Security

1 in 3 Michigan Workers Tested Opened A Password-Phishing Email (go.com) 119

An anonymous reader quotes the AP: Michigan auditors who conducted a fake "phishing" attack on 5,000 randomly selected state employees said Friday that nearly one-third opened the email, a quarter clicked on the link and almost one-fifth entered their user ID and password. The covert operation was done as part of an audit that uncovered weaknesses in the state government's computer network, including that not all workers are required to participate in cybersecurity awareness training... Auditors made 14 findings, including five that are "material" -- the most serious. They range from inadequate management of firewalls to insufficient processes to confirm if only authorized devices are connected to the network. "Unauthorized devices may not meet the state's requirements, increasing the risk of compromise or infection of the network," the audit said.
Hardware

Raspberry Pi 3 Model B+ Launched (raspberrypi.org) 164

New submitter stikves writes: The Raspberry foundation has launched an incremental update to the Raspberry Pi 3 model B: Raspberry Pi 3 Model B+. In addition to a slight increase (200MHz) in CPU speed, and upgraded networking (802.11ac and Gigabit, albeit over USB2), one big advantage is the better thermal management which allows sustained performance over longer load periods. Further reading: TechRepublic, and Linux Journal.
Security

Massive DDOS Attacks Are Now Targeting Google, Amazon, and the NRA (pcmag.com) 121

PC Magazine reports: A new way to amplify DDoS attacks has been spotted harassing Google, Amazon, Pornhub and even the National Rifle Association's main website after striking Github last week. The attacks, which exploit vulnerable "memcached servers," have been trying to hose down scores of new targets with a flood of internet traffic, according to Chinese security firm Qihoo 360... Github was the first high-profile victim and suffered a 1.35 Tbps assault -- or what was then the biggest DDoS attack on record. But days later, an unnamed U.S. service provider fended off a separate assault, which measured at 1.7 Tbps. Unfortunately, the amplified DDoS attacks haven't stopped. They've gone on to strike over 7,000 unique IP addresses in the last seven days, Qihoo 360 said in a blog post... Gaming sites including Rockstargames.com, Minecraft.net, and Playstation.net have been among those hit...

The security community is also steadily addressing the linchpin to all the assaults: the vulnerable memcached servers. About 100,000 of these online storage systems were publicly exposed over a week ago. But the server owners have since patched or firewalled about 60,000 of them, Radware security researcher Daniel Smith said. That leaves 40,000 servers open to exploitation. Smith points to how the coding behind the attack technique has started to circulate online through free tools and scripts.

Meanwhile, Slashdot reader darthcamaro shares an article about "the so-called 'kill switch'" that some vendors have been debating: "The 'kill switch' was immediately obvious to everyone who worked on mitigating this DDoS attack," John Graham-Cumming, CTO of CloudFlare said. "We chose not to use or test this method because it would be unethical and likely illegal since it alters the state of a remote machine without authorization."
Bug

How Are Sysadmins Handling Spectre/Meltdown Patches? (hpe.com) 49

Esther Schindler (Slashdot reader #16,185) writes that the Spectre and Meltdown vulnerabilities have become "a serious distraction" for sysadmins trying to apply patches and keep up with new fixes, sharing an HPE article described as "what other sysadmins have done so far, as well as their current plans and long-term strategy, not to mention how to communicate progress to management." Everyone has applied patches. But that sounds ever so simple. Ron, an IT admin, summarizes the situation succinctly: "More like applied, applied another, removed, I think re-applied, I give up, and have no clue where I am anymore." That is, sysadmins are ready to apply patches -- when a patch exists. "I applied the patches for Meltdown but I am still waiting for Spectre patches from manufacturers," explains an IT pro named Nick... Vendors have released, pulled back, re-released, and re-pulled back patches, explains Chase, a network administrator. "Everyone is so concerned by this that they rushed code out without testing it enough, leading to what I've heard referred to as 'speculative reboots'..."

The confusion -- and rumored performance hits -- are causing some sysadmins to adopt a "watch carefully" and "wait and see" approach... "The problem is that the patches don't come at no cost in terms of performance. In fact, some patches have warnings about the potential side effects," says Sandra, who recently retired from 30 years of sysadmin work. "Projections of how badly performance will be affected range from 'You won't notice it' to 'significantly impacted.'" Plus, IT staff have to look into whether the patches themselves could break something. They're looking for vulnerabilities and running tests to evaluate how patched systems might break down or be open to other problems.

The article concludes that "everyone knows that Spectre and Meltdown patches are just Band-Aids," with some now looking at buying new servers. One university systems engineer says "I would be curious to see what the new performance figures for Intel vs. AMD (vs. ARM?) turn out to be."
Google

Former Google Employee Files Lawsuit Alleging the Company Fired Him Over Pro-Diversity Posts (theverge.com) 308

According to court documents filed today, a former Google engineer is suing the company for discrimination, harassment, retaliation, and wrongful termination. "Tim Chevalier, a software developer and former site-reliability engineer at Google, claims that Google fired him when he responded with internal posts and memes to racist and sexist encounters within the company and the general response to the now-infamous James Damore memo," reports The Verge. From the report: Chevalier said in a statement to The Verge, "It is a cruel irony that Google attempted to justify firing me by claiming that my social networking posts showed bias against my harassers." Chevalier, who is also disabled and transgender, alleges that his internal posts that defended women of color and marginalized people led directly to his termination in November 2017. He had worked at Google for a little under two years. Notably, Chevalier's posts had been quoted in Damore's lawsuit against Google -- in which Damore sued the company for discrimination against conservative white men -- as evidence Google permitted liberals to speak out at the company unpunished. Chevalier's lawsuit alleges that his firing is, in fact, a form of punishment. The lawsuit was filed in San Francisco County Superior Court and Chevalier is seeking damages for lost wages, emotional distress, punitive damages, and injunctive relief against those alleged harmful acts. Google did not immediately respond to a request for comment.
Google

AMP For Email Is a Terrible Idea (techcrunch.com) 177

An anonymous reader shares an excerpt from a report via TechCrunch, written by Devin Coldewey: Google just announced a plan to "modernize" email with its Accelerated Mobile Pages platform, allowing "engaging, interactive, and actionable email experiences." Does that sound like a terrible idea to anyone else? It sure sounds like a terrible idea to me, and not only that, but an idea born out of competitive pressure and existing leverage rather than user needs. Not good, Google. Send to trash. See, email belongs to a special class. Nobody really likes it, but it's the way nobody really likes sidewalks, or electrical outlets, or forks. It's not that there's something wrong with them. It's that they're mature, useful items that do exactly what they need to do. They've transcended the world of likes and dislikes. Email too is simple. It's a known quantity in practically every company, household, and device. The implementation has changed over the decades, but the basic idea has remained the same since the very first email systems in the '60s and '70s, certainly since its widespread standardization in the '90s and shift to web platforms in the '00s. The parallels to snail mail are deliberate (it's a payload with an address on it) and simplicity has always been part of its design (interoperability and privacy came later). No company owns it. It works reliably and as intended on every platform, every operating system, every device. That's a rarity today and a hell of a valuable one.

More important are two things: the moat and the motive. The moat is the one between communications and applications. Communications say things, and applications interact with things. There are crossover areas, but something like email is designed and overwhelmingly used to say things, while websites and apps are overwhelmingly designed and used to interact with things. The moat between communication and action is important because it makes it very clear what certain tools are capable of, which in turn lets them be trusted and used properly. We know that all an email can ever do is say something to you (tracking pixels and read receipts notwithstanding). It doesn't download anything on its own, it doesn't run any apps or scripts, attachments are discrete items, unless they're images in the HTML, which is itself optional. Ultimately the whole package is always just going to be a big, static chunk of text sent to you, with the occasional file riding shotgun. Open it a year or ten from now and it's the same email. And that proscription goes both ways. No matter what you try to do with email, you can only ever say something with it -- with another email. If you want to do something, you leave the email behind and do it on the other side of the moat.

The Internet

Trump's Infrastructure Plan Has No Dedicated Money For Broadband (arstechnica.com) 103

An anonymous reader quotes a report from Ars Technica: President Trump's new 10-year plan for "rebuilding infrastructure in America" doesn't contain any funding specifically earmarked for improving Internet access. Instead, the plan sets aside a pool of funding for numerous types of infrastructure projects, and broadband is one of the eligible categories. The plan's $50 billion Rural Infrastructure Program lists broadband as one of five broad categories of eligible projects.

Eighty percent of the program's $50 billion would be "provided to the governor of each state." Governors would take the lead in deciding how the money would be spent in their states. The other 20 percent would pay for grants that could be used for any of the above project categories. Separately, broadband would be eligible for funding from a proposed $20 billion Transformative Projects Program, along with transportation, clean water, drinking water, energy, and commercial space. Trump's plan would also add rural broadband facilities to the list of eligible categories for Private Activity Bonds, which allow private projects to "benefit from the lower financing costs of tax-exempt municipal bonds." The plan would also let carriers install small cells and Wi-Fi attachments without going through the same environmental and historical preservation reviews required for large towers.

Software

Windows 10 Will Soon Get Progressive Web Apps To Boost the Microsoft Store (techradar.com) 152

The next major update to Windows 10 will bring Progressive Web Apps (PWAs) to the Microsoft Store. PWAs are websites (or web apps) which are implemented as native apps, and delivered just like a normal app through Windows 10's store. According to TechRadar, "The big advantages are that no platform-specific code is required, allowing devs to make apps that run across different platforms, and that PWAs are hosted on the developer's server, so can be updated directly from there (without having to push updates to the app store)." The other benefit for Microsoft is that they will be getting a bunch of new apps in Windows 10's store. From the report: As Microsoft explains in a blog post, these new web apps are built on a raft of nifty technologies -- including Service Worker, Fetch networking, Push notifications and more -- all of which will be enabled when EdgeHTML 17 (the next version of the rendering engine that powers the Edge browser) goes live in Windows 10 in the next big update. PWAs can be grabbed from the Microsoft Store as an AppX file, and will run in their own sandboxed container, without needing the browser to be open at all. As far as the user is concerned, they'll be just like any other app downloaded from the store. Microsoft says it is already experimenting with crawling and indexing PWAs from the web to pick out the quality offerings, which it will draft into the Microsoft Store. The firm has already combed through some 1.5 million web apps to pick out a small selection of PWAs for initial testing. As well as discovering apps via web crawling, developers will also be able to submit their offerings directly to Microsoft for approval.
OS X

Apple Deprecates More Services In OS X Server (apple.com) 145

Long-time Slashdot reader HEMI426 writes: Long ago, Apple used to produce rack servers, and a special flavor of OS X for that hardware with extra, server-friendly features. After Apple got out of the rack server game, OS X Server soldiered on, with the occasional change in cost or distribution method.

The next stop on the long, slow death march of OS X Server is here. With a recent post to their knowledgebase, Apple states that almost all of the services not necessary for the management of networked Macs and other iDevices are being deprecated. These services will be hidden for new installs, and dropped in the future.

Apple writes that "those depending on them should consider alternatives, including hosted services."
Networking

Is It Time For Zero-Trust Corporate Networks? (csoonline.com) 150

An anonymous reader quotes CSO: "The strategy around Zero Trust boils down to don't trust anyone. We're talking about, 'Let's cut off all access until the network knows who you are. Don't allow access to IP addresses, machines, etc. until you know who that user is and whether they're authorized,'" says Charlie Gero, CTO of Enterprise and Advanced Projects Group at Akamai Technologies in Cambridge, Mass... The Zero Trust model of information security basically kicks to the curb the old castle-and-moat mentality that had organizations focused on defending their perimeters while assuming everything already inside didn't pose a threat and therefore was cleared for access. Security and technology experts say the castle-and-moat approach isn't working. They point to the fact that some of the most egregious data breaches happened because hackers, once they gained access inside corporate firewalls, were able to move through internal systems without much resistance...

Experts say that today's enterprise IT departments require a new way of thinking because, for the most part, the castle itself no longer exists in isolation as it once did. Companies don't have corporate data centers serving a contained network of systems but instead today typically have some applications on-premises and some in the cloud with users -- employees, partners, customers -- accessing applications from a range of devices from multiple locations and even potentially from around the globe... The Zero Trust approach relies on various existing technologies and governance processes to accomplish its mission of securing the enterprise IT environment. It calls for enterprises to leverage micro-segmentation and granular perimeter enforcement based on users, their locations and other data to determine whether to trust a user, machine or application seeking access to a particular part of the enterprise... Zero Trust draws on technologies such as multifactor authentication, Identity and Access Management (IAM), orchestration, analytics, encryption, scoring and file system permissions. Zero Trust also calls for governance policies such as giving users the least amount of access they need to accomplish a specific task.

"Most organizational IT experts have been trained, unfortunately, to implicitly trust their environments," says the chief product officer at an IAM/PIM solutions supplier.

"Everybody has been [taught] to think that the firewall is keeping the bad guys out. People need to adjust their mindset and understand that the bad actors are already in their environment."
Books

Walmart Teams Up With Kobo To Sell EBooks and Audiobooks (engadget.com) 35

An anonymous reader quotes a report from Engadget: Later this year, you'll be able to buy ebooks and audiobooks straight from Walmart's website. The big box retailer has teamed up with Japanese e-commerce titan Rakuten to launch a business that can take on Amazon's Kindle offerings. Walmart will give its customers in the U.S. an easy way to access Kobo's library -- Kobo is Rakuten's digital book division -- and its six million titles from tens of thousands of publishers. The company will also start selling Kobo eReaders, which will set you back at least $120, online and in stores sometime this year. Walmart said Kobo's titles will be fully integrated into its website, so the ebook and audiobook versions of the title you're searching for will appear alongside the listing of its physical book. However, you won't be able to access the digital files through random apps. You'll have to use the co-branded apps for iOS, Android and desktop that Walmart and Kobo will release in the future, though you'll of course be able to access ebooks through a Kobo e-reader.
HP

Dell and HP Advise All Their Customers To Not Install Spectre BIOS Updates (bleepingcomputer.com) 88

An anonymous reader writes: The Spectre and Meltdown mess continues with Dell now recommending their customers to not install the BIOS updates that are supposed to resolve the Spectre (Variant 2) vulnerabilities. These updates have been causing numerous problems for users including performance issues, boot issues, reboot issues, and general system stability. Due to this, Dell EMC has updated its knowledgebase article with a statement advising customers to not install the BIOS update and to potentially roll back to the previous BIOS if their computers are exhibiting "unpredictable system behavior". ZDNet reports that HP too has issued a similar advisory. The computer manufacturer pulled its softpaqs BIOS updates with Intel's patches from its website, and said it would be releasing a BIOS update with a previous version of Intel's microcode on Thursday.
Network

Lenovo Discovers and Removes Backdoor In Networking Switches (bleepingcomputer.com) 42

An anonymous reader writes: Lenovo engineers have discovered a backdoor in the firmware of RackSwitch and BladeCenter networking switches. The company released firmware updates last week. The Chinese company said it found the backdoor after an internal security audit of firmware for products added to its portfolio following the acquisitions of other companies. Lenovo says the backdoor affects only RackSwitch and BladeCenter switches running ENOS (Enterprise Network Operating System).

The backdoor was added to ENOS in 2004 when ENOS was maintained by Nortel's Blade Server Switch Business Unit (BSSBU). Lenovo claims Nortel appears to have authorized the addition of the backdoor "at the request of a BSSBU OEM customer." In a security advisory regarding this issue, Lenovo refers to the backdoor under the name of "HP backdoor." The backdoor code appears to have remained in the firmware even after Nortel spun BSSBU off in 2006 as BLADE Network Technologies (BNT). The backdoor also remained in the code even after IBM acquired BNT in 2010. Lenovo bought IBM's BNT portfolio in 2014.

Microsoft

Microsoft: We're Not Giving Up On Cortana (Even In Home Automation) (zdnet.com) 93

Microsoft is trying to fight back against perceptions that Cortana may be its next consumer-centric technology to face the chopping block. Yesterday, the company issued a press release touting recent wins for Cortana. Among these are the officially unveiled Johnson Controls' Cortana-powered thermostat (which goes on sale for $319 starting in March). ZDNet reports the "other recent Cortana device partners":
Allwinner: This company has the Tech R16 Quad Core IoT solution (a reference design for device partners).
Synaptics: This ODM (original design manufacturer) and far-field voice processing vendor produces reference designs for consumer IoT, smart speakers, PC, and more that integrate Cortana.
TONLY: Another reference design vendor working with Microsoft on Cortana devices that make use of Skype.
Qualcomm: In addition to partnering with Microsoft on Windows-on-ARM "Always Connected" PCs, Qualcomm is building reference designs on its Smart Audio and Mesh Networking platforms that use Cortana.
"In addition to our currently supported home automation partners, we are announcing new partnerships with Ecobee, Geeni, Honeywell Lyric, IFTTT, LIFX, TP-Link Kasa, and Honeywell Total Connect Comfort. Cortana currently supports lights, outlets, switches, and thermostats across all providers," the spokesperson said.
Networking

Can Mesh Networks Save a Dying Web? (thenextweb.com) 201

From an anonymous reader: "The web is dying, but mesh networks could save it," writes open source hacker Andre Staltz. He warns that Facebook, Google, and Amazon plan to "grow beyond browsers, creating new virtual contexts where data is created and shared," and predicts the next wave of walled gardens will be a "social internet" bypassing the web altogether. "The Web may die like most other technologies do, simply by becoming less attractive than newer technologies."

He wants to build a mobile mesh web that works with or without internet access to reach the four billion people currently offline, adding that all the tools we need are already in our hands: smartphones, peer-to-peer protocols, and mesh networks. His vision? "Novel peer-to-peer protocols such as IPFS and Dat help replace HTTP and make the web a content-centered cyberspace... Browsers can be made to work like that, and although it's a small tweak to how the web works, it has massive effects on social structures in cyberspace... Now that we have experience with some of the intricacies of the social web, we can reinvent it to put people first without intermediate companies... We can actually beat the tech giants at this game by simply giving local and regional connectivity to people in developing countries. With mobile apps that are built mesh-first, the smartphones would make up self-organizing self-healing mobile ad-hoc networks... In internet-less regions, there is potential for scaling quickly, and through that, we can spawn a new industry around peer-to-peer wireless mesh networks."

He cites mega-projects "to rescue the web from the internet", which include progress on peer-to-peer and mesh networking protocols, followed by adoption on smartphones (and then a new wave of apps) -- plus a migration of existing web content to the new protocols, "to fix the overutilization of the wirenet and the underutilization of airnets, bringing balance to the wire-versus-air dichotomy, providing choice in how data should travel in each case...But it can only happen if the web takes a courageous step towards its next level."

Cellphones

White House Bans Use of Personal Devices From West Wing (cbsnews.com) 205

In the wake of damaging reports of a chaotic Trump administration detailed in a new book from Michael Wolff, the White House is instituting new policies on the use of personal cellphones in the West Wing. CBS News reports: White House Press Secretary Sarah Huckabee Sanders released the following statement on the policy change: "The security and integrity of the technology systems at the White House is a top priority for the Trump administration and therefore starting next week the use of all personal devices for both guests and staff will no longer be allowed in the West Wing. Staff will be able to conduct business on their government-issued devices and continue working hard on behalf of the American people."

Wolff reportedly gained access to the White House where he conducted numerous interviews with staffers on the inner-workings of the Trump campaign and West Wing operations. Sanders told reporters Wednesday that there were about "a dozen" interactions between Wolff and White House officials, which she said took place at Bannon's request. The White House swiftly slammed the book and those who cooperated with Wolff.

Network

Asus Is Turning Its Old Routers Into Mesh Wi-Fi Networks (theverge.com) 30

Asus' new AiMesh system lets you repurpose your existing Asus routers as part of a mesh network, potentially saving you lots of money since you won't have to replace your whole network with a bunch of new devices. The Verge reports: For now, the mesh support is coming to a few routers today in beta, including the ASUS RT-AC68U, RT-AC1900P, RT-AC86U, RT-AC5300, and the ROG Rapture GT-AC5300, with additional support planned for the RT-AC88U and RT-AC3100 later this year. The setup looks pretty simple, too. Once your main router is set up and updated to the latest firmware, just take your other routers that are going to be the mesh nodes, plug them in near the main router, and run a factory reset, after which they'll automatically pop up in the Asus Router app to add to your mesh.
Wireless Networking

Roombas Will Soon Build a Wi-Fi Coverage Map While They Clean (techcrunch.com) 58

An anonymous reader quotes a report from TechCrunch: The feature is arriving later this month on the iRobot app, making it possible for WiFi-enabled Roombas to create a map of indoor signals. The map exists alongside the existing Clean Map feature, letting users toggle between the two, like they would, say, satellite and standard imagery in Google Maps. The maps themselves won't go into too much detail -- no upload and download speeds like you see on many mobile speed test apps. Instead, the information will show up as decibel readings. Really, it's intended as a handy way of showing off where you might want to toss a range extender, to help get rid of dead spots. All of Roomba's vacuums, save for the lowest-end model, will support the feature. The beta program launches January 23rd and appears to only be available for U.S. users.
Programming

New Year's Resolutions For Linux Admins: Automate More, Learn New Languages (networkworld.com) 139

An anonymous reader writes: A long-time Unix sys-admin is suggesting 18 different New Year's resolutions for Linux systems administrators. And #1 is to automate more of your boring stuff. "There are several good reasons to turn tedious tasks into scripts. The first is to make them less annoying. The second is to make them less error-prone. And the last is to make them easier to turn over to new team members who haven't been around long enough to be bored. Add a small dose of meaningful comments to your scripts and you have a better chance of passing on some of your wisdom about how things should be done."

Along with that, they suggest learning a new scripting language. "It's easy to keep using the same tools you've been using for decades (I should know), but you might have more fun and more relevance in the long run if you teach yourself a new scripting language. If you've got bash and Perl down pat, consider adding Python or Ruby or some other new language to your mix of skills."

Other suggestions include trying a new distro -- many of which can now be run in "live mode" on a USB drive -- and investigating the security procedures of cloud services (described in the article as "trusting an outside organization with our data").

"And don't forget... There are now only 20 years until 2038 -- The Unix/Linux clockpocalypse."

The Internet

Some Telcos and ISPs are Frustrating IPv6 Adoption (guardian.ng) 135

An anonymous reader writes: "There are indications that telecommunications operators and traditional ISPs in the country are frustrating adoption of Internet Protocol version six (IPv6) by other networks," reports Nigeria's Guardian newspaper, citing Nigeria CommunicationsWeek. The magazine found 32 networks with IPv6 addresses -- but only three which are using them. And the newspaper cites "a network engineer with a university who does not want to be named" frustrated that their ISP's network isn't IPv6-compatible, so the university can't use its own IPv6 address. "Mohammed Rudman, chairman, IPv6 Council Nigeria, said that most telecommunications operators and internet service providers in the country have not adopted IPv6 which raises the issue of compatibility with other networks."
Firefox has a fast-fallback-to-IPv4 option, which you can disable in about:config (as well as an option to disable IPv6 altogether). But "the Chrome browser supports IPv6 natively and doesn't allow users to decide which protocol to use," reports TechGlimpse.com.

How does your browser perform? Long-time Slashdot reader ourlovecanlastforeve shared a link to Test-IPv6.com, which detects whether "when given the choice, your browser decided it would prefer to use IPv4 instead of IPv6."
