Slashdot Mirror

An anonymous reader quotes a report from Softpedia: Windows 10 build 14352, a preview version of the upcoming Anniversary Update (also known as Redstone), comes with an eagerly awaited change that Microsoft hasn't yet announced publicly. The 260-character path length limit in Windows can be removed with the help of a new policy, thus allowing you to run operations with files regardless of their path or file name. While this new rule is not enabled by default, admins can turn it on by following these instructions. Launch the Registry Editor by clicking the Start menu and typing "regedit.exe," and then navigate to the following path: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{48981759-12F2-42A6-A048-028B3973495F}Machine\System\CurrentControlSet\Policies. Look for an entry called "LongPathsEnabled," and if it does not exist, simply right-click Policies, select New DWORD (32-bit), name it "LongPathsEnabled" (without the quotes), enter value 1, and you're good to go. The description of the preview reads, "Enabling NTFS long paths will allow manifested win32 applications and Windows Store applications to access paths beyond the normal 260 char limit per node. Enabling this setting will cause the long paths to be accessible within the process." While the Windows 10 preview build 1452 has been made available last week, according to Windows Central, a Microsoft team member says that the company could released Windows 10 Mobile build 14352 for Insiders on Tuesday, May 31.

An anonymous reader writes from a report issued by Softpedia on May 27: Microsoft and several other security researchers have detected the first ransomware versions that appears to have self-propagation features, being able to spread to other machines on its own by copying itself to shared network drives or portable storage devices automatically. Called ZCryptor, this ransomware seems to enjoy quite the attention from crooks, who are actively distributing today via Flash malvertising and boobytrapped Office files that infect the victim if he enables macro support when opening the file. This just seems to be the latest addition to the ransomware family, one which recently received the ability to launch DDoS attacks while locking the user's computer.

Three cryptocurrency experts published a scientific paper Friday detailing seven attacks that could influence how the Decentralized Autonomous Organization (DAO) allocates its Ether funds. An anonymous Slashdot reader writes, "Coincidentally or not, they released their work with one day before funding for the DAO closed, and not surprisingly, Ether's price went down, devaluing the DAO from $150 million to $132 million."

From Softpedia: DAO is a crowdfunded project that works on the Ethereum network, a new crypto-currency network that deals with crypto-currency named Ether, which many experts say is better than Bitcoin's blockchain... Investors can submit funding proposals, on which the DAO users vote by submitting some of their tokens and a YES/NO vote. In the end, based on the tokens and YES/NO votes, the DAO's computer program decides on the outcome.
Softpedia reports that the paper released Friday also suggests a series of mitigations to a design they say will "incentivize investors to behave strategically; that is, at odds with truthful voting on their preferences."

Two days after Fiverr, a marketplace for digital services, removed user listings from its website that advertised DDoS-for-hire services, the company's website suffered a six-hour long DDOS attack. Softpedia reports: The incident took place on the morning of May 27 (European timezones), and the service admitted its problems on its Twitter account. At the time of writing, Fiverr has been back up and functioning normally for more than two hours. Fiverr's problems stem from an Incapsula probe that found DDoS-for-hire ads on its marketplace, available for $5. Incapsula reported the suspicious listings to Fiverr, who investigated the issue and removed the ads. Fiverr first removed all listings advertising blatantly illegal DDoS services, but later also removed the ads offering to "test" a website for DDoS "protection" measures.

The Department of Defense has promised to finally stop managing the U.S. nuclear arsenal with floppy disks "by the end of 2017". But an anonymous reader shares Softpedia's report about another startling revelation this week from the Government Accountability Office: Another agency that plans to upgrade is the US Department of Veterans Affairs, which uses COBOL, a programming language from the '50s to manage a system for employee time and attendance. Unfortunately for the VA, there were funds only to upgrade that COBOL system, because the agency still uses the antiquated programming language to run another system that tracks claims filed by veterans for benefits, eligibility, and dates of death. This latter system won't be updated this year. Another serious COBOL user is the Department of Homeland Security, who employs it to track hiring operations, alongside a 2008 IBM z10 mainframe and a Web component that uses a Windows 2012 server running Java.
Personnel files are serious business. A 2015 leak of the secret service's confidential personnel files for a Utah Congressman (who was leading a probe into high-profile security breaches and other missteps) led the Department of Homeland Security to discipline 41 secret service agents.

jones_supa writes: Softpedia reports: "Microsoft has recently announced a new round of job layoffs at its Mobile unit in Finland, as it moves forward with its restructuring and reorganization plan following the acquisition of Nokia's Devices and Services unit. The Finnish government has criticized Microsoft for turning to more job cuts in the country, pointing out that the company has a huge responsibility to help those who are being let go. Microsoft's latest job cut round included 1,850 people, 1,350 of which are said to be working in Finland. 'I am disappointed because of the (initial) promises made by Microsoft,' Finance Minister Alexander Stubb was quoted as saying by Reuters. 'One example is that the data center did not materialize despite the company's promise.'" He refers to Microsoft's promise in 2013 to invest $250 million in a data center located in Finland that was specifically meant to provide services to European customers. All of these worries are not unfounded as the employment situation in Finland is still quite terrible, and the decline of Nokia's former phone business certainly exacerbates the situation.

An anonymous reader writes: A smaller group of Anonymous, called Anonymous Analytics, reached the conclusion that DDoSing is stupid and never fixes anything, so they decided to use their hacking skills and stock market knowledge to make a difference in another way. For the past years, the group has been compiling market reports on U.S. and Chinese companies and publishing their results. Their reports have been noticed by the stock market, who recently started to react to their findings. The most obvious case was of Chinese lottery machine maker REXLot. The hackers discovered that REXLot inflated its revenue and the amount of cash on its balance sheet, based on the amount of interest earned. "The group published its findings on June 24, 2015, and REXLot stock price plummeted from 0.485 Hong Kong dollar per share to 0.12, before trading was suspended [for ten months]. REXLot rejoined the market on April 18, 2016, this year, but even after submitting a 53-page report, the company stock fell again by 50 percent," reports Softpedia. Anonymous Analytics then published two more reports on the company, urging the market to sell, and two days later, Reuters reported that REXLot did not have enough cash to make due bond payments, which meant the company had to sell assets to repay bonds. Other companies on which the group published market reports include Qihoo 360 and Western Union.

An anonymous reader quotes a report from Softpedia: Tor developers have been working on the next iteration of the Tor network and its underbelly, the Onion routing protocol, in order to create a stronger, harder-to-crack anonymous communications system. To advance the project, the developer team schedules brainstorming and planning meetings at regular intervals. The most recent of these meetings took place last week, in Montreal, Canada. In this session, the team tested the next generation of the Tor network working on top of a revamped Onion protocol that uses a new algorithm for generating random numbers, never before seen on the Internet. The Tor Project says it created something it calls "a distributed RNG" (random number generator) that uses two or more computers to create random numbers and then blends their outputs together into a new random number. The end result is something that's almost impossible to crack without knowing which computers from a network contributed to the final random number, and which entropy each one used. Last week, two University of Texas academics have made a breakthrough in random number generation. The work is theoretical, but could lead to a number of advances in cryptography, scientific polling, and the study of various complex environments such as the climate.

An anonymous reader writes: CentOS team is pleased to announce the immediate availability of CentOS Linux 6.8 and install media for i386 and x86_64 Architectures. Release Notes for 6.8 are available here. Softpedia writes: "CentOS Linux 6.8 arrives today with major changes, among which we can mention the latest Linux 2.6.32 kernel release from upstream with support for storing up to 300TB of data on XFS filesystems. The VPN endpoint solution implemented in the NetworkManager network connection manager utility is now provided on the libreswan library instead of the Openswan IPsec implementation used in previous release of the OS, and it looks like the SSLv2 protocol has been disabled by default for the SSSD (System Security Services Daemon), which also comes with support for smart cards now." In addition, the new release comes with updated applications, including the LibreOffice 4.3.7 office suite and Squid 3.4 caching and forwarding web proxy, many of which are supporting the Transport Layer Security (TLS) 1.2 protocol, including Git, YUM, Postfix, OpenLDAP, stunnel, and vsftpd. The dmidecode open-source tool now supports SMBIOS 3.0.0, you can now pull kickstart files from HTTPS (Secure HTTP) sources, the NTDp (Network Time Protocol daemon) package has an alternative solution as chrony, SSLv3 has been disabled by default, and there's improved support for Hyper-V.

An anonymous reader writes: "It has been possible for a long time for developers to use CSS to append malicious content to the clipboard without a user noticing and thus fool them into executing unwanted terminal commands," writes Softpedia. "This type of attack is known as clipboard hijacking, and in most scenarios, is useless, except when the user copies something inside their terminal." Security researcher Dylan Ayrey published a new version of this attack last week, which uses only JavaScript as the attack medium, giving the attack more versatility and making it now easier to carry out. The attack is called Pastejacking and it uses Javascript to theoretically allow attackers to add their malicious code to the entire page to run commands behind a user's back when they paste anything inside the console. "The attack can be deadly if combined with tech support or phishing emails," writes Softpedia. "Users might think they're copying innocent text into their console, but in fact, they're running the crook's exploit for them."

An anonymous reader writes: A group of hackers have created a ransomware strain that specifically targets Drupal sites. Infection occurs thanks to an automated bot which scans Drupal sites and then uses an SQL injection (CVE-2014-3704) to change the site admin's password. The bot also dumps any emails it finds on the server, and then overwrites the site's main page to show a typical ransomware note. Over 400 sites have been infected until now, but nobody has paid the ransom yet.

This case yet again proves why "Web ransomware" will never work because even the worst Web hosting service provides automatic backups from where they could retrieve a clean version of their site.

An anonymous reader writes: Ransomware developers have found another method of monetizing their operations by adding a DDoS component to their malicious payloads. So instead of just encrypting your files and locking your screen, new ransomware versions seen this week also started adding a DDoS bot that quietly blasts spoofed network traffic at various IPs on the Internet.
Softpedia points out that "Renting out DDoS botnets on the Dark Web is a very lucrative business, even if prices have gone down in recent years."

An anonymous reader writes: Ransomware developers have found another method of monetizing their operations by adding a DDoS component to their malicious payloads. So instead of just encrypting your files and locking your screen, new ransomware versions seen this week also started adding a DDoS bot that quietly blasts spoofed network traffic at various IPs on the Internet.
Softpedia points out that "Renting out DDoS botnets on the Dark Web is a very lucrative business, even if prices have gone down in recent years."

An anonymous reader writes: "Intelligent Environments, the company that brought us emoji passwords, has launched another original product, a banking platform integrated with IoT devices working on the classic 'If This, Then That' principle," writes Softpedia. "Called Interact IoT, the platform will allow developers to create smart products that interact with your bank account. Intelligent Environments launched the platform yesterday with two integrations, one for the Pavlok wristband and one for Google's Nest thermostat." Bank account owners can set a threshold for their account, which if they go under they'll receive an electric shock from their Pavlok wristband or Interact IoT will turn down their Nest thermostat to save money. More integrations are under work. Which ones would you like to see? "Both Pavlok and Nest Thermostat are opt-in services, so customers can decide whether to switch them on or not," said David Webber, Managing Director at Intelligent Environments. "However, with the Pavlok integration users have told us they love it. They think it's much better to get a little shock now, instead of a nasty one later."

An anonymous reader writes: Two Princeton academics conducted a massive research into how websites track users using various techniques. The results of the study, which they claim to be the biggest to date, shows that Google, through multiple domains, is tracking users on around 80 percent of all Top 1 Million domains. Researchers say that Google-owned domains account for the top 5 most popular trackers and 12 of the top 20 tracker domains. Additionally, besides tracking scripts, HTML5 canvas fingerprinting and WebRTC local IP discover, researchers discovered a new user fingerprinting technique that uses the AudioContext API. Third-party trackers use it to send low-frequency sounds to a user's PC and measure how the PC processes the data, creating an unique fingerprint based on the user's hardware and software capabilities. A demo page for this technique is available. Of course, this sort of thing is nothing new and occurs all across the web and beyond. MIT and Oxford published a study this week that revealed that Twitter location tags on only a few tweets can reveal details about the account's owner, such as his/her real world address, hobbies and medical history. Another recently released study by Stanford shows that phone call metadata can also be used to infer personal details about a phone owner.

An anonymous reader writes: The Iraqi government has ordered ISPs to shut down Internet access in the entire country to prevent exam cheating for Iraq's official exams for secondary and high schools. This is the second year in a row when Iraq does this, after the same thing happened in 2015. Companies like Akamai and Dyn also noted the government's poor decision on Twitter. It appears that Iraqi officials never heard of signal jammers and video cameras to combat exam cheating. The country's Internet went dark May 14-16th, between 05:00 AM and 08:00 AM GMT. An Iraqi ISP leaked on Facebook the content of an email it received from state officials.

An anonymous reader writes: "Michael Mancil Brown, 37, of Franklin, Tennessee, faces up to thirty years in prison, a fine up to $250,000, and orders of restitution to victims, because of a daring stunt he pulled off in 2012 that involved fake hacking the PricewaterhouseCoopers consulting firm, and US presidential candidate Mitt Romney. Back in 2012, Brown had the bright idea to write a letter alleging to have hacked PricewaterhouseCoopers (PwC) servers and stolen tax documents prior to 2010 for Mitt Romney and his wife, Ann," writes Softpedia. The "hacker" asked for $1 million in Bitcoin, and after publishing details about his fake hack online, he almost received it from a "third-party," but not before the FBI arrested him and then uncovered his lie. Last Friday, Brown was found guilty and then convicted of six counts of wire fraud and six counts of using facilities of interstate commerce to commit extortion.

An anonymous coward writes: Just like clockwork, the Linux 4.6 kernel was officially released today. Details on the kernel changes for Linux 4.6 can be found via Phoronix and KernelNewbies.org. NVIDIA GeForce GTX 900 Maxwell support and Dell XPS 13 Skylake support are among the many hardware changes for 4.6. For Linux 4.7 there are already several new features to look forward to from new DRM display drivers to a new CPU scaling governor expected.
prisoninmate also writes: Linus Torvalds announced the final release of the anticipated Linux 4.6 kernel, which, after seven Release Candidate builds introduces features like "the OrangeFS distributed file system, support for the USB 3.1 SuperSpeed Plus (SSP) protocol, offering transfer speeds of up to 10Gbps, improvements to the reliability of the Out Of Memory task killer, as well as support for Intel Memory protection keys," [according to Softpedia].

"Moreover, Linux kernel 4.6 ships with Kernel Connection Multiplexor, a new component designed for accelerating application layer protocols, 802.1AE MAC-level encryption (MACsec) support, online inode checker for the OCFS2 file system, support for the BATMAN V protocol, and support for the pNFS SCSI layout."

Softpedia reports that "At the end of April, members of the Anonymous hacker collective announced the launch of the OnionIRC, an internet relay chat network where the group says it aims to teach people about hacking and hacktivism." [Chat logs are available through the @OnionIRC Twitter account.] Classes cover topics like open-source intelligence and how to use nmap and bash, but "The teachers and the main people behind this campaign have been focused more on promoting the principles of hacktivism than anything else...classes on the idea of Anonymous itself, hacktivism in general, and civil disobedience." An anonymous Slashdot reader writes: The group's actual hacking activity has died down in the past years, with less "hacks" and more DDoS attacks, which most of the times are carried out by attention-seeking members. Because of this, the group's older members created the OnionIRC as a way to recruit and train new members.
Meanwhile, Softpedia reports that an Anonymous group is now targeting the mayor of Denver for dismantling homeless shelters, by bringing new attention to unconfirmed rumors that he once visited a prostitute.

Softpedia reports that "At the end of April, members of the Anonymous hacker collective announced the launch of the OnionIRC, an internet relay chat network where the group says it aims to teach people about hacking and hacktivism." [Chat logs are available through the @OnionIRC Twitter account.] Classes cover topics like open-source intelligence and how to use nmap and bash, but "The teachers and the main people behind this campaign have been focused more on promoting the principles of hacktivism than anything else...classes on the idea of Anonymous itself, hacktivism in general, and civil disobedience." An anonymous Slashdot reader writes: The group's actual hacking activity has died down in the past years, with less "hacks" and more DDoS attacks, which most of the times are carried out by attention-seeking members. Because of this, the group's older members created the OnionIRC as a way to recruit and train new members.
Meanwhile, Softpedia reports that an Anonymous group is now targeting the mayor of Denver for dismantling homeless shelters, by bringing new attention to unconfirmed rumors that he once visited a prostitute.

prisoninmate quotes a report from Softpedia: It took the Debian developers many years to finally be able to ship a working version of ZFS for Linux on Debian GNU/Linux. For those not in the known, ZFS on Linux is the official OpenZFS implementation for Linux, which promises to offer native ZFS filesystem support for any Linux kernel-based operating system, currently supporting Arch Linux, Ubuntu, Fedora, Gentoo, Red Hat Enterprise Linux, CentOS, openSUSE, and now Debian. And it looks like their ZFS for Linux implementation borrows a lot of patches from Ubuntu, at least according to the changelog for zfs-linux 0.6.5.6-2, the version that is now available in the unstable channel for Debian users to install and test.

An anonymous reader quotes a report from Softpedia: In a Google Groups thread named "Intent to implement: HTML5 by Default," the Google developers announced initial plans to implement a new feature in the Chromium core that will disable the playback of Flash content by default, and use HTML5 instead, if available. The feature is scheduled to ship with Chromium builds in Q4 2016, according to the current timeline. To avoid "overprompting," a whitelist will allow ten major websites to continue to show Flash content by default without pestering users with "Allow domain.com to run Flash Player" prompts. The whitelist will be in effect one year only. The list includes the domains of YouTube, Facebook, Yahoo, VK, Live, Yandex, OK.ru, Twitch, Amazon, and Mail.ru, the biggest sites running Flash content today. Previews of the settings and prompts UI are also available.

Reader prisoninmate writes: Following on last year's bold announcement that they will attempt to migrate from proprietary Microsoft Office products to an open-source alternative like LibreOffice, Italy's Ministry of Defense now expects to save up to 29 million Euro with this move. We said it before, and we'll say it again, this is the smartest choice a government institution can do. And to back up this statement, the Italian Ministry of Defense announced that they expect to save between 26 and 29 million Euro over the next few years by migrating to the LibreOffice open-source software for productivity and adopting the Open Document Format (ODF).

An anonymous reader writes: Two weeks ago, Qatar's National Bank suffered a massive data breach at the hands of Turkish hackers. That data included details about Qatar's royal family and Al Jazeera reporters...

Now it appears that the same hacker group has dumped data from a UAE bank. The data appears to be the same data stolen by a hacker last year, who tried to blackmail the bank for $3 million. An analysis of the data can be found here.

An anonymous reader quotes this report from Distrowatch: Linux Mint 18 will no longer provide separate, codec-free installation media for OEM and magazine distribution. Instead, the distribution will ship without multimedia support while making it easy for users to acquire media codecs during the initial installation of the operating system. "OEM installation disks and NoCodec images will no longer be released. Instead, similar to other distributions, images will ship without codecs and will support both traditional and OEM installations. This will reduce our release cycle to 4 separate events and the production and testing of 12 ISO images. Multimedia codecs can be installed easily: From the welcome screen, by clicking on "Multimedia Codecs", or from the main menu, by clicking on "Menu"->"Sound and Video"->"Install Multimedia Codecs", or during the installation process, by clicking a checkbox option." Additional information on the upcoming release of Linux Mint 18 can be found in the project's monthly newsletter.
Softpedia points out that they're using Ubuntu 16.04 LTS as the package base, meaning "more hardware devices and components are now supported."

An anonymous reader writes: Google Chrome, Firefox and Safari are actively blocking direct access to The Pirate Bay. Kickass Torrents suffered such a similar incident last month, because of the intermediary confirmation screen that appeared every time users navigated away from the site.

The reason why these three browsers block access to The Pirate Bay is unknown, but it could be related to a malvertising campaign that has plagued the site for more than two weeks. Two weeks ago, the malvertising campaign intensified right when season six of Game of Thrones premiered.
Meanwhile, HBO is contacting sites asking them to remove Game of Thrones torrents, and sending thousands of copyright infringement warnings to ISPs, urging them to remind pirates that they can stream HBO content legally after purchasing a subscription to HBO.

An anonymous reader writes: Microsoft's user identity management systems, made up by Microsoft Account (formerly Live ID, for home users) and Azure Active Directory (for its cloud/corporate services), see over 13 billion user logins per day, with 1.3 billion for AAD. The company says that over 10 million (per day) of these login attempts are cyber-attacks, which the company is able to detect. This information comes via Microsoft's most recent Security Intelligence Report, which also reveals details about a new cyber-espionage group named Platinum and that hackers are still using the same vulnerability (CVE-2010-2568) even today, which was used in the Stuxnet attacks. According to Pew Research Center, there's an increasingly growing fear among Americans about cyberattacks. In fact, it's the second most feared entity to them, the first being ISIS.

prisoninmate writes: Today is the last day of the Ubuntu Online Summit 2016, and the Ubuntu developers discussed the future of the Ubuntu Desktop for Ubuntu 16.10 (Yakkety Yak) and beyond. It looks like Snaps (Snappy) and Unity 8 with Mir are slowly conquering the Ubuntu Desktop, at least according to Canonical's Will Cooke, Ubuntu Desktop Manager. Work has already begun on pushing these new and modern technologies to the Ubuntu Desktop, as Ubuntu 16.04 LTS has just received support for installing Snaps from the Ubuntu Snappy Store. Canonical's Will Cooke has mentioned the fact that the Unity 7 desktop enters its twilight years, which means that it gets fewer features and it's being reduced to only critical and OEM work. This is because Unity 8 desktop is getting all the attention now, and it will become the default desktop session somewhere after Ubuntu 16.10 (Yakkety Yak).

prisoninmate writes: Today is the last day of the Ubuntu Online Summit 2016, and the Ubuntu developers discussed the future of the Ubuntu Desktop for Ubuntu 16.10 (Yakkety Yak) and beyond. It looks like Snaps (Snappy) and Unity 8 with Mir are slowly conquering the Ubuntu Desktop, at least according to Canonical's Will Cooke, Ubuntu Desktop Manager. Work has already begun on pushing these new and modern technologies to the Ubuntu Desktop, as Ubuntu 16.04 LTS has just received support for installing Snaps from the Ubuntu Snappy Store. Canonical's Will Cooke has mentioned the fact that the Unity 7 desktop enters its twilight years, which means that it gets fewer features and it's being reduced to only critical and OEM work. This is because Unity 8 desktop is getting all the attention now, and it will become the default desktop session somewhere after Ubuntu 16.10 (Yakkety Yak).

An anonymous reader quotes a report from Softpedia: The device in question is Merge Hemo, a complex medical equipment used to supervise heart catheterization procedures, during which doctors insert a catheter inside blood veins and arteries in order to diagnose various types of heart diseases. According to one such report filed by Merge Healthcare in February, Merge Hemo suffered a mysterious crash right in the middle of a heart procedure when the screen went black and doctors had to reboot their computer. Merge investigated the issue and later reported to the FDA that the problem occurred because of the antivirus software running on the doctors' computer. The antivirus was configured to scan for viruses every hour, and the scan started right in the middle of the procedure. Merge says the antivirus froze access to crucial data acquired during the heart catheterization. Unable to access real-time data, the app crashed spectacularly.

An anonymous reader writes from a report on Softpedia: Political tensions relating to the U.S. presidential race are creating turmoil inside the Anonymous hacker collective, muddling waters even more in a group that's known for its lack of leadership and a common goal. The most recent Anonymous infighting relates to the actions of the group's most famous news portal known as AnonHQ, who's been showing downright public support for Bernie Sanders, while being extremely busy at bashing Trump, Cruz, and more recently issuing video threats against Clinton. Ever since Anonymous' official news source has started showing public support for Sanders, many of the group's divisions have publicly disavowed it and have even gone so far as launching constant waves of DDoS attacks at what once used to be the hacker's official news portal. Last month, when a former Anonymous member decided to dox himself, he said in interviews that the group had been infiltrated by government agents.

An anonymous reader quotes a report from Softpedia: A British security researcher that goes online only by the name of InfoSec Guy revealed today that American Samoa domain registry ASNIC was using an outdated domain name management system that contained a bug allowing anyone to view the personal details of any .as domain owner. The researcher also claims that anyone knowing of this bug would have been able to edit and delete any .as domain, just by altering the ASNIC domain info URL. Some of the big brands that own .as domains include Opera, Flickr, Twitter, McDonald's, British Gas, Bose, Adidas, the University of Texas, and many link shortening services. This flawed system has been online since the mid-1990s. The researcher contacted ASNIC after discovering the flaw at the end of January 2016, but email exchanges with the domain registry were scarce and confusing, with the registry issuing a statement today denying the incident and calling the allegations "inaccurate, misleading and sexed-up to the max," after previously acknowledging and fixing the security flaws.

prisoninmate quotes a report from Softpedia: According to Matthew Garrett, a renowned CoreOS security developer, and Linux kernel contributor, Canonical's new snap package format is not secure at all when it is used under X.Org Server (X Window System), which, for now, it is still the default display server of the Ubuntu 16.04 LTS (Xenial Xerus) operating system. The fact of the matter is that X11's old design is well-known for being insecure, and Matthew Garrett took the time to demonstrate this by writing a simple snap package that can steal data from any other X11 software, in this case anything you type on the Mozilla Firefox web browser. As more developers will provide snaps for their apps, Canonical needs to do something about the security of snaps in Ubuntu when using X11 or switch to the Mir display server. In the meantime, the security of snaps remains unaffected for the Ubuntu Server operating system, which is usually used without a display server. Canonical has officially released Ubuntu 16.04 LTS, which is now available to download for those interested.

Reader prisoninmate writes: The latest, and hopefully, the greatest version of Ubuntu is now available to download. On the sidelines, Mozilla today announced the availability of future releases of its popular Firefox web browser in the snap package format for Ubuntu 16.04 LTS. Earlier today, Canonical unleashed the final release of the highly anticipated Ubuntu 16.04 LTS (Xenial Xerus) operating system, bringing users a great set of new features and improvements. Also today, it looks like Canonical has renewed its partnership with Mozilla to offer Firefox as the default web browser on Ubuntu 16.04 LTS and upcoming releases of the Linux kernel-based operating systems. As part of the new partnership, Mozilla is committed to distributing future versions of Firefox as a snap package. Having Firefox distributed in the snap format means that you'll have 0-day releases in Ubuntu 16.04. Yes, just like Windows and Mac OS X, users are enjoying their 0-day releases of Mozilla Firefox and don't have to wait for package maintainers of a particular GNU/Linux distribution to update the software in the main repositories. For Mozilla, having Firefox as a snap package means that they'll be able to continually optimize it for Ubuntu.

An anonymous reader writes: The European Commission is listening to suggestions regarding EU laws on privacy and electronic communications (e-Privacy), among which is also the EU Cookie Directive that has made the lives of EU Internet users a living hell. The EU Commission has started an open consultation on this topic and is inviting users and businesses to provide their opinion. From the consultation's text, which is nothing more than a survey, one could argue that the EU isn't intent on removing the directive at all, but only making small adjustments. In its current implementation, most companies ask users if they're OK with storing cookies on their PCs and then collecting their data. One of the questions the Commission asked and is currently looking for an answer is whether companies should be allowed to deny users access to a website if they don't want to accept using cookies. The EU wants Internet companies to build alternative (usable) websites for people that don't want to use cookies at all, and so respect their decision for privacy.

An anonymous reader writes: According to Softpedia, "Security researchers from SurfWatch Labs have shut down a secret plan to hack and infect hundreds or possibly thousands of forums and websites hosted on the infrastructure of Invision Power Services, makers of the IP.Board forum platform." The man behind this plan was a hacker known as AlphaLeon, maker of the Thanatos malware-as-a-service platform. AlphaLeon hacked IP.Board's customer hosting platform, and was planning to place an exploit kit that would infect the visitors to these websites with his Thanatos trojan, in order to grow his botnet. Some of the companies using IP.Board-hosted forums include Evernote, the NHL, the Warner Music Group, and Bethesda Softworks (Elder Scrolls, Fallout, Wolfenstein, Doom games).

An anonymous reader writes: According to Softpedia, "Security researchers from SurfWatch Labs have shut down a secret plan to hack and infect hundreds or possibly thousands of forums and websites hosted on the infrastructure of Invision Power Services, makers of the IP.Board forum platform." The man behind this plan was a hacker known as AlphaLeon, maker of the Thanatos malware-as-a-service platform. AlphaLeon hacked IP.Board's customer hosting platform, and was planning to place an exploit kit that would infect the visitors to these websites with his Thanatos trojan, in order to grow his botnet. Some of the companies using IP.Board-hosted forums include Evernote, the NHL, the Warner Music Group, and Bethesda Softworks (Elder Scrolls, Fallout, Wolfenstein, Doom games).

An anonymous reader writes: Recent Mac versions come bundled with a very old version of Git (2.6.4) that is vulnerable to two security flaws that allow attackers to execute code on the device when the user forks a Git repo holding "malicious" code. The problem is that users can't upgrade this Git repo, they can't change its runtime permissions, nor can they remove it because Apple blocks even root users from twiddling with some system-level programs. "If you rely on machines like this, I am truly sorry. I feel for you," the researcher wrote on her blog. "I wrote this post in an attempt to goad them [Apple] into action because this is affecting lots of people who are important to me. They are basically screwed until Apple deigns to deliver a patched git unto them."

An anonymous reader writes: FinFisher, the hacker that broke into Italian firm Hacking Team, has published a step-by-step account of how he carried out the attacks, what tools he used, and what he learned from scouting HackingTeam's network. Published on PasteBin, the attack's timeline reveals he entered their network through a zero-day exploit in an (unnamed) embedded device, accessed a MongoDB database that had no password, discovered backups in the database, found a BES admin password in the backups, and eventually got admin access to the Windows Domain Server. From here, it was easy to reach into their email server and steal all the company's emails, and later access Git repos and steal the source code of their surveillance software.

An anonymous reader writes: Vice reported at the end of March that the FBI and the U.S. Department of Justice are fighting tooth and nail to keep a Tor Browser exploit hidden from the public eye. Computer experts were quick to point out that this Tor Browser exploit, technically speaking, is a Firefox exploit, since Tor's browser is based on Firefox's ESR platform. Taking into account that Firefox follows open-source philosophy and reveals all security flaws reported, the effort which the FBI puts into restricting access to its exploit leads to only one conclusion, and that is that the FBI is hoarding a Firefox zero-day, currently unpatched in the browser's core -- something it hopes to use once again.

An anonymous reader writes: Back in February iOS users noted that setting your phone/tablet's date to January 1, 1970 would permanently brick their devices. After Apple fixed the issue in iOS 9.3.1, two security researchers have now uploaded a video on YouTube showing how to exploit this bug from a remote location, with no access to the user's phone. The setup involves attackers putting up a Wi-Fi network on which they're running a rogue NTP server. This server tells iOS devices syncing their time that it's December 31, 1969, 23:59:00. Twenty minutes later, if the battery didn't catch fire (which is possible with this new exploit), the iPad or iPhone device is permanently and irreversibly bricked.

An anonymous reader writes: At this year's F8 developer conference, Facebook announced a new tool called Account Kit, which can be used by app developers to support phone number-based login systems. Every time the user wants to login, they have to enter their phone number. Facebook will then send them a verification code via SMS, which they have to enter on the site. The system was already tested live, and Facebook expects it to be widely adopted, allowing sites to offer users accounts that don't require them to memorize a new password. Each developer has a 100,000 free confirmation SMS messages per month quota. Facebook claims to support SMS login operations for over 230 countries and regions, and in 40 different languages.

An anonymous reader writes: Researchers found a new ransomware yesterday called Jigsaw which will first lock your files and ask for a 0.4 Bitcoin ($150 USD) payment. If users don't pay, every hour the ransomware deletes your files. If the user restarts their PC, the ransomware also deletes 1,000 more files. The good news is there's a free Decrypter available to unlock the ransomware. The Decrypter was built by Michael Gillespie, who announced yesterday on Softpedia the ID Ransomware service, which tells infected victims what kind of ransomware infection they have by allowing them to upload an encrypted file and the ransom note.

An anonymous reader writes: Researchers found a new ransomware yesterday called Jigsaw which will first lock your files and ask for a 0.4 Bitcoin ($150 USD) payment. If users don't pay, every hour the ransomware deletes your files. If the user restarts their PC, the ransomware also deletes 1,000 more files. The good news is there's a free Decrypter available to unlock the ransomware. The Decrypter was built by Michael Gillespie, who announced yesterday on Softpedia the ID Ransomware service, which tells infected victims what kind of ransomware infection they have by allowing them to upload an encrypted file and the ransom note.

An anonymous reader writes: Two Google developers have uploaded an unofficial (for now) draft to the World Wide Web Consortium's Web Incubator Community Group (W3C WICG) that describes a method of interconnecting USB-capable devices to Web pages. The API, called WebUSB, allows device manufacturers to provide special "registry and landing pages" where they can host JavaScript SDKs for their USB-capable devices. Site owners can load these SDKs as iframes inside their websites, and allow a site to access and relay commands (via the iframe to the browser's WebUSB API) to the actual device. To protect privacy and security, the WebUSB API also comes with a CORS-like system that prompts users for access to their devices to avoid abuse and Web-based fingerprinting. The system is also backward compatible with devices created before the standard's approval (if it gets approved).

An anonymous reader writes: On April 6, a hacking outfit going by the name of Cyber Justice Team leaked data from multiple Syrian government and private websites. The leak includes the password file from the breached server, along with MySQL host permissions, admin passwords, and a link to the 10GB compressed file, uploaded to the file sharing site MEGA. While some of the data seems to be from older data breaches, some of it is also new. This is one of the biggest leaks of Syrian government data, a regime that has remained protected against such threats due to an aggressive cyber-policy. The government has been known to secretly back the Syrian Electronic Army hacker group, who the US government recently indicted (3 members at least).

An anonymous reader writes "Malware operators have bribed employees of a gaming company to bundle malware with their mobile apps." Because the app-maker reportedly had a good-faith agreement with China's biggest antivirus company, the apps were apparently whitelisted without a thorough check, according to Softpedia. They cite a report from Check Point which describes how attackers would later pretend to be shoppers on a popular Chinese site where pictures of the desired items are sent to sellers. "The seller would open the picture on a PC and become infected," writes Check Point, "because the Trojan would not be detected," and a subsequent request for a refund would deliver the login credentials for the seller's payment account.

"This example illustrates how important it is to avoid third-party stores and to instead at least rely on stores with more reliable security," argues Check Point. "But even still, stores like the App Store and Google Play aren't immune to threats."

prisoninmate quotes a report from Softpedia: UbuntuBSD maintainer and lead developer Jon Boden is now looking for a way for his operating system to contribute to the Ubuntu community and, eventually, become an official Ubuntu flavor. Just two weeks ago, [Softpedia] introduced the ubuntuBSD project, whose main design goal is to bring users an operating system powered by the FreeBSD kernel while offering them the familiarity of the Ubuntu Linux OS. Right now, ubuntuBSD is in heavy development, with a fourth Beta build out the door, and it looks like the developer already seeks official status and wants to contribute all of his work to the main Ubuntu channels. [Canonical has yet to respond.]

prisoninmate writes: To celebrate the launch of Ubuntu 16.04 LTS, due for release later this month, on April 21, Canonical put together an interesting infographic, showing the world how popular Ubuntu is. From the infographic, it looks like there are over 60 million Ubuntu images launched by Docker users, 14 million Vagrant images of Ubuntu 14.04 LTS from HashiCorp, 20 million launches of Ubuntu instances during 2015 in public and private clouds, as well as bare metal, and 2 million new Ubuntu Cloud instances launched in November 2015. Ubuntu is used on the International Space Station, on the servers of popular online services like Netflix, Snapchat, Pinterest, Reddit, Dropbox, PayPal, Wikipedia, and Instagram, in Google, Tesla, George Hotz, and Uber cars. It is also employed at Bloomberg, Weta Digital and Walmart, at the Brigham Young University to control the Mars Rover, and it is even behind the largest supercomputer in the world.

An anonymous reader writes: A trio of security researchers have devised a new automated attack that can break the CAPTCHA systems employed by Google and Facebook. On Google's reCAPTCHA system, researchers recorded a 70.78 percent success rate over 2,235 CAPTCHAs. Average CAPTCHA solving time was 19.2 seconds. They achieved a better success rate on Facebook's system, where they had a success rate of 83.5 percent on over 200 CAPTCHAs, but this was mainly because of higher quality images, and photos were selected from different topics, and were also easier to recognize and classify. For attackers, the whole automated system would cost only $110 a day, per IP address, and would allow them to crack around 63,000 CAPTCHAs in 24 hours from one IP address without being detected and getting banned.