed by Raspberry Pi Foundation. Called PIXEL, the new Raspbian desktop offers a more eye-candy design with the panel on top (not on the bottom like on a default LXDE setup), new icons, new Applications Menu, and new theme. "It's actually surprisingly easy to hack about with the LXDE desktop once you get your head around what all the bits do, and since then I've been slowly chipping away at the bits that I felt would most benefit from tweaking," reveals Simon Long. "Stuff has slowly been becoming more and more like my original concept for the desktop; with the latest changes, I think the desktop has reached the point where it's a complete product in its own right and should have its own name." -
Hacker Who Aided ISIS Gets 20 Years In Prison (softpedia.com)
An anonymous reader quotes a report from Softpedia: Ardit Ferizi, aka Th3Dir3ctorY, 20, a citizen of Kosovo, will spend 20 years in a U.S. prison for providing material support to ISIS hackers by handing over data for 1,351 U.S. government employees. Ferizi obtained the data by hacking into a U.S. retail company on June 13, 2015. The hacker then filtered the stolen information and put aside records related to government officials, which he later handed over to Junaid Hussain, the then leader of the Islamic State Hacking Division (ISHD). Hussain then uploaded this information online, asking fellow ISIS members to seek out these individuals and execute lone wolf attacks. Because of this leak, the U.S. Army targeted and killed Hussain in a drone strike in Syria in August 2015. Before helping ISIS, Ferizi had a prodigious hacking career as the leader of Kosova Hacker's Security (KHS) hacking crew. He was arrested on October 6, 2015, at the international airport in Kuala Lumpur, Malaysia, while trying to catch a flight back to Kosovo. Ferizi was in Kuala Lumpur studying computer science. -
W3C Set To Publish HTML 5.1, Work Already Started On HTML 5.2 (softpedia.com)
An anonymous reader quotes a report from Softpedia: Members of the World Wide Web Consortium (W3C) are getting ready to launch the HTML 5.1 specification and have already started work on the upcoming HTML 5.2 version since mid-August. The HTML 5.1 standard has been promoted from a "Release Candidate" to a "Proposed Recommendation," the last step before it becomes a "W3C Recommendation," and officially replaces HTML 5 as the current HTML standard. As a Proposed Recommendation, HTML 5.1 is practically locked against major changes, and outside small tweaks here and there, we are currently looking at a 99.99 percent version of the upcoming HTML 5.1 standard. The vote to promote HTML 5.1 from RC to PR was approved in unanimity, a clear sign that major browser makers have reached a general consensus on what the standard should look like, and what they should be implementing in their browsers in upcoming versions. You can read more on HTML 5.1 here, the changes and support table here, and the HTML 5.2 specification draft here. -
GNOME 3.22 Desktop Environment Officially Released (softpedia.com)
Reader prisoninmate writes: Today, September 21, is a big day for Linux users, especially those who love the GNOME desktop environment, as the next major release is now officially available. Yes, that's right, we're talking about GNOME 3.22, dubbed Karlsruhe after the German host city of the annual GUADEC (GNOME Users And Developers European Conference) event, which took place last month between August 12-14, 2016. Prominent features of the GNOME 3.22 desktop environment include batch rename functionality and support for integration of compressed files built directly into the Nautilus file manager, a new Week View, support for alarms, and the ability to drag and drop events to the GNOME Calendar, as well as an updated GNOME Music app that supports handling of music libraries with thousands of tracks. There are lots of improvements for the GNOME Games app as well, as it now offers support for numerous retro gaming consoles. Among other improvements, we can mention Flatpak integration, photo sharing, revamped GNOME Software app with support for firmware updates, redesigned keyboard settings and a brand new GNOME Control Center panel, and a redesigned dconf Editor. A video overview of the new features of GNOME 3.22 is available on the official website. -
Run Android 6.0 Marshmallow on Your PC With Android-x86 6.0 (softpedia.com)
This week saw the first stable release of Android-x86 6.0 (marshmallow-x86) -- and a new version of Remix OS for PC, a PC-optimized version of Android. Slashdot reader prisoninmate quotes Softpedia: Android-x86 6.0 has been in the works since early this year, and it received a total of two RC (Release Candidate) builds during its entire development cycle, one in June and another in August. After joining the Remix OS team, Chih-Wei Huang now has all the reasons to update and improve his Android-x86 system for the latest Android releases. Therefore, as you might have guessed already, Android-x86 6.0 is the first stable version of the project to be based on Google's Linux kernel-based Android 6.0 Marshmallow mobile operating system, and includes the most recent AOSP (Android Open Source Project) security updates too.
Under the hood, Android-x86 6.0 is using the long-term supported Linux 4.4.20 kernel with an updated graphics stack based on Mesa 12.0.2 3D Graphics Library, and offers support for Samsung's F2FS file system for SSD drives, better Wi-Fi support after resume and suspend, and initial HDMI audio support. -
Over 500K People Have Installed a Pokemon Go-Related App That Roots and Hijacks Android Devices (softpedia.com)
An anonymous reader writes: Over 500,000 people have downloaded an Android app called "Guide for Pokemon Go" that roots the devices in order to deliver ads and installs apps without the user's knowledge. Researchers that analyzed the malware said it contained multiple defenses that made reverse-engineering very difficult -- some of the most advanced they've seen -- which explains why it managed to fool Google's security scanner and end up on the official Play Store. The exploits contained in the app's rooting functions were able to root any Android released between 2012 and 2015. The trojan found inside the app was also found in nine other apps, affecting another 100,000 users. The crook behind this trojan was obviously riding various popularity waves, packing his malware in clones for whatever app or game is popular at one particular point in time. -
Microsoft Fixes Bugs in Skype for Linux (softpedia.com)
After neglecting Linux's Skype client for years, Microsoft released a new app of Skype for Linux in July, giving comfort to millions of users. The app, however, had a fair share of bugs. Microsoft today has updated the app to iron out those bugs, and introduced a handful of interesting options. An anonymous reader writes: There were plenty of users who complained that Skype for Linux was reconnecting automatically when not using the app for a certain amount of time and Microsoft has already acknowledged the bug. This new version fixes the problem, so everything should work correctly after updating. Additionally, Skype for Linux 1.7 introduces a new grid layout of the group calls, but also fixes the standard behavior of unread messages. According to Microsoft, this means that "when opening chat with unread messages, the view will focus on the first unread message and as you scroll, messages will be marked as read." -
Firefox 49 Postponed One Week Due To Unexpected Bugs (softpedia.com)
An anonymous Slashdot reader quotes Softpedia: Mozilla has announced this week that it is delaying the release of Firefox 49 for one week to address two unexpected bugs. Firefox 49, which was set for release on Tuesday, September 13, will now launch the following Tuesday, on September 20... Firefox 49 is an important release in Mozilla's grand scheme of things when it comes to Firefox. This is the version when Mozilla will finish multi-process support rollout (a.k.a. e10s, or Electrolysis), and the version when Firefox launches the new WebExtensions API that replaces the old Add-ons API, making Firefox compatible with Chromium extensions.
Firefox's release manager explained the delays as "two blocking issues and the need for a bit more time to evaluate the results of their fixes/backouts" -- one of which apparently involves opening Giphy GIFS on Twitter. -
Linux Kernel 3.14 Series Has Reached End of Life (softpedia.com)
Slashdot reader prisoninmate quotes an article on Softpedia: It looks like the Linux kernel maintainers decided that there's no need to maintain the Linux kernel 3.14 LTS series anymore, so earlier today, September 11, 2016, they decided to release the last maintenance update, version 3.14.79, and mark the series as EOL (End of Life). Famous Linux kernel maintainer Greg Kroah-Hartman was the one to make the big announcement, and he's urging users who want to still run a long-term supported kernel version to move to the Linux 4.4 LTS series, which is currently the most advanced LTS branch, or use the latest stable release, Linux kernel 4.7.3...
Linux kernel 3.14.79 is a very small update that changes a total of 12 files, with 45 insertions and 17 deletions, thus fixing a bug in the EXT4 file system, a networking issue related to the Reliable Datagram Sockets (RDS) protocol, and updating a few HID, s390, SCSI, networking drivers. -
Malware Infects 70% of Seagate Central NAS Drives, Earns $86,400 (softpedia.com)
An anonymous Slashdot reader writes: A new malware family has infected over 70% of all Seagate Central NAS devices connected to the Internet. The malware, named Miner-C or PhotoMiner, uses these hard-drives as an intermediary point to infect connected PCs and install software that mines for the Monero cryptocurrency... The crooks made over $86,000 from Monero mining so far.
The hard drives are easy to infect because Seagate does not allow users to delete or deactivate a certain "shared" folder when the device is exposed to the Internet. Over 5,000 Seagate Central NAS devices are currently infected.
Researchers estimate the malware is now responsible for 2.5% of all mining activity for the Monero cryptocurrency, according to the article. "The quandary is that Seagate Central owners have no way to protect their device. Turning off the remote access NAS feature can prevent the infection, but also means they lose the ability to access the device from a remote location, one of the reasons they purchased the hard drive in the first place." -
Researcher Gets 20 Days In Prison For Hacking State Websites As Political Stunt (softpedia.com)
An anonymous reader writes from a report via Softpedia: David Levin, 31, of Estero, Florida will spend 20 days in prison after hacking two websites belonging to the Florida state elections department. Levin, a security researcher, tested the security of two Florida state election websites without permission, and then recorded a video and posted it on YouTube. The problem is that the man appearing in the video next to Levin was a candidate for the role of state election supervisor, running for the same position against the incumbent Supervisor of Elections, Sharon Harrington. Harrington reported the video to authorities, who didn't appreciate the media stunt pulled by the two, and charged the security researcher with three hacking-related counts. The researcher turned himself in in May and pleaded guilty to all charges. This week, he received a 20-day prison sentence and two years of probation. In court he admitted to the whole incident being a political stunt. -
Modified USB Ethernet Adapter Can Steal Windows and Mac Credentials (softpedia.com)
An anonymous reader writes from a report via Softpedia: An attacker can use a modified USB Ethernet adapter to fool Windows and Mac computers into giving away their login credentials. The attack relies on using a modified USB Ethernet adapter that runs special software, which tricks the attacked computer into accepting the Ethernet adapter as the network gateway, DNS, and WPAD server. The attack is possible because most computers will automatically install any plug-and-play (PnP) USB device. Even worse, when installing the new (rogue) USB Ethernet adapter, the computer will give out the local credentials needed to install the device. The custom software installed on the USB intercepts these credentials and logs them to an SQLite database. This attack can take around 13 seconds to carry out, and the USB Ethernet adapter can be equipped with an LED that tells the attacker when the login credentials have been stolen. -
'Catastrophic' DDoS Attack Hits Linode Servers Over Labor Day Weekend (softpedia.com)
An anonymous reader writes: A coordinated DDoS attack hit Linode (VPS provider) over the weekend, which the company has described as "catastrophic." The attack targeted the company's Atlanta data center, and was timed for the extended Labor Day weekend when the company had fewer employees on hand to deal with the incident. At the start of the year, after suffering a two-week-long DDoS attack, Linode announced a data breach with attackers accessing some user accounts. The company reset passwords after it detected the intrusions. Linode engineers told customers they were "experiencing a catastrophic DDoS attack which is being spread across hundreds of different IP addresses in rapid succession, making mitigation extremely difficult." The report adds: "During all this time, connectivity to the service was down, affecting Linode customers such as Clojars, a repository of open source Clojure libraries that relies on the Linode infrastructure." -
These Are the Six Crypto-Currencies Approved By Apple (softpedia.com)
An anonymous reader quotes Softpedia: Anthony Di Iorio, founder of Jaxx, a crypto-currency wallet, claims that an Apple representative revealed to him the six crypto-currencies allowed on the App Store, during a private phone conversation... Di Iorio had this conversation with the Apple employee after the company removed his Jaxx iOS app from the store. The Apple employee told Di Iorio that they had to remove his app because it featured support for Dash, another blockchain technology, touted as an alternative to Bitcoin.
During the conversation, Di Iorio asked what crypto-currencies Apple approves of, so he'd know what to remove from Jaxx's iOS version and get his app back on the App Store. Di Iorio says that Apple is comfortable approving apps on its App Store that handle only six crypto-currencies: Bitcoin, Dogecoin, Litecoin, Ethereum, the DAO and Ripple. Reaction to Apple's list of approved crypto-currencies wasn't positive, at least on Twitter. Most users criticized Apple's decision to limit the list to only six, which they considered might thwart the evolution of other, lesser-known crypto-currencies.
Vitalik Buterin, who helped create Ethereum with Di Iorio, tweeted "For the record: despite being a beneficiary of this instance of (private) regulatory protectionism, I oppose it." -
Penetration-Testing Distro Kali Linux 2016.2 Released (kali.org)
prisoninmate writes: What's Kali Linux 2016.2? Well, it's an updated Live ISO image of the popular GNU/Linux distribution designed for ethical hackers and security professionals who want to harden the security of their networks, which contains the latest software versions and enhancements for those who want to deploy the OS on new systems. It's been quite some time since the last update to the official Kali Linux Live ISOs and new software releases are announced each day, which means that the packages included in the previous Kali Linux images are very old, and bugs and improvements are always implemented in the most recent versions of the respective security tools. Best of all, the new Kali Linux 2016.2 release comes in KDE, MATE, Xfce, LXDE, and Enlightenment E17 flavors.
Their blog also points out that Kali recently appeared in an episode of Mr. Robot. -
Florida Man Arrested For Hacking Linux Kernel Organization In 2011 (softpedia.com)
An anonymous reader writes: The FBI seems to have solved the mysterious case of the 2011 kernel.org hack, when an unknown attacker breached kernel.org servers and attempted to install a rootkit in the kernel code. As years went by, the Linux Kernel Organization kept avoiding releasing an incident response surrounding the event, irking their community accustomed to more open communications from their leaders. The mystery seems to have been solved when yesterday a Florida man was arrested and charged with "hacking the Linux Kernel Organization" and installing a "rootkit and trojan software," just like in the 2011 kernel.org server breach. Donald Ryan Austin is his name. He was arrested during a routine traffic stop last Sunday, on August 28, 2016, and faces a maximum sentence of ten years in prison, a fine of $250,000, and any other restitution. -
PC-BSD Follows a Rolling Release Model, Gets Renamed To TrueOS
prisoninmate quotes a report from Softpedia: By following a rolling release model, TrueOS promises to be a cutting-edge and modern FreeBSD-based operating system for your personal computer, designed with security and simplicity in mind -- all while being stable enough to be deployed on servers. TrueOS will also make use of the security technologies from the OpenBSD project, and you can get your hands on the first Beta ISO images right now. The development team promises to offer you weekly ISO images of TrueOS, but you won't have to download anything anymore thanks to the constant updates of the rolling release model. TrueOS will use LibreSSL instead of OpenSSL, offer Linux DRM 4.7 compatibility to support Intel Skylake, Haswell, and Broadwell graphics, and use the pkg package management system by default. "TrueOS combines the convenience of a rolling release distribution with the failsafe technology of boot environments, resulting in a system that is both current and reliable. TrueOS now tracks FreeBSD's 'Current' brand and merges features from select FreeBSD developer branches to enhance support for newer hardware and technologies," reads today's announcement. -
One of Europe's Biggest Companies Loses 40 Million Euros In Online Scam (softpedia.com)
An anonymous reader writes from a report via Softpedia: Leoni AG, Europe's biggest manufacturer of wires and electrical cables and the fourth-largest vendor in the world, announced it lost 40 million euros ($44.6 million) following an online scam that tricked one of its financial officers into transferring funds to the wrong bank account. A subsequent investigation revealed that attackers had scouted the company's network and procedures, and identified a weak spot to attack. According to authorities, a young woman working as CFO at Leoni's Bistrita factory in Romania was the target of the scam, when she received an email spoofed to look like it came from one of the company's top German executives asking her to transfer funds to a bank account. According to unconfirmed information, the money stolen from Leoni's Bistrita branch ended up in bank accounts in the Czech Republic. The FBI says this type of attack is known as CEO fraud, whaling, or BEC (Business Email Compromise), and has defrauded companies around the world of over $3 billion since October 2013. -
iPhones and iPads Fail More Often Than Android Smartphones (softpedia.com)
An anonymous reader writes: The main question when picking a new phone is whether to choose an Android one or an iPhone. A new study coming from Blancco Technology Group sheds some light on which devices are the most reliable. The study, entitled State of Mobile Device Performance and Health, reveals the device failure rates by operating system, manufacturer, model and region, as well as the most common types of performance issues. The report reveals that in Q2 2016, iOS devices had a 58% failure rate, marking the first time that Apple's devices have a lower performance rate compared to Android. It seems that the iPhone 6 had the highest failure rate of 29%, followed by the iPhone 6s and iPhone 6S Plus. Android smartphones had an overall failure rate of 35%, an improvement from 44% in Q1 2016. Samsung, Lenovo and LeTV were among the manufacturers with the weakest performance and higher failure rates. Samsung scored 26% in failure rate, while Motorola scored just 11%. The study also reveals that iOS devices fail more frequently in North America and Asia compared to Android. Specifically, the failure rate in North America is 59%, while in Asia it is 52%. The failures could be influenced by the fact that the quality of smartphones shipped around the world varies. -
BHU's 'Tiger Will Power' Wi-Fi Router May Be The Most Insecure Router Ever Made (softpedia.com)
An anonymous reader writes from a report via Softpedia: A Wi-Fi router manufactured and sold only in China can easily run for the title of "most insecure router ever made." The BHU router, whose name translates to "Tiger Will Power," has a long list of security problems that include: four authentication bypass flaws (one of which is just hilarious); a built-in backdoor root account that gets created on every boot-up sequence; the fact that it opens the SSH port for external connections after every boot (somebody has to use that root backdoor account, right?); a built-in proxy server that re-routes all traffic; an ad injection system that adds adverts to all the sites you visit; and a backup JS file embedded in the router firmware in case the ad script fails to load from its server. For techies, there's a long technical write-up, which gets funnier and scarier at the same time as you read through it. "An attacker authenticating on the router can use a hardcoded session ID (SID) value of 700000000000000 to gain admin privileges," reports Softpedia. "If he misspells the SID and drops a zero, that's no problem. The BHU router will accept any value and still grant the user admin rights." -
Group Wants To Shut Down Tor For a Day On September 1 (softpedia.com)
An anonymous reader writes: An internal group at the Tor Project is calling for a full 24-hour shutdown of the Tor network to protest the way the Tor Project dealt with the Jacob Appelbaum sexual misconduct accusations, and because of recent rumors that it might be letting former government agents into its ranks. Two Tor members, also node operators, have shut down their servers as well, for the same reason. They explained their motivations here and here.
"The protesters have made 16 demands," according to the article, six related to the supposed infiltration of Tor by government agents, and 10 regarding the Appelbaum ruling and investigation -- including "asking all Tor employees that participated in this investigation to leave" and "the persons behind the JacobAppelbaum.net and the @JakeMustDie and @VictimsOfJake Twitter accounts to come forward and their identities made public." -
New Linux Trojan Is A DDoS Tool, a Bitcoin Miner, and Web Ransomware (softpedia.com)
An anonymous reader writes: A trojan that targeted Drupal sites on Linux servers last May, and that was incredibly simplistic and laughable in its attempt (and failure) to install web ransomware on compromised websites, has now received a major update and has become a top threat on the malware scene. That trojan, named Rex, has evolved in only three months into an all-around threat that can: (1) compromise servers and devices running platforms like Drupal, WordPress, Magento, Jetspeed, Exarid, AirOS; (2) install cryptocurrency mining in the background; (3) send spam; (4) use a complex P2P structure to manage its botnet; and (5) install a DDoS agent which crooks use to launch DDoS attacks.
Worse is that they use their DDoS capabilities to extort companies. The crooks send emails to server owners notifying them of 15-minute DDoS tests, as a forewarning of future attacks unless they pay a ransom. To scare victims, they pose as a known hacking group named Armada Collective. Other groups have used the same tactic, posing as Armada Collective and extorting companies, according to CloudFlare. -
Computer Science Professor Mocks The NSA's Buggy Code (softpedia.com)
After performing hours of analysis, a computer science professor says he's "not impressed" by the quality of the recently-leaked code that's supposedly from an NSA hacking tool. An anonymous Slashdot reader writes: The professor, who teaches Software Vulnerability Analysis and Advanced Computer Security at the University of Illinois, Chicago, gripes about the cryptography operations employed in the code of an exploit called BANANAGLEE, used against Fortinet firewalls. Some of his criticisms include the words "ridiculous", "very bad", "crazy" and "boring memory leaks".
"I would expect relatively bug-free code. And I would expect minimal cryptographic competence. None of those were true of the code I examined which was quite surprising," the professor told Softpedia in an email.
If these were cyberweapons, "I'm pretty underwhelmed by their quality," Professor Checkoway writes on his blog, adding that he found "sloppy and buggy code," no authentication of the encrypted communication channel, 128-bit keys generated using 64 bits of entropy, and cipher initialization vectors that leaked bits of the hash of the plaintext... -
'Smart' Electrical Socket Leaks Your Email Address, Can Launch DDoS Attacks (softpedia.com)
An anonymous reader writes from a report via Softpedia: There is an insecure IoT smart electrical socket on the market that leaks your Wi-Fi password, your email credentials (if configured), and is also poorly coded, allowing attackers to hijack the device via a simple command injection in the password field. Researchers say that because of the nature of the flaws, attackers can overwrite its firmware and add the device to a botnet, possibly using it for DDoS attacks, among other things. Bitdefender didn't reveal the device's manufacturer but said the vendor is working on a fix, which will be released in late Q3 2016. Problems with the device include a lack of encryption for device communications and the lack of any basic input sanitization for the password field. "Up until now most IoT vulnerabilities could be exploited only in the proximity of the smart home they were serving, however, this flaw allows hackers to control devices over the internet and bypass the limitations of the network address translation," says Alexandru Balan, Chief Security Researcher at Bitdefender. "This is a serious vulnerability, we could see botnets made up of these power outlets." -
Mozilla To Add Screenshot Sharing Feature To Firefox Test Pilot Program (softpedia.com)
An anonymous reader writes: [Softpedia reports:] "Mozilla plans to include a webpage screenshot sharing feature to Firefox as part of the Test Pilot program, a spokesperson confirmed to Softpedia. The new feature is called Page Shot, and will initially roll out on Firefox Test Pilot in late-Q3 of this year. The Firefox Test Pilot program allows users to test experimental Firefox features using a special add-on. Based on user feedback, those features will end up as built-in Firefox features, or self-standing add-ons." The pageshot.net website is now offline as Mozilla prepares to launch the add-on via Test Pilot, but Softpedia has the screenshots. You can view the screenshots here. -
Linux Kernel 4.6 Has Reached End of Life, Users Urged To Move To Linux 4.7.1
Reader prisoninmate writes: Immediately after announcing the availability of the first point release for the Linux 4.7 kernel series, Greg Kroah-Hartman also informed the community about the launch of Linux kernel 4.6.7, which is the seventh maintenance update for the Linux 4.6 stable kernel branch, but it also looks like it's the last one for the series, which has now officially reached end of life. Therefore, if you're using a GNU/Linux operating system powered by a kernel from the Linux 4.6 branch, you are urged to move to Linux kernel 4.7 as soon as possible by installing the brand new Linux kernel 4.7.1 build. -
FalseCONNECT Vulnerability Affects Software From Apple, Microsoft, Oracle, More (softpedia.com)
An anonymous reader writes from a report via Softpedia: "Researcher Jerry Decime revealed details about a security vulnerability that allows an attacker to gain a Man-in-the-Middle position and intercept HTTPS traffic thanks to flaws in the implementation of proxy authentication procedures in various products," reports Softpedia. The flaw can be used to collect user credentials by tricking victims into re-authenticating, sending data to a third-party. Multiple software vendors deploy applications that can handle proxy connections. Until now, Apple, Microsoft, Oracle, and Opera have acknowledged their products are affected. Lenovo said this bug does not impact its software. Other software vendors that are still evaluating the FalseCONNECT bug and may be affected include multiple Linux distros, Cisco, Google, HP, IBM, Juniper, Mozilla, Nokia, OpenBSD, SAP, Sony, and others. -
DDoSCoin: New Crypto-Currency Rewards Users For Participating In DDoS Attacks (softpedia.com)
An anonymous reader writes from a report via Softpedia: "In the most innovative, weirdest, and stupidest idea of the month, two researchers from the University of Colorado Boulder and the University of Michigan have created a crypto-currency that rewards people for participating in DDoS attacks," reports Softpedia. "Called DDoSCoin, this digital currency rewards a person (the miner) for using their computer as part of a DDoS attack. Just like Bitcoin, DDoSCoin uses cryptographic data to provide a proof-of-work. In DDoSCoin's case, this proof-of-work is extracted from the TLS connection a miner establishes with the website they're supposed to attack." This means that DDoSCoin can be used only with DDoS attacks on TLS-enabled websites. Participating in DDoS attacks gives miners DDoSCoin, which can then be converted into Bitcoin or fiat currency. Furthermore, anyone can request a DDoS attack via the PAY_TO_DDOS transaction. The research paper that proposes DDoSCoin is only a theoretical exercise, and a DDoSCoin crypto-currency does not currently exist in the real world. For now. -
Linux 4.9 Will Be the Next LTS Kernel Branch, Says Greg Kroah-Hartman (softpedia.com)
Reader prisoninmate writes: Renowned Linux kernel developer and maintainer Greg Kroah-Hartman said on Friday that the next LTS (Long-Term Support) kernel branch will be Linux 4.9. The development cycle of a new Linux kernel branch doesn't take more than a month and a half or a maximum of two months, depending on whether the respective series receives seven or eight Release Candidate (RC) milestones, but LTS releases are picked by veteran kernel developers from time to time when older ones reach end of life (EOL). If Linux kernel 4.8 is a normal release with a total of seven RCs and is announced on September 25, then the development cycle of the Linux 4.9 kernel should start with the first Release Candidate development snapshot on October 9, 2016. But if Linux kernel 4.8 has eight RCs, then we should see Linux kernel 4.9 LTS RC1 one week later, on October 16. -
Canonical Releases Snapcraft 2.14 For Ubuntu With New Rust Plugin, Improvements (softpedia.com)
Marius Nestor, reporting for Softpedia News: Canonical, through Sergio Schvezov, has had the great pleasure of announcing the release and general availability of the Snapcraft 2.14 Snap creator tool for the Ubuntu 16.04 LTS (Xenial Xerus) operating system. Coming hot on the heels of Snapcraft 2.13, the new 2.14 maintenance update is here to introduce a bunch of new plugins, namely rust, godeps, and dump. You can find more information about each one by running the "snapcraft help " command in a terminal window. Also new in the Snapcraft 2.14 release is support for alternate relocation mechanisms in the "make" plugin (for example, you can use DESTDIR alternatives), as well as many improvements to the "go" plugin, such as support for local sources, which are now preferred instead of fetching new ones, and proper handling of the source entry. The list of improvements implemented in Snapcraft 2.14 continues with support for building kernel Snaps for multiple hardware architectures using a single snapcraft.yaml file, support for "oneshot" daemons, better wiki parser source management, as well as proper setting of "shebangs" and support for requirement files in the "python" plugin. -
Arch Linux Is Now Officially Powered by Linux Kernel 4.7, Update Your Systems
Marius Nestor, writing for Softpedia: A few weeks after its official release, it finally happened: Linux kernel 4.7 has just landed in the stable software repositories of the popular, lightweight and highly customizable Arch Linux operating system. Linux kernel 4.7 is the most stable and advanced kernel branch, and only a few GNU/Linux distributions have adopted it since its launch on July 24, 2016. It's still marked as "mainline", not "stable" or "longterm", on the kernel.org website, which means that it hadn't received a maintenance update at the time of writing this article. As for its new features, Linux kernel 4.7 comes with an updated AMDGPU graphics driver with support for AMD Radeon RX 480 GPUs, LoadPin, a brand new security module that ensures all modules loaded by the kernel originate from the same filesystem, and support for upgrading firmware using the EFI "Capsule" mechanism. Linux kernel 4.7 also marks the sync_file fencing mechanism used in the Android mobile operating system as stable and ready for production, implements support for generating virtual USB Device Controllers in USB/IP, supports parallel directory lookups, and introduces the "schedutil" frequency governor, which is faster and more accurate than the current ones.