Peder

Troy Hunt, web security expert and creator of the website Have I Been Pwned (HIBP), wrote a blog post announcing his partnerships with Firefox and 1Password. For those unfamiliar with the site, Have I Been Pwned allows you to search across multiple data breaches to see if your email address has been compromised. The service is especially handy now that data breaches are becoming a daily occurrence. Hunt writes: Last November, there was much press about Mozilla integrating HIBP into Firefox. I was a bit surprised at the time as it was nothing more than their Breach Alerts feature which simply highlighted if the site being visited had previously been in a data breach (it draws this from the freely accessible breach API on HIBP). But the press picked up on some signals which indicated that in the long term, we had bigger plans than that and the whole thing got a heap of very positive attention. I ended up fielding a heap of media calls just on that one little feature - people loved the idea of HIBP in Firefox, even in a very simple form. As it turns out, we had much bigger plans and that's what I'm sharing here today. Over the coming weeks, Mozilla will begin trialling integration between HIBP and Firefox to make breach data searchable via a new tool called "Firefox Monitor." Here's what Hunt has to say about 1Password: As of now, you can search HIBP from directly within 1Password via the Watchtower feature in the web version of the product. This helps Watchtower become "mission control" for accounts and introduces the "Breach Report" feature. If you're a 1Password user you can use this feature right now, just head on over to the 1Password login page.

Read more of this story at Slashdot.

Slashdot reader ttsiod is an embedded software engineer at the European Space Agency, and shares this story about his quest to "dominate" his new tablet: Just like it's predecessor, I wanted to run a Debian chroot inside it -- that would allow me to apt-get install and run things like Privoxy, SSH SOCKS/VPN tunnels, Flask mini-servers, etc; and in general allow me to stay in control. But there was no open-source way to do this... and I could never trust "one-click roots" that communicate with servers in China... It took me weeks to reverse engineer my tablet -- and finally succeed in becoming root. The journey was quite interesting, and included both hardware and software tinkering. I learned a lot while doing it -- and wanted to share the experience with my fellow Slashdotters... He writes that "I trust Debian. Far more than I trust the Android ecosystem," and describes everything from how he probed the boot process and created his own boot image to hunting for a way "to tell SELinux to get off my lawn".

Read more of this story at Slashdot.

BrianFagioli writes: While there is no proof that anything nefarious is afoot, it does feel like maybe the Windows-maker is hijacking the Linux movement a bit by serving distros in its store. I hope there is no "embrace, extend, and extinguish" shenanigans going on. Just yesterday, we reported that Kali Linux was in the Microsoft Store for Windows 10. That was big news, but it was not particularly significant in the grand scheme, as Kali is not very well known. Today, there is some undeniably huge news -- Debian is joining SUSE, Ubuntu, and Kali in the Microsoft Store. Should the Linux community be worried? My concern lately is that Microsoft could eventually try to make the concept of running a Linux distro natively a thing of the past. Whether or not that is the company's intention is unknown. The Windows maker gives no reason to suspect evil plans, other than past negative comments about Linux and open source. For instance, former Microsoft CEO Steve Ballmer once called Linux "cancer" -- seriously.

Read more of this story at Slashdot.

Two independent Israeli researchers found a way for an attacker to bypass the lock protection on Windows machines and install malware by using voice commands directed at Cortana, the multi-language, voice-commanded virtual assistant that comes embedded in Windows 10 desktop and mobile operating systems. From a report: Tal Be'ery and Amichai Shulman found that the always-listening Cortana agent responds to some voice commands even when computers are asleep and locked, allowing someone with physical access to plug a USB with a network adapter into the computer, then verbally instruct Cortana to launch the computer's browser and go to a web address that does not use https -- that is, a web address that does not encrypt traffic between a user's machine and the website. The attacker's malicious network adapter then intercepts the web session to send the computer to a malicious site instead, where malware downloads to the machine, all while the computer owner believes his or her machine is protected.

Read more of this story at Slashdot.

wiredmikey quotes SecurityWeek: Researchers have discovered more than 130 malware samples designed to exploit the recently disclosed Spectre and Meltdown CPU vulnerabilities. While a majority of the samples appear to be in the testing phase, we could soon start seeing attacks... On Wednesday, antivirus testing firm AV-TEST told SecurityWeek that it has obtained 139 samples from various sources, including researchers, testers and antivirus companies... Fortinet, which also analyzed many of the samples, confirmed that a majority of them were based on available proof of concept code. Andreas Marx, CEO of AV-TEST, believes different groups are working on the PoC exploits to determine if they can be used for some purpose. "Most likely, malicious purposes at some point," he said.

Read more of this story at Slashdot.

BrianFagioli writes: While Microsoft has long been viewed as an enemy of the Linux community -- and it still is by some -- the company has actually transformed into an open source champion. One of Microsoft's biggest Linux contributions, however, is Skype -- the wildly popular communication software. By offering that program to desktop Linux users, Microsoft enables them to easily communicate with friends and family that aren't on Linux, thanks to its cross-platform support. Today, Microsoft further embraces Linux by releasing Skype as a Snap. This comes after two other very popular apps became available in Snap form -- Spotify and Slack. "Skype is used by millions of users globally to make free video and voice calls, send files, video and instant messages and to share both special occasions and everyday moments with the people who matter most. Skype has turned to snaps to ensure its users on Linux, are automatically delivered to its latest versionupon release. And with snaps' roll-back feature, whereby applications can revert back to the previous working version in the event of a bug, Skype's developers can ensure a seamless user experience," says Canonical.

Read more of this story at Slashdot.

Catalin Cimpanu, writing for BleepingComputer: Attackers can use sound waves to interfere with a hard drive's normal mode of operation, creating a temporary or permanent denial of state (DoS) that could be used to prevent CCTV systems from recording video footage or freeze computers dealing with critical operations. The basic principle behind this attack is that sound waves introduce mechanical vibrations into an HDD's data-storage platters. If the sound is played at a specific frequency, it creates a resonance effect that amplifies the vibration effect. Because hard drives store vasts amounts of information inside small areas of each platter, they are programmed to stop all read/write operations during the time a platter vibrates so to avoid scratching storage disks and permanently damaging an HDD. Last week, scientists from the Princeton and Purdue universities published new research into the topic, expanding on the previous findings with the results of additional practical tests. The research team used a specially crafted test rig to blast audio waves at a hard drive from different angles, recording results to determine the sound frequency, attack time, distance from the hard drive, and sound wave angle at which the HDD stopped working.

Read more of this story at Slashdot.

Quartz has published a video on YouTube about two entrepreneurs who have figured out how to heat their homes for free by mining bitcoin. The "miner" -- that is, the machine mining the bitcoins -- warms up liquid that is then transferred to the underfloor heating system. The cottage has two miners, which bring in about $430 per month from processing bitcoin transactions -- all while keeping the 20 square meter space warm.

Read more of this story at Slashdot.

Andy Greenberg, writing for Wired:At today's Ekoparty security conference, security firm Duo plans to present research on how it delved into the guts of tens of thousands of computers to measure the real-world state of Apple's so-called extensible firmware interface, or EFI. This is the firmware that runs before your PC's operating system boots and has the potential to corrupt practically everything else that happens on your machine. Duo found that even Macs with perfectly updated operating systems often have much older EFI code, due to either Apple's neglecting to push out EFI updates to those machines or failing to warn users when their firmware update hits a technical glitch and silently fails. For certain models of Apple laptops and desktop computers, close to a third or half of machines have EFI versions that haven't kept pace with their operating system system updates. And for many models, Apple hasn't released new firmware updates at all, leaving a subset of Apple machines vulnerable to known years-old EFI attacks that could gain deep and persistent control of a victim's machine.

Read more of this story at Slashdot.

Researchers caught the bacteria Mycoplasma hyorhinis hiding out among cancer cells, thwarting chemotherapy drugs intended to treat the tumors they reside in. The findings have been published this week in Science. Ars Technica reports: Drug resistance among cancers is a "foremost challenge," according to the study's authors, led by Ravid Straussman at the Weizmann Institute of Science. Yet the new data suggest that certain types of drug-resistant cancers could be defeated with a simple dollop of antibiotics alongside a chemotherapy regimen. Dr. Straussman and his colleagues got a hunch to look for the bacteria after noticing that, when they grew certain types of human cancer cells together in lab, the cells all became more resistant to a chemotherapy drug called gemcitabine. This is a drug used to treat pancreatic, lung, breast, and bladder cancers and is often sold under the brand name Gemzar. The researchers suspected that some of the cells may secrete a drug-busting molecule. So they tried filtering the cell cultures to see if they could catch it. Instead, they found that the cell cultures lost their resistance after their liquid broth passed through a pretty large filter -- 0.45 micrometers. This would catch large particles -- like bacteria -- but not small molecules, as the researchers were expecting. Looking closer, the researchers noticed that some of their cancer cells were contaminated with M. hyorhinis. And these bacteria could metabolize gemcitabine, rendering the drug useless. When the researchers transplanted treatable cancer cells into the flanks of mice -- some with and some without M. hyorhinis -- the bacteria-toting tumors were resistant to gemcitabine treatment.

Read more of this story at Slashdot.

Adam Nossiter, David E. Sanger, and Nicole Perlroth, reporting for the New York Times: Everyone saw the hackers coming. The National Security Agency in Washington picked up the signs. So did Emmanuel Macron's bare-bones technology team. And mindful of what happened in the American presidential campaign, the team created dozens of false email accounts, complete with phony documents, to confuse the attackers (Editor's note: the link could be paywalled; alternative source). The Russians, for their part, were rushed and a bit sloppy, leaving a trail of evidence that was not enough to prove for certain they were working for the government of President Vladimir V. Putin but which strongly suggested they were part of his broader "information warfare" campaign. The story told by American officials, cyberexperts and Mr. Macron's own campaign aides of how a hacking attack intended to disrupt the most consequential election in France in decades ended up a dud was a useful reminder that as effective as cyberattacks can be in disabling Iranian nuclear plants, or Ukrainian power grids, they are no silver bullet. The kind of information warfare favored by Russia can be defeated by early warning and rapid exposure.

Read more of this story at Slashdot.

An anonymous reader writes from a report via Bleeping Computer: Two malware families battling for turf are most likely the cause of an outage suffered by Californian ISP Sierra Tel at the beginning of the month, on April 10. The attack, which the company claimed was a "malicious hacking event," was the work of BrickerBot, an IoT malware family that bricks unsecured IoT and networking devices. "BrickerBot was active on the Sierra Tel network at the time their customers reported issues," Janit0r told Bleeping Computer in an email, "but their modems had also just been mass-infected with malware, so it's possible some of the network problems were caused by this concomitant activity." The crook, going by Janit0r, tried to pin some of the blame on Mirai, but all the clues point to BrickerBot, as Sierra Tel had to replace bricked modems altogether, or ask customers to bring in their modems at their offices to have them reset and reinstalled. Mirai brought down over 900,000 Deutsche Telekom modems last year, but that outage was fixed within hours with a firmware update. All the Sierra Tel modems bricked in this incident were Zyxel HN-51 models, and it took Sierra Tel almost two weeks to fix all bricked devices.

Read more of this story at Slashdot.

Motherboard carries a report that with equipment valued at about $3,000, a group of Israeli researchers have been able to extract cryptographic keys from a laptop that is not only separated by a physical wall, but protected by an air gap. This, they say, "is the first time such an approach has been used specifically against elliptic curve cryptography running on a PC." From the article: The method is a so-called side-channel attack: an attack that doesn't tackle an encryption implementation head on, such as through brute force or by exploiting a weakness in the underlying algorithm, but through some other means. In this case, the attack relies on the electromagnetic outputs of the laptop that are emitted during the decryption process, which can then be used to work out the target's key. Specifically, the researchers obtained the private key from a laptop running GnuPG, a popular implementation of OpenPGP. (The developers of GnuPG have since released countermeasures to the method. Tromer said that the changes make GnuPG âoemore resistant to side-channel attack since the sequence of high-level arithmetic operations does not depend on the secret key.â)

Read more of this story at Slashdot.

Andrey_Karpov writes: Svyatoslav Razmyslov from PVS-Studio Team published an article on the check of the FreeBSD kernel. PVS-Studio developers are known for analyzing various projects to show the abilities of their product, and do some advertisement, of course. Perhaps, this is one of the most acceptable and useful ways of promoting a proprietary application. They have already checked more than 200 projects and detected 9355 bugs. At least that's the number of bugs in the error base of their company. So now it was FreeBSD kernel's turn. The source code was taken from GitHub 'master' branch. Svyatoslav states that PVS-Studio detected more than 1000 suspicious code fragments that are most likely bugs or inaccurate code. He described 40 of them in the article. The list of warnings was given to the FreeBSD developer team and they have already started editing the code. A couple of words for programmers who are still not familiar with PVS-Studio. PVS-Studio is a tool for bug detection in the source code of programs, written in C, C++ and C#. It performs static code analysis and generates a report that helps a programmer find and fix the errors in the code. You can see a more detailed description of the tool on the company website and download a trial version.

Read more of this story at Slashdot.

prisoninmate writes: Canonical has been working on expanding the capabilities of Ubuntu Touch for a long time now, and it appears the company will reportedly unveil the first dedicated Ubuntu tablet device this year, during the upcoming Mobile World Congress 2016 event. Canonical has been working on implementing support for X11 apps on its Ubuntu mobile operating system, allowing users to run any graphical software that is currently in the Ubuntu repositories, such as GIMP or Firefox.

Read more of this story at Slashdot.

msm1267 writes: A patch for a critical Linux kernel flaw, present in the code since 2012, is expected to be pushed out today. The vulnerability affects versions 3.8 and higher, said researchers at startup Perception Point who discovered the vulnerability. The flaw also extends to two-thirds of Android devices, the company added. An attacker would require local access to exploit the vulnerability on a Linux server. A malicious mobile app would get the job done on an Android device. The vulnerability is a reference leak that lives in the keyring facility built into the various flavors of Linux. The keyring encrypts and stores login information, encryption keys and certificates, and makes them available to applications. Here's Perception Point's explanation of the problem.

Read more of this story at Slashdot.

An anonymous reader writes: In November, Google open sourced TensorFlow, its machine learning platform. Now, the company is following up by teaching people how to use it. They've launched a free course at Udacity that "provides you with all the basic tools and vocabulary to get started with deep learning, and walks you through how to use it to address some of the most common machine learning problems." A series of lectures explains how to set up your data, build training models, and extend those models. It also touches on image recognition and how to use recurrent neural networks. The signup page notes that this is considered an intermediate-to-advanced level course, so you'll probably need some basic machine learning knowledge to get the most out of it.

Read more of this story at Slashdot.

An anonymous reader writes: A new bug in Outlook allows attackers only to send you an email, and without clicking or downloading attachments, a user's computer can be compromised. The bug [PDF] is because Outlook allows Flash objects to be previewed without a sandbox. Flash files are demon spawns and attackers can put exploits in malicious files, which when previewed or viewed inside an Outlook application will automatically execute their payload.

Read more of this story at Slashdot.

From the good women and men over at the EFF: Earlier this year it was revealed that Lenovo was shipping computers preloaded with software called Superfish, which installed its own HTTPS root certificate on affected computers. That in and of itself wouldn't be so bad, except Superfish's certificates all used the same private key. That meant all the affected computers were vulnerable to a "man in the middle" attack in which an attacker could use that private key to eavesdrop on users' encrypted connections to websites, and even impersonate other websites. Now it appears that Dell has done the same thing, shipping laptops pre-installed with an HTTPS root certificate issued by Dell, known as eDellRoot. The certificate could allow malicious software or an attacker to impersonate Google, your bank, or any other website. It could also allow an attacker to install malicious code that has a valid signature, bypassing Windows security controls. The security team for the Chrome browser appears to have already revoked the certificate. People can test if their computer is affected by the bogus certificate by following this link. Did you buy a Dell computer during your Black Friday shopping thing over there in the US? Might want to look it over before handing it your loved one. Alternatively, just buy a Mac and don't deal with this nonsense.

Oppo has been putting a customized version of Android on its phones for years, but now it's letting you strip most of those customizations away. It released a nearly stock version of Android today that's basically just Android Lollipop with a few pieces of Oppo software, including its camera app, audio tools, and gesture support. The new release, which it's calling Project Spectrum, is able to be installed on its Find 7 and Find 7a phones and will be coming to other Oppo phones in the near future. Sometime early next year, Oppo plans to release an updated version for Android Marshmallow. More and more manufacturers seem to be getting the message: users want stock Android, because stock Android is better than whatever crap OEMs can come up with. A good development, obviously, but it still doesn't address Android'd biggest weakness: updates.

An anonymous reader writes: Wayland 1.9 and the reference Weston compositor have been ported to DragonFlyBSD. Significant changes were made to get Wayland/Weston running, and you must either already be running an X.Org Server or be using the Linux-ported Radeon and Intel kernel mode-setting drivers, plus jump through a few setup steps.

Read more of this story at Slashdot.

schwit1 writes: A new technique called transcutaneous stimulation has allowed five men with complete motor paralysis regain the ability to move their legs voluntarily and produce step-like movements. The treatment requires no surgery and adds to prior work to help paralyzed people gain voluntary movement through electrical stimulation (one completed in 2011, the other in 2014). Gizmag reports: "The new treatment uses a technique called transcutaneous electrical nerve stimulation, which involves strategically placing electrodes on the skin of the lower back. While receiving stimulation, the men's legs were supported by braces that hung from the ceiling. At first their legs only moved involuntarily, if at all. But they soon found they could voluntarily extend the distance their legs moved during stimulation. They doubled their range of voluntary motion after four treatment sessions."

Read more of this story at Slashdot.

On the heels of the recent 6.0.2 [ed. note: and I posted it again because I'm dumb] build of the Apple IIgs System Disk set, comes the next revision. Many loose ends have been tied up and documentation has been updated with changes described in detail. This release has been packaged as six 800K disk images in BXY format (Shrinkit Compatible Binary II Encoded), .PO format, and as a versatile 32MB ‘Live Installer in .PO format that boots to Finder for immediate access to all portions of the System Software and installing without the need of mounting multiple images or swapping floppies. This image can also be installed to a 32MB partition, CD ROM, etc. An absolutely amazing initiative, and so far, it seems like it's sticking. Awesome.

msm1267 writes: Two Belgian security researchers from the University of Leuven have driven new nails into the coffin of the RC4 encryption algorithm. A published paper, expected to be delivered at the upcoming USENIX Security Symposium next month in Washington, D.C., describes new attacks against RC4 that allow an attacker to capture a victim's cookie and decrypt it in a much shorter amount of time than was previously possible. The paper "All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS," written by Mathy Vanhoef and Frank Piessens, explains the discovery of new biases in the algorithm that led to attacks breaking encryption on websites running TLS with RC4, as well as the WPA-TKIP, the Wi-Fi Protected Access Temporal Key Integrity Protocol.

Read more of this story at Slashdot.

sciencehabit writes: A new blood test can find almost every virus you ever caught—in a single drop of blood. Called VirScan, the test surveys the antibodies present in the bloodstream to reveal a history of the viruses you've been infected with throughout your life. Besides diagnosing current illnesses, the new test could be an important tool in developing vaccines and studying links between viruses and chronic disease.

Read more of this story at Slashdot.

DeviceGuru writes: Russia-based Eltechs announced its ExaGear Desktop virtual machine last August, enabling Linux/ARMv7 SBCs and mini-PCs to run x86 software. That meant that users of the quad-core, Cortex-A7-based Raspberry Pi 2 Model B, could use it as well, although the software was not yet optimized for it. Now Eltechs has extended extended ExaGear to support earlier ARMv6 versions of the Raspberry Pi. The company also optimized the emulator for the Pi 2 allowing, for example, Pi 2 users to use automatically forwarding startup scripts.

Read more of this story at Slashdot.

Okian Warrior writes: Billionaire Elon Musk will announce next week that Tesla will begin offering battery-based energy storage for residential and commercial customers. The batteries power up overnight when energy companies typically charge less for electricity, then are used during the day to power a home. In a pilot project, Tesla has already begun offering home batteries to SolarCity (SCTY) customers, a solar power company for which Musk serves as chairman. Currently 330 U.S. households are running on Tesla's batteries in California. The batteries start at about $13,000, though California's Pacific Gas and Electric Co. (PCG) offers customers a 50% rebate. The batteries are three-feet high by 2.5-feet wide, and need to be installed at least a foot and a half off the ground. They can be controlled with a Web app and a smartphone app.

Read more of this story at Slashdot.

An anonymous reader writes A currently unpatched bug in ASUS wireless routers has been discovered whereby users inside a network can gain full administrative control, according to recent research conducted by security firm Accuvant. Although the flaw does not allow access to external hackers, anyone within the network can take administrative control and reroute users to malicious websites, as well as holding the ability to install malicious software. The vulnerability stems from a poorly coded service, infosvr, which is used by ASUS to facilitate router configuration by automatically monitoring the local area network (LAN) and identifying other connected routers. Infosvr runs with root privileges and contains an unauthenticated command execution vulnerability, in turn permitting anyone connected to the LAN to gain control by sending a user datagram protocol (UDP) package to the router. In relevant part: The block starts off by excluding a couple of OpCode values, which presumably do not require authentication by design. Then, it calls the memcpy and suspiciously checks the return value against zero. This is highly indicative that the author intended to use memcmp instead. That said, even if this check was implemented properly, knowing the device’s MAC address is hardly sufficient authentication,” said Drake. Here are the technical details at GitHub.

Read more of this story at Slashdot.

Camille van Gestel and co-founder Maurits Groen started solar-centric manufacturer WakaWaka with an explicit aim other than making money, though he's certainly not opposed to making some along the way. So it's not a non-profit, but van Gestel calls WakaWaka, which was named in a roundabout way after the Shakira song, a "purpose-driven company," with that purpose being -- no exaggeration needed -- to cast light on the world. They're doing just that, with the aid of recycled materials, low-power LEDs, and efficient solar cells. As a result, one of the portable light products that the group has created has become one of the most valued possessions among people displaced by the war in Syria, and more are lighting up villages in Haiti and elsewhere. I talked with Van Gestel at this year's CES, where the company's picked up a pair of CES Innovation Awards, and he has some advice for people who'd like to turn their technical skills to philanthropic endeavors, especially ones that involve hardware or technical infrastructure. Some of it can be summed up as "Spread the wealth, but don't do it for free." Between ongoing feedback gathered from users, a buy-one-give-one style distribution system, and requiring participation by recipients, he says WakaWaka has been able to reach people with their solar lighting products in a way that's much more valuable than just dumping hardware on them, and along the way has gotten a lot of feedback from the buyers whose purchases subsidize the company's non-profit activities. (Alternate Video Link.)

Read more of this story at Slashdot.

jones_supa writes: Dave Jones from Red Hat has written a wrap-up of the strange bug that has made some machines running Linux to freeze. (Previous discussion.) Right down to his final week at Red Hat before Dave gave all his hardware back, Linus Torvalds managed to reproduce similar symptoms, by scribbling directly to the HPET timer. He came up with a hack that at least made the kernel survive for him. When Dave tried the same patch, the machine ran for three days before he interrupted it, which was a promising result. The question remains, what was scribbling over the HPET in his case? The only two plausible scenarios Dave could think of were that Trinity generated 0xFED000F0 as a random address and passed that to a syscall which wrote to it, or a hardware bug. That's where the story ends for now. Linus' hacky workaround didn't get committed, but him and John Stultz continue to back and forth on hardening the clock management code in the face of screwed up hardware, so maybe soon we'll see something real get committed on that area.

Read more of this story at Slashdot.