Google

Google Plans To Alter JavaScript Popups After Abuse From Tech Support Scammers (bleepingcomputer.com) 74

An anonymous reader writes: Chromium engineers are discussing plans to change how JavaScript popups work inside Chrome and other similar browsers. In a proposal published on the Google Developers portal, the Chromium team acknowledged that JavaScript popups are consistently used to harm users.

To combat this threat, Google engineers say they plan to make JavaScript modals, like the alert(), confirm(), and dialog() methods, only work on a per-tab basis, and not per-window. This change means that popups won't block users from switching and closing the tab, putting an end to any overly-aggressive tactics on the part of the website's owner(s).

There is no timeline on Google's decision to move JavaScript popups to a per-tab model, but Chromium engineers have been debating this issue since July 2016 as part of Project OldSpice. A similar change was made to Safari 9.1, released this week. Apple's decision came after crooks used a bug in Safari to block users on malicious pages using popups. Crooks then tried to extort payment, posing as ransomware.

United Kingdom

Britain Wants Tech Firms to Tackle Extremism (fortune.com) 109

Britain will tell Google, Facebook, Twitter, and Microsoft on Thursday to do more to stop extremists posting content on their platforms and using encrypted messaging services to plan attacks. From a report: Home Secretary Amber Rudd said on Sunday tech companies should stop offering a "secret place for terrorists to communicate," after British parliament attacker Khalid Masood was widely reported to have sent encrypted messages moments before he killed four people last week. Rudd has summoned the Internet companies to a meeting to urge them to do more to block extremist content from platforms like Facebook and Google's YouTube, but a government spokesman said encryption was also on the agenda. "The message is the government thinks there is more they can do in relation to taking down extremist and hate material and that is what they are going to be talking about this afternoon," the prime minister's spokesman said on Thursday.
Spam

Airline Fined For Sending 3.3 Million Unwanted Emails (bbc.com) 16

The airline Flybe has been fined 70,000 pounds ($87,000) for sending more than 3.3 million marketing emails to people who had opted out of receiving them. From a report on BBC: The emails, sent in August 2016, advised people to amend out-of-date personal information and update their marketing preferences. They also gave people the chance to enter a prize draw. But the regulator said Flybe should have obtained people's consent before sending the emails. "Sending emails to determine whether people want to receive marketing, without the right consent, is still marketing, and it is against the law," said Steve Eckersley, head of enforcement at the Information Commissioner's Office. "In Flybe's case, the company deliberately contacted people who had already opted out of emails from them."
Government

Will VPNs Protect Your Privacy? It's Complicated 119

From a CNET report: A VPN redirects your internet traffic, disguising where your computer, phone or other device is when it makes contact with websites. It also encrypts information you send across the internet, making it unreadable to anyone who intercepts your traffic. That includes your internet service provider. Ha! Problem solved -- right? Well, sort of. The big catch is, now the VPN has your internet traffic and browsing history, instead of your ISP. What's to stop the VPN from selling your information to the highest bidder? Of course, there are reputable VPN services out there, but it's incumbent on you the user to "do your homework," Ajay Arora, CEO of cybersecurity company Vera said. In addition to making sure the VPN will actually keep your data private, you'll want to make sure there's nothing shady in the terms and conditions. Shady how? Well, in 2015, a group of security-minded coders discovered that free VPN service Hola was selling its users' bandwidth to the paying customers of its Luminati service. That meant some random person could have been using your internet connection to do something illegal. So, shady like that. "I would recommend you do some cursory level research in terms of reputation [and] how long they've been around," Arora said, "And when you sign up, read the fine print." From a report on Wired: Christian Haschek, an Austria-based security researcher, wrote a script that analyzed 443 open proxies, which route web traffic through an alternate, often pseudo-anonymous, computer network. The script tested the proxies to see if they modified site content or allowed users to browse sites while using encryption. According to Haschek's research, just 21 percent of the tested proxies weren't "shady." Haschek found that the other 79 percent of surveyed proxy services forbid secure, HTTPS traffic.
The Internet

UW Professor: The Information War Is Real, and We're Losing It (seattletimes.com) 363

An anonymous reader writes: It started with the Boston marathon bombing, four years ago. University of Washington professor Kate Starbird was sifting through thousands of tweets sent in the aftermath and noticed something strange. Too strange for a university professor to take seriously. "There was a significant volume of social-media traffic that blamed the Navy SEALs for the bombing," Starbird told me the other day in her office. "It was real tinfoil-hat stuff. So we ignored it." Same thing after the mass shooting that killed nine at Umpqua Community College in Oregon: a burst of social-media activity calling the massacre a fake, a stage play by "crisis actors" for political purposes. "After every mass shooting, dozens of them, there would be these strange clusters of activity," Starbird says. "It was so fringe we kind of laughed at it. "That was a terrible mistake. We should have been studying it." Starbird argues in a new paper, set to be presented at a computational social-science conference in May, that these "strange clusters" of wild conspiracy talk, when mapped, point to an emerging alternative media ecosystem on the web of surprising power and reach. There are dozens of conspiracy-propagating websites such as beforeitsnews.com, nodisinfo.com and veteranstoday.com. Starbird cataloged 81 of them, linked through a huge community of interest connected by shared followers on Twitter, with many of the tweets replicated by automated bots. Starbird is in the UW's Department of Human Centered Design & Engineering -- the study of the ways people and technology interact. Her team analyzed 58 million tweets sent after mass shootings during a 10-month period. They searched for terms such as "false flag" and "crisis actor," web slang meaning a shooting is not what the government or the traditional media is reporting it to be. Then she analyzed the content of each site to try to answer the question: Just what is this alternative media ecosystem saying? 
Starbird is publishing her paper as a sort of warning. The information networks we've built are almost perfectly designed to exploit psychological vulnerabilities to rumor. "Your brain tells you 'Hey, I got this from three different sources,'" Starbird says. "But you don't realize it all traces back to the same place, and might have even reached you via bots posing as real people. If we think of this as a virus, I wouldn't know how to vaccinate for it." The report goes on to say that "Starbird says she's concluded, provocatively, that we may be headed toward 'the menace of unreality -- which is that nobody believes anything anymore.'"
Security

About 90% of Smart TVs Vulnerable To Remote Hacking Via Rogue TV Signals (bleepingcomputer.com) 70

An anonymous reader quotes a report from Bleeping Computer: A new attack on smart TVs allows a malicious actor to take over devices using rogue DVB-T (Digital Video Broadcasting -- Terrestrial) signals, get root access on the smart TV, and use the device for all sorts of nasty actions, ranging from DDoS attacks to spying on end users. The attack, developed by Rafael Scheel, a security researcher working for Swiss cyber security consulting company Oneconsult, is unique and much more dangerous than previous smart TV hacks. Scheel's method, which he recently presented at a security conference, is different because the attacker can execute it from a remote location, without user interaction, and it runs in the TV's background processes, meaning users won't notice when an attacker compromises their TVs. The researcher told Bleeping Computer via email that he developed this technique without knowing about the CIA's Weeping Angel toolkit, which makes his work even more impressive. Furthermore, Scheel says that "about 90% of the TVs sold in the last years are potential victims of similar attacks," highlighting a major flaw in the infrastructure surrounding smart TVs all over the globe. At the center of Scheel's attack is Hybrid Broadcast Broadband TV (HbbTV), an industry standard supported by most cable providers and smart TV makers that "harmonizes" classic broadcast, IPTV, and broadband delivery systems. TV transmission signal technologies like DVB-T, DVB-C, or IPTV all support HbbTV. Scheel says that anyone can set up a custom DVB-T transmitter with equipment priced between $50-$150, and start broadcasting a DVB-T signal.
IT

More Than Ever, Employees Want a Say in How Their Companies Are Run (qz.com) 225

Two readers share a report: While workers have traditionally looked to unions to address their grievances, a new generation is trusting in the power of petitions to force changes. At the Wall Street Journal, 160 reporters and editors delivered a letter to their managers protesting the lack of women and minorities running the organization, Business Insider reported yesterday. "Nearly all the people at high levels at the paper deciding what we cover and how are white men," the letter read. IBM employees are circulating an online petition objecting to the tone of CEO Ginni Rometty's letter to US president Donald Trump, and calling on her to affirm what they call the company's progressive values. [...] Other employee petitions call for Oracle to oppose US president Donald Trump's second travel ban, and to let men who work at US regional supermarket Publix grow beards. Employee petitions are now so popular there's a website, coworker.org, devoted to hosting them. In some cases, the campaigns work: Starbucks relaxed its rules about visible tattoos and unnatural hair color for baristas after thousands signed petitions asking for a change. Sometimes, they fail disastrously. Interns at one (unnamed) company described in a blog post being fired en masse after signing a petition asking for a more relaxed dress code.
Android

What Killed Adobe Flash? (daringfireball.net) 218

An employee, who claims to have worked on the development of Flash, writes: Apparently, the world settled on the "One True Cause" for why Flash "died". Take for example this blog post by John Gruber about FedEx... it ends with this consideration on Steve Jobs' "Thoughts on Flash": "If it had been an angry rant, it would have been easily dismissed without needing to be factually refuted -- "That's just Jobs being a prick again." The fact that it wasn't angry, and because it was all true, made it impossible to refute."

Impossible to refute. There's no doubt that this was the beginning of the end for Flash, right? Except that this is utterly wrong. I worked on Flash, and I worked on the thing that actually killed Flash. It is my strong belief, based on what I observed, that Steve Jobs' letter had little impact in the final decision -- it was really Adobe who decided to "kill" Flash. Yes, Flash was a bad rap for Adobe, and Steve's letter didn't help. But ultimately, what was probably decisive was the fact that developing Flash cost Adobe a ton of money.
John Gruber, responding to the blog post: To be clear, I don't think Jobs's letter killed Flash. But I don't think Adobe did either. Eventually Adobe accepted Flash's demise. What killed Flash was Apple's decision not to support it on iOS, combined with iOS's immense popularity and the lucrative demographics of iOS users. If Jobs had never published "Thoughts on Flash", Flash would still be dead. The letter explained the decision, but the decision that mattered was never to support it on iOS in the first place. It's possible that Flash would have died even if Apple had decided to allow it on iOS. Android tried that, and the results were abysmal. Web page scrolling stuttered, and video playback through Flash Player halved battery life compared to non-Flash playback.
Oracle

Oracle Hires Global Specialists To Explore Feasibility of Buying Accenture 63

Paul Kunert writes in an exclusive report via The Register: Oracle has hired global specialists to explore the feasibility of buying multi-billion dollar consultancy Accenture, sources have told us. The database giant has engaged a team of consultants to conduct due diligence to "explore the synergies that could be created if they [Oracle] bought Accenture lock stock and barrel," one source claimed. On top of the financial considerations, the consultants are evaluating the pros and cons including the potential impact on Oracle's wider channel. "While these things have a habit of fizzling out there are some fairly serious players around the table," a contact added. Another claimed the process was at an early stage. "If buying Accenture was a 100 meter race, Oracle is at the 10 to 15 meter stage now." [T]his buy would be an immensely bold, complicated and pricey move: NYSE-listed Accenture has a market cap of $77.5 billion, and shareholders will expect a premium offer. A deal would dwarf Oracle's $10 billion buy of PeopleSoft, its $7.4 billion deal for Sun Microsystems, and more recently, the $9.3 billion splashed on Netsuite. In buying Accenture, Oracle would be taking a leaf out of the mid-noughties handbook - when HP fatefully bought EDS and IBM acquired PWC to carve out a brighter future.
Businesses

DJI Proposes New Electronic 'License Plate' For Drones (digitaltrends.com) 105

linuxwrangler writes: Chinese drone maker DJI proposed that drones be required to transmit a unique identifier to assist law enforcement to identify operators where necessary. Anyone with an appropriate receiver could receive the ID number, but the database linking the ID with the registered owner would only be available to government agencies. DJI likens this to a license plate on a car and offers it as a solution to a congressional mandate that the FAA develop methods to remotely identify drone operators. "The best solution is usually the simplest," DJI wrote in a white paper on the topic, which can be downloaded at this link. "The focus of the primary method for remote identification should be on a way for anyone concerned about a drone flight in close proximity to report an identifier number to the authorities, who would then have the tools to investigate the complaint without infringing on operator privacy. [...] No other technology is subject to mandatory industry-wide tracking and recording of its use, and we strongly urge against making UAS the first such technology. The case for such an Orwellian model has not been made. A networked system provides more information than needed, to people who don't require it, and exposes confidential business information in the process."
Government

Hong Kong Government Loses Laptops Containing Personal Data of 3.7 Million Voters (hongkongfp.com) 19

New submitter fatp writes: Hong Kong Free Press reports that the Registration and Electoral Office (REO) has lost two laptops containing the personal data of all 3.7 million voters after the chief executive election [on Sunday]. The REO said "the personal data was encrypted and there was no evidence that it had been leaked." Only 1,194 people had the right to vote in the election.
Software

Ask Slashdot: What's the Best Working Environment For a Developer? 355

New submitter Dorgendubal writes: I work for a company with more than a thousand developers and I'm participating in activities aimed at improving the work experience of developers. Our developers receive an ultrabook that is rather powerful but not really adapted for development (no admin rights, small storage capacity, restrictive security rules, etc.). They also have access to VDIs (more flexibility) but often complain of performance issues during certain hours of the day. Overall, developers want to have maximum autonomy, free choice of their tools (OS, IDE, etc.) and access to internal development environments (PaaS, Git repositories, continuous delivery tools, etc.). We recently had a presentation from VMware on desktop and application virtualization (Workstation & Horizon), which is supposedly the future of the desktop. It sounds interesting on paper but I remain skeptical.

What is the best working environment for a developer, offering flexibility, performance and some level of free choice, without compromising security, compliance, licensing (etc.) requirements? I would like you to share your experiences on BYOD, desktop virtualization, etc. and the level of satisfaction of the developers.
Databases

Facial Recognition Database Used By FBI Is Out of Control, House Committee Hears (theguardian.com) 90

The House oversight committee claims the FBI's facial recognition database is out of control, noting that "no federal law controls this technology" and "no court decision limits it." At last week's House oversight committee hearing, politicians and privacy campaigners presented several "damning facts" about the databases. "About 80% of photos in the FBI's network are non-criminal entries, including pictures from driver's licenses and passports," reports The Guardian. "The algorithms used to identify matches are inaccurate about 15% of the time, and are more likely to misidentify black people than white people." From the report: "Facial recognition technology is a powerful tool law enforcement can use to protect people, their property, our borders, and our nation," said the committee chair, Jason Chaffetz, adding that in the private sector it can be used to protect financial transactions and prevent fraud or identity theft. "But it can also be used by bad actors to harass or stalk individuals. It can be used in a way that chills free speech and free association by targeting people attending certain political meetings, protests, churches, or other types of places in the public." Furthermore, the rise of real-time face recognition technology that allows surveillance and body cameras to scan the faces of people walking down the street was, according to Chaffetz, "most concerning." "For those reasons and others, we must conduct proper oversight of this emerging technology," he said.
Microsoft

Microsoft Yanks Docs.com Search After Complaints of Exposed Sensitive Files (zdnet.com) 55

Microsoft has quietly removed a feature on its document sharing site Docs.com that allowed anyone to search through millions of files for sensitive and personal information. From a report on ZDNet: Users had complained over the weekend on Twitter that anyone could use the site's search box to trawl through publicly-accessible documents and files stored on the site, which were clearly meant to remain private. Among the files reviewed by ZDNet, and seen by others who tweeted about them, included password lists, job acceptance letters, investment portfolios, divorce settlement agreements, and credit card statements -- some of which contained Social Security and driving license numbers, dates of birth, phone numbers, and email and postal addresses. The company removed the site's search feature late on Saturday, but others observed that the files were still cached in Google's search results, as well as Microsoft's own search engine, Bing.
Government

Laptop Ban on Planes Came After Plot To Put Explosives in iPad (theguardian.com) 278

Last week, United States and United Kingdom officials announced new restrictions for airline passengers from eight Middle Eastern countries, forbidding passengers to carry electronics larger than a smartphone into an airplane cabin. Now The Guardian reports, citing a security source, the ban was prompted in part by a plot involving explosives hidden in a fake iPad. From the report: The security source said both bans were not the result of a single specific incident but a combination of factors. One of those, according to the source, was the discovery of a plot to bring down a plane with explosives hidden in a fake iPad that appeared as good as the real thing. Other details of the plot, such as the date, the country involved and the group behind it, remain secret. Discovery of the plot confirmed the fears of the intelligence agencies that Islamist groups had found a novel way to smuggle explosives into the cabin area in carry-on luggage after failed attempts with shoe bombs and explosives hidden in underwear. An explosion in a cabin (where a terrorist can position the explosive against a door or window) can have much more impact than one in the hold (where the terrorist has no control over the position of the explosive, which could be in the middle of luggage, away from the skin of the aircraft), given passengers and crew could be sucked out of any subsequent hole.
Microsoft

Class Action Lawsuit Launched Over Forced Windows 10 Upgrades (courthousenews.com) 347

Slashdot reader AmiMoJo quotes The Register: Three people in Illinois have filed a lawsuit against Microsoft, claiming that its Windows 10 update destroyed their data and damaged their computers. The complaint, filed in Chicago's U.S. District Court on Thursday, charges that Microsoft Windows 10 [installer] is a defective product, and that its maker failed to provide adequate warning about the potential risks posed by Windows 10 installation -- specifically system stability and data loss... The attorneys representing the trio are seeking to have the case certified as a class action that includes every person in the U.S. who upgraded to Windows 10 from Windows 7 and suffered data loss or damage to software or hardware within 30 days of installation. They claim there are hundreds or thousands of affected individuals.
Microsoft responded that they'd offered free customer service and other support options for "the upgrade experience," adding "We believe the plaintiffs' claims are without merit." But the complaint argues Windows 10's installer "does not check the condition of the PC and whether or not the hard drive can withstand the stress of the Windows 10 installation," according to Courthouse News, which adds that the lead plaintiff "says her hard drive failed after Windows 10 installed without her express approval, and she had to buy a new computer."
Encryption

After 20 Years, OpenSSL Will Change To Apache License 2.0, Seeks Past Contributors (openssl.org) 109

After nearly 20 years and 31,000 commits, OpenSSL wants to change to Apache License v2.0. They're now tracking down all 400 contributors to sign new license agreements, a process expected to take several months. Slashdot reader rich_salz shares links to OpenSSL's official announcement (and their agreement-collecting web site). "This re-licensing activity will make OpenSSL, already the world's most widely-used FOSS encryption software, more convenient to incorporate in the widest possible range of free and open source software," said Mishi Choudhary, Legal Director of Software Freedom Law Center and counsel to OpenSSL. "OpenSSL's team has carefully prepared for this re-licensing, and their process will be an outstanding example of 'how to do it right.'"
Click through for some comments on the significance of this move from the Linux Foundation, Intel, and Oracle.
United Kingdom

London Terrorist Used WhatsApp, UK Calls For Backdoors (yahoo.com) 359

On Wednesday, 52-year-old Khalid Masood "drove a rented SUV into pedestrians on Westminster Bridge before smashing it into Parliament's gates and rushing onto the grounds, where he fatally stabbed a policeman and was shot by other officers," writes the Associated Press. An anonymous reader quotes their new report: Westminster Bridge attacker Khalid Masood sent a WhatsApp message that cannot be accessed because it was encrypted by the popular messaging service, a top British security official said Sunday. British press reports suggest Masood used the messaging service owned by Facebook just minutes before the Wednesday rampage that left three pedestrians and one police officer dead and dozens more wounded.... Home Secretary Amber Rudd used appearances on BBC and Sky News to urge WhatsApp and other encrypted services to make their platforms accessible to intelligence services and police trying to carry out lawful eavesdropping. "We need to make sure that organizations like WhatsApp -- and there are plenty of others like that -- don't provide a secret place for terrorists to communicate with each other," she said...

Rudd also urged technology companies to do a better job at preventing the publication of material that promotes extremism. She plans to meet with firms Thursday about setting up an industry board that would take steps to make the web less useful to extremists.

Businesses

Over 14K 'Let's Encrypt' SSL Certificates Issued To PayPal Phishing Sites (bleepingcomputer.com) 250

BleepingComputer reports: During the past year, Let's Encrypt has issued a total of 15,270 SSL certificates that contained the word 'PayPal' in the domain name or the certificate identity. Of these, approximately 14,766 (96.7%) were issued for domains that hosted phishing sites, according to an analysis carried out on a small sample of 1,000 domains, by Vincent Lynch, encryption expert for The SSL Store... Lynch, who points out the abuse of Let's Encrypt's infrastructure, doesn't blame the Certificate Authority (CA), but nevertheless, points out that other CAs have issued a combined number of 461 SSL certificates containing the term "PayPal" in the certificate information, which were later used for phishing attacks... Phishers don't target these CAs because they're commercial services, but also because they know these organizations will refuse to issue certificates for certain hot terms, like "PayPal," for example. Back in 2015, Let's Encrypt made it clear in a blog post it doesn't intend to become the Internet's HTTPS watchdog.
Of course, some web browsers don't even check whether a certificate has been revoked. An anonymous reader writes: Browser makers are also to blame, along with "security experts" who tell people HTTPS is "secure," when they should point out HTTPS means "encrypted communication channel," and not necessarily that the destination website is secure.
Robotics

US Workers Face A Higher Risk Of Being Replaced By Robots (cnn.com) 281

There's a surprising prediction for the next 15 years from the world's second largest professional services firm. An anonymous reader quotes CNN: Millions of workers around the world are at risk of losing their jobs to robots -- but Americans should be particularly worried. Thirty-eight percent of jobs in the U.S. are at high risk of being replaced by robots and artificial intelligence over the next 15 years, according to a new report by PwC. Meanwhile, only 30% of jobs in the U.K. are similarly endangered. The same level of risk applies to only 21% of positions in Japan.
61% of America's financial service jobs "are at a high risk of being replaced by robots," according to the article, vs. just 32% of the finance jobs in the U.K. (Those U.S. finance jobs tend to be "domestic retail operations" like small-town bank tellers, whereas U.K. finance jobs concentrate more in international finance and investment banking.) The firm's chief economist sees a world where new jobs are more likely to go to higher-skilled workers, and he ultimately predicts "a restructuring of the jobs market... The gap between rich and poor could get even wider."
