Slashdot Mirror

New submitter bnortman (922608) was the first to write in with word of "a new research paper discussing a new form of user fingerprinting and tracking for the web using the HTML 5 <canvas> ." globaljustin adds more from an article at Pro Publica: Canvas fingerprinting works by instructing the visitor's Web browser to draw a hidden image. Because each computer draws the image slightly differently, the images can be used to assign each user's device a number that uniquely identifies it. ... The researchers found canvas fingerprinting computer code ... on 5 percent of the top 100,000 websites. Most of the code was on websites that use the AddThis social media sharing tools. Other fingerprinters include the German digital marketer Ligatus and the Canadian dating site Plentyoffish. ... Rich Harris, chief executive of AddThis, said that the company began testing canvas fingerprinting earlier this year as a possible way to replace cookies ...

New submitter deepdive writes "I have a basic question: What is the privacy/security health of the Linux kernel (and indeed other FOSS OSes) given all the recent stories about the NSA going in and deliberately subverting various parts of the privacy/security sub-systems? Basically, can one still sleep soundly thinking that the most recent latest/greatest Ubuntu/OpenSUSE/what-have-you distro she/he downloaded is still pretty safe?"

Oracle Goddess writes "In what appears to be a carefully planned suicide, Rupert Murdoch announced that his media giant News Corporation Ltd intends to charge for all its news websites in a bid to lift revenues, as the transition towards online media permanently changes the advertising landscape. 'The digital revolution has opened many new and inexpensive methods of distribution, but it has not made content free. Accordingly we intend to charge for all our news websites,' Murdoch said."

Anonymous writes "Here's a step-by-step look at building a PC with the new Antec Skeleton PC chassis. It's obviously not for everybody, but at least Antec is trying out something relatively new for hard-core users. Not sure if you'd need an air spray can to keep the dust off all the components, though ..."

An anonymous reader writes "The FreeBSD Project has begun the switch of its source code management system from CVS to Subversion. At this point in time, FreeBSD's developers are making changes to the base system in the Subversion repository. We have a replication system in place that exports our work to the legacy CVS tree on a continuous basis. People who are using our extensive CVS based distribution network (including anoncvs, CVSup, cvsweb, ftp) will not be interrupted by our work-in-progress. We are committed to maintaining the existing CVS based distribution system for at least the support lifetime of all existing 'stable' branches. Security and errata patches will continue to be made available in their usual CVS locations."

Dean Wilson writes "When it comes to software development the Pragmatic Programmers are widely recognised as masters of their trade, but with the release of their award-winning Starter Kit Series they've begun to gain a reputation for writing, editing and finding book authors that are as talented as they are. Pragmatic Version Control Using Subversion by Mike Mason is an excellent example. The book itself is an introduction to using Subversion (focusing on the command-line tools), but while it clearly covers all the essentials: basic commands, tagging, branching, etc. it also delves into some of the related, but often overlooked areas of version control. When it comes to version control systems, CVS has long been the workhorse of the Open Source and Free Software movements -- but with the release of Subversion, it's time to put the old nag to rest; and this book tells you what you need to do it." Read on for the rest of Wilson's review. Pragmatic Version Control Using Subversion author Mike Mason pages 224 publisher The Pragmatic Programmers rating 8 reviewer Dean Wilson ISBN 0974514063 summary An excellent guide to version control with Subversion for developers and sysadmins

Chapters on repository layouts, integrating third party code (into your source tree and products) and conflict resolution all help raise this book from just being a single application tutorial into a best practices guide that you'll come back to long after you've gained confidence with Subversion itself.

Pragmatic Version Control Using Subversion is very similar to Pragmatic Version Control Using CVS, but this is in no way a criticism! The previous book was the best introduction to CVS that I've read, and this related volume manages to retain the winning formula while adding useful sections, such as CVS hints, to help people migrating across.

While the book has a broad appeal, the ideal audience are those developers who know they should be doing version control but have heard it's too complex, have been burnt by previous mistakes, or just don't know where to start. Seasoned developers will also find this book useful, but in different ways. For instance, using it as an easy to scan and follow reference, handing it down to less experienced colleagues, or even just for quickly bringing themselves up to speed when moving from CVS to Subversion.

Considering the book's slim size (or quick download, if you purchase the PDF version) it packs in surprisingly wide coverage of the important topics. The first two chapters provide an overview and sell the benefits of using a version control system. They cover what should and shouldn't be under version control, and clearly explain the terminology required to understand both the technology in general and the book's later chapters.

Chapters 3, 4, and 5 get you working from your own Subversion repository and introduce the essential commands. They show how to create, add and import your projects in a clear, easy-to-understand way. Once you have some files to work with, they take you through a well-paced tour of the simple operations; checking out, committing and accessing the files in different ways.

Following these, Chapter 6, "Common Subversion Commands," shows some of the more complex but essential tasks you'll want to perform in Subversion; setting properties, looking at changes and their associated history and how to handle merge conflicts. These are all presented in short sections that provide enough information to be useful on a day-to- day basis while not leaving beginners bogged down in the minutiae.

Jumping ahead slightly, we leave the part of the book that everybody using Subversion should read and move onto the more powerful, and complex, functionality such as "Using Tags and Branches" (Chapter 8) and the more abstract topics of "Organising Your Repository" (Chapter 7) and dealing with "Third Party Code" (Chapter 10).

Chapter 8 stands alone in the second half of the book due to its coverage of a very technical subject; chapters 7, 9 and 10 are more abstract. Tagging and branching are one of the more notorious areas of version control, but this book -- much like the CVS book before it -- manages to explain not only when and how to use both tags and branches, but also provides enough guidance to allow the reader to 'smell' when something's wrong and adding them would make it worse.

Chapters 7, 9 and 10 logically combine to cover the issues surrounding setting up your own project, including the project's structure, the integration of third party code, external projects, and binary libraries such as Nunit or Java mock libraries. Considering the amount of maintenance coding (as opposed to new projects) that happens in the world, these chapters might not be immediately useful to a fair chunk of the readership. I don't think they should be removed, though -- better to leave them in and show best practices and experience-driven common sense than remove them and let people make the same mistakes over and over again.

It's worth noting that the appendices are a lot more useful than the filler material typically found lurking at the back of a book -- they cover a couple of topics that don't fit elsewhere and help round out both the book's coverage and appeal.

Appendix A is more relevant to system administrators than developers. It shows how to install Subversion on the server. It then gives a brief introduction to configuring, serving (using either the native svnserve, svn over SSH or via Apache) and adding basic security to your repositories. It finishes off with a short, but useful, digression into backing up your hard work.

This appendix provides a valuable, quick guide to getting a Subversion install in place. It's a good starting point for anyone who needs to actually run and maintain a Subversion server.

The remaining appendices vary in usefulness. Appendix B is a concise introduction to migrating a CVS repository to Subversion; this is something you either need desperately or won't care about. Most of Appendix C shows how to perform common tasks using the TortoiseSVN extension for Windows Explorer; this won't appeal to the Unix/Linux crowd but might help sway Windows developers away from the hell that is Visual Source Safe.

In short, whether you're new to version control in general or just Subversion itself, this book is highly recommended. Clear, concise and crammed full of useful, important and dare I say, pragmatic, advice and information. An excellent book in its own right and a worthy addition to the Starter Kit Series.

Dean Wilson is a System Administrator at Outcome Technologies. His personal site is unixdaemon.net. You can purchase Pragmatic Version Control Using Subversion from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page

An anonymous reader writes " Shortly after Linuxant has released their commercial DriverLoader, Pontus Fuchs has made an NDIS wrapper available under the GPL. Since some vendors refuse to release specifications or even a binary Linux-driver for their Wireless LAN cards he has decided to solve it himself by making a kernel module that can load Microsoft-Windows NDIS drivers. ndiswrapper has been tested with some BroadCom miniPCI cards and it seems to work on some laptops . With some more work it should be possible to support more cards. Hopefully this will be the case for the many owners of Linux laptops based on Intel's Centrino technology. Please contact Pontus if you are interested in helping out!"

Cap'n Grumpy writes "You know the score - you've just finished some coding, do a final cvs update before commiting, and all of a sudden all hell breaks loose. Your code now refuses to compile, or xunit starts flashing up red - test failures! One of the other members of your team has checked in something which breaks the build, and they just went out for lunch ... Argh! Did you know there is a solution to this problem? It is a system which makes it impossible for people to check in code which does not compile or test successfully. It allows coders to review others coding efforts code before it goes into the baseline, rather than after. It organises your checkins into logical change sets. It enforces continuous integration. It is linux based, and GPL'd. It's called Aegis."

nomadic writes: " Salon has a really interesting interview with recent ICANN board member-elect Karl Auerbach regarding his view of what ICANN should and should not become. Basically, he thinks it should be almost totally restructured, and I can't say I disagree with him. And whether you agree with his views or not, I think a lot of people here should appreciate the fact that someone with serious geek credentials made it to the board."

U.S. Senators Mark R. Warner (D-VA) and Deb Fischer (R-NE) have introduced a bill to ban online social media companies from tricking consumers into giving away the rights to their data. The Deceptive Experiences To Online Users Reduction (DETOUR) Act would ban companies "from manipulating adults into signing away their data, or manipulating children into staying on a platform compulsively," reports Motherboard. "The bill also requires platforms to ensure informed consent from users before green-lighting academic studies." From the report: The DETOUR Act would make it illegal to "design, modify, or manipulate a user interface" in order to obscure, subvert, or impair a user's ability to decide how their data is used. The interface refers to the "style, layout, and text" of a privacy policy. The rigor of default privacy regulations would also be subject to regulation under the DETOUR Act. The DETOUR Act would also ban features that encourage "compulsive usage" for children under 13 years old. This would directly target platforms like YouTube, which has auto-play for both its regular site and for its child-specific YouTube Kids app. A representative for Common Sense Media told Motherboard in a phone call that the organization provided feedback and input to the authors of the bill.

The law would also apply to "behavioral or psychological experiments or studies," such as the ones used by Cambridge Analytica in order to sort users by personality type. Per the bill, any such studies have to get informed consent first, and experimenters would need to make routine disclosures to participants and to the public every 90 days. If enacted, the DETOUR Act would require tech companies to make their own Independent Review Boards, which would be responsible for making sure they comply with the law. The act would also give the FTC one year to make infrastructure to would review tech companies and enforce violations of the law.

Google executives are conducting a secret internal assessment of work on a censored search engine for China. "A small group of top managers at the internet giant are conducting a 'performance review' of the controversial effort to build the search platform, known as Dragonfly, which was designed to blacklist information about human rights, democracy, religion, and peaceful protest," reports The Intercept. From the report: Performance reviews at Google are undertaken annually to evaluate employees' output and development. They are usually carried out in an open, peer review-style process: Workers grade each other's projects and the results are then assessed by management, who can reward employees with promotion if they are deemed ready to progress at the company. In the case of Dragonfly, however, the peer review aspect has been removed, subverting the normal procedure. In a move described as highly unusual by two Google sources, executives set up a separate group of closed "review committees," comprised of senior managers who had all previously been briefed about the China search engine.

The existence of the Dragonfly review committees has not been disclosed to rank-and-file Google employees, except for the few who have been evaluated by the committees because they worked on China search. Fewer than a dozen top managers at the company are said to be looped in on the review, which has involved studying documents and technical work related to Dragonfly. "Management has decided to commit to keeping this stuff secret," said a source with knowledge of the review. They are "holding any Dragonfly-specific documents out of [employees'] review tools, so that promotion is decided only by a committee that is read in on Dragonfly." Executives likely feared that following the normal, more open performance review process with Dragonfly would have allowed workers across the company to closely scrutinize it, according to two Google sources.

An anonymous reader quotes a report from TechCrunch: When the government comes for your data, tech companies can't always tell you. But thanks to a legal loophole, companies can say if they haven't had a visit yet. These so-called "warrant canaries" -- named for the poor canary down the mine that dies when there's gas that humans can't detect -- are a key transparency tool that predominantly privacy-focused companies use to keep their customers aware of the goings-on behind the scenes. Where companies have abandoned their canaries or caved to legal pressure, Cloudflare is bucking the trend. The networking and content delivery network giant said in a blog post this week that it's expanding the transparency reports to include more canaries.

To date, the company: has never turned over their SSL keys or customers' SSL keys to anyone; has never installed any law enforcement software or equipment anywhere on their network; has never terminated a customer or taken down content due to political pressure; and has never provided any law enforcement organization a feed of customers' content transiting their network. Now Cloudflare's warrant canaries will include: Cloudflare has never modified customer content at the request of law enforcement or another third party; Cloudflare has never modified the intended destination of DNS responses at the request of law enforcement or another third party; and Cloudflare has never weakened, compromised, or subverted any of its encryption at the request of law enforcement or another third party. It has also expanded and replaced its first canary to confirm that the company "has never turned over our encryption or authentication keys or our customers' encryption or authentication keys to anyone." Cloudflare said that if it were ever asked to do any of the above, the company would "exhaust all legal remedies" to protect customer data, and remove the statements from its site. According to Cloudflare's latest transparency report out this week, the company responded to just seven subpoenas of the 19 requests, affecting 12 accounts and 309 domains. Cloudflare also responded to 44 court orders of the 55 requests, affecting 134 accounts and 19,265 domains. They received between 0-249 national security requests for the duration, but didn't process any wiretap or foreign government requests for the duration.

In October last year, Bloomberg Businessweek published an alarming story: Operatives working for China's People's Liberation Army had secretly implanted microchips into motherboards made in China and sold by U.S.-based Supermicro. While Bloomberg's story -- which has been challenged by numerous players -- may well be completely (or partly) wrong, the danger of China compromising hardware supply chains is very real, judging from classified intelligence documents, reports The Intercept. From the report: U.S. spy agencies were warned about the threat in stark terms nearly a decade ago and even assessed that China was adept at corrupting the software bundled closest to a computer's hardware at the factory, threatening some of the U.S. government's most sensitive machines, according to documents provided by National Security Agency whistleblower Edward Snowden. The documents also detail how the U.S. and its allies have themselves systematically targeted and subverted tech supply chains, with the NSA conducting its own such operations, including in China, in partnership with the CIA and other intelligence agencies. The documents also disclose supply chain operations by German and French intelligence.

What's clear is that supply chain attacks are a well-established, if underappreciated, method of surveillance -- and much work remains to be done to secure computing devices from this type of compromise. "An increasing number of actors are seeking the capability to target ... supply chains and other components of the U.S. information infrastructure," the intelligence community stated in a secret 2009 report. "Intelligence reporting provides only limited information on efforts to compromise supply chains, in large part because we do not have the access or technology in place necessary for reliable detection of such operations."

Tomorrow Facebook will encounter a slew of fresh complexities with the launch of Community Actions, its News Feed petition feature. From a report: Community Actions could unite neighbors to request change from their local and national elected officials and government agencies. But it could also provide vocal interest groups a bully pulpit from which to pressure politicians and bureaucrats with their fringe agendas. Community Actions embodies the central challenge facing Facebook. Every tool it designs for positive expression and connectivity can be subverted for polarization and misinformation. Facebook's membership has swelled into such a ripe target for exploitation that it draws out the worst of humanity. You can imagine misuses like "Crack down on [minority group]" that are offensive or even dangerous but some see as legitimate. The question is whether Facebook puts in the forethought and aftercare to safeguard its new tools with proper policy and moderation. Otherwise each new feature is another liability.

Community Actions start to roll out to the US tomorrow after several weeks of testing in a couple of markets. Users can add a title, description, and image to their Community Action, and tag relevant government agencies and officials who'll be notified. The goal is to make the Community Action go viral and get people to hit the "Support" button. Community Actions have their own discussion feed where people can leave comments, create fundraisers, and organize Facebook Events or Call Your Rep campaigns. Facebook displays the numbers of supporters behind a Community Action, but you'll only be able to see the names of those you're friends with or that are Pages or public figures.

The Model 3 will be entered into Pwn2Own this year, the first time a car has been included in the annual high-profile hacking contest. The prize for the winning security researchers: a Model 3. TechCrunch reports: Pwn2Own, which is in its 12th year and run by Trend Micro's Zero Day Initiative, is known as one of the industry's toughest hacking contests. ZDI has awarded more than $4 million over the lifetime of the program. Pwn2Own's spring vulnerability research competition, Pwn2Own Vancouver, will be held March 20 to 22 and will feature five categories, including web browsers, virtualization software, enterprise applications, server-side software and the new automotive category. The targets, chosen by ZDI, include software products from Apple, Google, Microsoft, Mozilla, Oracle and VMware. And, of course, Tesla . Pwn2Own is run in conjunction with the CanSec West conference. There will be "more than $900,000 worth of prizes available for attacks that subvert a variety of [the Model 3's] onboard systems," reports Ars Technica. "The biggest prize will be $250,000 for hacks that execute code on the car's getaway, autopilot, or VCSEC."

"A gateway is the central hub that interconnects the car's powertrain, chassis, and other components and processes the data they send. The autopilot is a driver assistant feature that helps control lane changing, parking, and other driving functions. Short for Vehicle Controller Secondary, VCSEC is responsible for security functions, including the alarm."

Seven Russian intelligence officers have been indicted by the Justice Department for computing hacking, wire fraud, money laundering, and identity theft -- all as part of an effort to distract from Russia's state-sponsored doping program. The defendants reportedly stole and disseminated the personal information of several prominent anti-doping officials and 250 athletes following the 2014 Sochi Olympics. The Verge reports: The indictment names all seven of the accused as members of the Russian Federation intelligence agency (or GRU) housed within the intelligence directorate of the Russian military. Three of the defendants were also charged as part of the Mueller investigation regarding hacking the Democratic National Convention in an attempt to compromise U.S. election infrastructure in 2016. The Justice Department claimed in its indictment that the GRU officials were working to undermine the advocacy of anti-doping organizations, officials, and athletes following the exposure of a Russian state-sponsored doping campaign in 2015. Login credentials were stolen through classic phishing techniques, which, in some cases, gave the hackers access to the medical profiles of some athletes. This information was then disseminated over social media by the hackers who disguised themselves as a hacktivist group called the Fancy Bears' Hack Team.

In the case of four-time Olympic gold medalist runner Mo Farah, the Fancy Bears' Hack Team had gained access to his "biological passport." This set of information tracks the blood data of athletes in order to monitor the potentiality of doping. The group then posted the contents of Farah's profile over social media, pointing to results that claimed he was "likely doping." By use of this method, the hackers were able to subvert media attention away from Russia's doping accusations and point the finger at other countries as well. The indictment claims that the hackers spoke to 186 different reporters in order to "amplify the exposure" of their message.

An anonymous reader quotes a report from Ars Technica: In addition to ditching its own net neutrality rules, the Federal Communications Commission also plans to tell state and local governments that they cannot impose local laws regulating broadband service. This detail was revealed by senior FCC officials in a phone briefing with reporters today, and it is a victory for broadband providers that asked for widespread preemption of state laws. FCC Chairman Ajit Pai's proposed order finds that state and local laws must be preempted if they conflict with the U.S. government's policy of deregulating broadband Internet service, FCC officials said. The FCC will vote on the order at its December 14 meeting. It isn't clear yet exactly how extensive the preemption will be. Preemption would clearly prevent states from imposing net neutrality laws similar to the ones being repealed by the FCC, but it could also prevent state laws related to the privacy of Internet users or other consumer protections. Pai's staff said that states and other localities do not have jurisdiction over broadband because it is an interstate service and that it would subvert federal policy for states and localities to impose their own rules.

chicksdaddy provides five (or more) "good" reasons why we should ignore the South Carolina election hacking story that was reported yesterday. According to yesterday's reports, South Carolina's voter-registration system was hit with nearly 150,000 hack attempts on election day. Slashdot reader chicksdaddy writes from an opinion piece via The Security Ledger: What should we make of the latest reports from WSJ, The Hill, etc. that South Carolina's election systems were bombarded with 150,000 hacking attempts? Not much, argues Security Ledger in a news analysis that argues there are lots of good reasons to ignore this story, if not the very real problem of election hacking. The stories were based on this report from The South Carolina Election Commission. The key phrase in that report is "attempts to penetrate," Security Ledger notes. Information security professionals would refer to that by more mundane terms like "port scans" or probes. These are kind of the "dog bites man" stories of the cyber beat -- common (here's one from 2012 US News & World Report) but ill informed. "The kinds of undifferentiated scans that the report is talking about are the internet equivalent of people driving slowly past your house." While some of those 150,000 attempts may well be attempts to hack South Carolina's elections systems, many are undifferentiated, while some may be legitimate, if misdirected. Whatever the case, they're background noise on the internet and hardly unique to South Carolina's voter registration systems. They're certainly not evidence of sophisticated, nation-state efforts to crack the U.S. election system by Russia, China or anyone else, Security Ledger argues. "The problem with lumping all these 'hacking attempts' in the same breath as you talk about sophisticated and targeted attacks on the Clinton Campaign, the DCCC, and successful penetration of some state election boards is that it dramatically distorts the nature and scope of the threat to the U.S. election system which -- again -- is very real." The election story is one "that demands thoughtful and pointed reporting that can explore (and explode) efforts by foreign actors to subvert the U.S. vote and thus its democracy," the piece goes on to argue. "That's especially true in an environment in which regulators and elected officials seem strangely incurious about such incidents and disinclined to investigate them."

An anonymous reader writes: "While the world was busy dealing with the WannaCry ransomware outbreak, last Friday, about the time when we were first seeing a surge in WannaCry attacks, WikiLeaks dumped new files part of the Vault 7 series," reports BleepingComputer. This time, the organization dumped user manuals for two hacking tools named AfterMidnight and Assassin. Both are malware frameworks, but of the two, the most interesting is AfterMidnight -- a backdoor trojan for stealing data from infected PCs. According to its leaked manual, AfterMidnight contains a module to "subvert" user software by killing processes and delaying the execution of user software. Examples in this manual show CIA operatives how to kill browsers every 30 seconds to keep targets focused on their work, how to delay the execution of PowerPoint software with 30 seconds just to mess with their targets, or how to lock up 50% of PC resources whenever the user starts certain software. Basically, the CIA created nagware.

UK ISP Virgin Media is expanding its public Wi-Fi network by co-opting customers' home routers as hotspots. Only the most recent router design (the SuperHub v3) will be recruited at first, and customers can opt-out from the program if they wish. Virgin says the change will have "no impact on customers" because affected homes will be allocated extra bandwidth. ArsTechnica offers more context: A little background: a couple of years ago, Virgin Media started trialling a public Wi-Fi service very similar to "BT Wi-Fi with FON," where residential BT customers have their routers turned into hotspots. For some reason the broad rollout of Virgin's service was delayed until now. There are some curious differences between BT and Virgin Media's approach, though. For starters, it seems only Virgin Media customers will have access to this nationwide Wi-Fi network; BT grants free access to BT customers, but non-customers can pay for access ($5 per hour). The owner of that subverted hotspot doesn't get any of the money, of course. Furthermore, while BT customers must share their ADSL or VDSL bandwidth with any public Wi-Fi users, Virgin Media promises that "your home network is completely separate from Virgin Media WiFi traffic, meaning the broadband connection you pay for is exclusively yours, and just as secure."