steveb3210 writes: Today, Ruby On Rails released version 5.0.0 of the platform. Major new features include ActionCable, which brings support for WebSockets, and a slimmed-down API-only mode. From the official blog post: After six months of polish, four betas, and two release candidates, Rails 5.0 is finally done! It's taken hundreds of contributors and thousands of commits to get here, but what a destination: Rails 5.0 is without a doubt the best, most complete version of Rails yet. It's incredible that this community is still going so strong after so long. Thanks to everyone who helped get us here. [...] Note: As per our maintenance policy, the release of Rails 5.0 will mean that bug fixes will only apply to 5.0.x, regular security issues to 5.0.x and 4.2.x, and severe security issues also to 5.0.x and 4.2.x (but when 5.1 drops, to 5.1.x, 5.0.x, and 4.2.x). This means 4.1.x and below will essentially be unsupported! Ruby 2.2.2+ is now also the only supported version of Rails 5.0+.
Stan Schroeder, writing for Mashable: An anonymous hacker managed to obtain an enormous number of user credentials in June 2013 from fallen social networking giant MySpace -- some 427 million passwords, belonging to approx. 360 million users. In May 2016, a person started selling that database of passwords on the dark web. Now, the entire database is available online for free. Thomas White, a security researcher also known by the moniker "Cthulhu," put the database up for download as a torrent file on his website, here. "The following contains the alleged data breach from Myspace dating back a few years. As always, I do not provide any guarantees with the file and I leave it down to you to use responsibly and for a productive purpose," he wrote. The file is 14.2 GB in size; downloading it might take some time. It is password-protected, but White made the password available on Twitter and his site.
Over the past few weeks, we have seen a number of CEOs -- including Google's Sundar Pichai, and Facebook's Mark Zuckerberg -- become victims of Twitter hacks. One must ask, what's wrong with Twitter that so many people -- including high-profile names -- keep getting hacked? BuzzFeed dives deep into the problem, and says it's how Twitter interacts with third-party apps that's at fault. From the article: Over the past several weeks, however, a three-person hacking team called OurMine has made clear that years after the problem first came to light, third-party authentication is still a security nightmare for Twitter. By gaining access to apps with third-party write access, OurMine has been able to post to the Twitter accounts of tech bigwigs like Facebook CEO Mark Zuckerberg, Google CEO Sundar Pichai, and Uber CEO Travis Kalanick. In other words, whichever write-authorized app connected to your Twitter is least secure is exactly how secure your Twitter account is. [...] The public nature of Twitter, whose main point is to share information as quickly and widely as possible, has made these attacks a much bigger issue for Jack Dorsey's company than they are for Facebook. And there's very little Twitter can do to solve the problem that doesn't defeat the incentives for third-party writing privileges in the first place: Speed and functionality. Adding layers of security -- like an extra login -- to access Twitter through a third-party app defeats the purpose of speedy cross-platform sharing. And disabling third-party writing would anger developers and hurt engagement, a cost Twitter probably isn't willing to bear.
An anonymous reader writes: The notorious hacker most recently in the news for releasing Clinton Foundation documents said on Thursday in a blog post that the theft of confidential files from the DNC was his "personal project." Guccifer 2.0, as he identifies himself, added that security firms and the DNC may be trying to blame the attack on Russia, but "they can prove nothing! All I hear is blah-blah-blah, unfounded theories, and somebody's estimates," he wrote. He claims to be Romanian and says he acted alone, pouring water on the theory that he may be a "smokescreen" to divert attention away from the real culprits, which may have been expert hacking teams based in Russia. "I'd like to reveal a secret to all those cool IT-specialists: All the hackers in the world use almost the same tools," he said. "You can buy them or simply find them on the web." He broke into the network using a little-known vulnerability found in the DNC's software, he added. "The DNC used Windows on their server, so it made my work much easier," he said. "I installed my trojan-like virus on their PCs. I just modified the platform that I bought on the hacking forums for about $1.5k." Guccifer 2.0 also disputed the idea that the DNC breach was an intelligence gathering operation for Russia, saying it was hacktivism.
An anonymous reader writes: A file named "UpgradeSubscription.exe" is found buried in the System32 folder of Windows 10 build 14376, alongside 590 other .exe files. ZDNet reports the file has been part of other recent preview builds, but was just recently uncovered. "In the file's properties, it's described as the Windows Upgrade to Subscription Tool, and its date and time stamp corresponds to other administrative tools in the same build," reports ZDNet. You can view the screenshot here. Microsoft responded to ZDNet saying: "The Windows Upgrade to Subscription tool, found in the latest Windows Insider builds, helps to manage certain volume licensing upgrades from Windows 10 Pro Anniversary Update to Windows 10 Enterprise. This binary file is not associated with the free consumer upgrade offering nor is it applicable to consumer Windows editions." When pressed for additional details, Microsoft responded with, "No further comment." While the file does nothing, it does appear to confirm that it's related to licensing, referencing a registry value called AllowWindowsSubscription. Build 14376 reveals a few references to servicing packages named Microsoft-Client-License-Platform-Upgrade-Subscription-Package. Last year, there was some talk about Windows 10 being the last version of Windows, as Microsoft is pushing a "Windows as a service" vision. When news broke in April about Windows Phone's sharp revenue declines, PCWorld reported that CEO Satya Nadella's strategy is to grow Microsoft's revenues by convincing customers to adopt its paid subscription services.
Another day, another high-profile figure becoming the victim of a hack attack. Somebody managed to find a way into Oculus CEO Brendan Iribe's Twitter account late Wednesday. The hacker, who appears to be a user who goes by the alias "lid" on Twitter, changed Iribe's bio and cover photo, and made a couple of interesting "announcements" -- including him becoming the new CEO of the Facebook-owned virtual reality company. TechCrunch reports: This is just the latest in a string of tech CEOs having their Twitter accounts compromised; this attack does not appear to be from the same hacker group responsible for the hacks on the accounts of Travis Kalanick, Sundar Pichai, Mark Zuckerberg and Dick Costolo. Late Wednesday night, Iribe's Twitter bio temporarily read, "hey its @Lid ... im not testing ya security im just havin a laugh." The hacker told me in a Twitter DM that he accessed the password via last month's MySpace breach; he also said that he would've managed to access Iribe's email account had he not had two-factor authentication enabled.
An anonymous reader shares a Reuters report: Spanish officials raided Google's Madrid offices on Thursday in a probe related to its payment of taxes, a person familiar with the matter said, barely a month after the internet company had its headquarters in France searched on suspicion of tax evasion. A spokeswoman for Google said in a brief statement the company complied with fiscal legislation in Spain just as it did in all countries where it operated. The company was working with authorities to answer all questions, the spokeswoman added. Google is under pressure across Europe from politicians and the public upset at how multinationals exploit their presence around the world to minimize their tax bills.
An anonymous reader writes from a report via The Guardian: U.S. Republican congressional staff said in a report released Wednesday that previous efforts to regulate privacy technology were flawed and that lawmakers need to learn more about technology before trying to regulate it. The 25-page white paper is entitled Going Dark, Going Forward: A Primer on the Encryption Debate and it does not provide any solution to the encryption fight. However, it is notable for its criticism of other lawmakers who have tried to legislate their way out of the encryption debate. It also sets a new starting point for Congress as it mulls whether to legislate on encryption during the Clinton or Trump administration. "Lawmakers need to develop a far deeper understanding of this complex issue before they attempt a legislative fix," the committee staff wrote in their report. The committee calls for more dialogue on the topic and for more interviews with experts, even though they claim to have already held more than 100 such briefings, some of which are classified. The report says in the first line that public interest in encryption has surged once it was revealed that terrorists behind the Paris and San Bernardino attacks "used encrypted communications to evade detection." Congressman Ted Lieu is pushing the federal government to treat ransomware attacks on medical facilities as data breaches and require notifications of patients.
An anonymous reader writes from a report via The Stack: A 2014 version of the World-Check database containing more than 2.2 million records of people with suspected terrorist, organized crime, and corruption links has been leaked online. The World-Check database is administered by Thomson Reuters and is used by 4,500 institutions, 49 of the world's 50 largest banks and by over 300 government and intelligence agencies. The unregulated database is intended for use as "an early warning system for hidden risk" and combines records from hundreds of terror and crime suspects and watch-lists into a searchable resource. Most of the individuals in the database are unlikely to know that they are included, even though it may have a negative impact on their ability to use banking services and operate a business. A Reddit user named Chris Vickery says he obtained a copy of the database, saying he won't reveal how until "a later time." To access the database, customers must pay an annual subscription charge that can reach up to $1 million, according to Vice, with potential subscribers then vetted before approval. Vickery says he understands that the "original location of the leak is still exposed to the public internet" and that "Thomson Reuters is working feverishly to get it secured." He told The Register that he alerted the company to the leak, but is still considering whether to publish the information contained in it.
Reader itwbennett writes: Security vendor FireEye said on Tuesday that malware that can spoof the user interfaces of Uber, WhatsApp and Google Play has been spreading through a phishing campaign over SMS. Once downloaded, the malware, which has struck Android users in Denmark, Italy and Germany, will create fake user interfaces on the phone as an 'overlay' on top of real apps. These interfaces ask for credit card information and then send the entered data to the hacker.
An anonymous reader shares a FirstPost article: Even as I write this the echo of gunfire continues at Ataturk International Airport. For reasons that defy logic, Istanbul's main airport has always been seen as a vulnerable target, which only underscores the fact that all airports in the world are open to attack and fail-safe is not a viable option. At Ataturk, security is usually high, but the weak underbelly lies in vehicular traffic entering the airport being given cursory checks, pretty much like most airports, which is why President Erdogan was able to say this sort of attack could have occurred anywhere. That is true. Airports are easy targets. Even though Turkey was aware of the chinks, nothing much was done to up the security levels. If you take Delhi International as a prime example, the access to the terminal is scarcely blockaded and one can reach the entry points with ease, crossing a couple of indolent checkpoints and a roller fence. (Editor's note: the article has been written by an Indian author, and so he uses an Indian airport as an example.) Indian airports are as porous as a sponge. Most of our airports are red-starred, which places them in the inadequate category. Add to that the fact that several thousand VIPs are given privileges that make a pudding out of security, and it indicates how easy peasy it would be to amble up to the terminal entrance. The weakness primarily lies in the absence of X-rays and deterrent technology on approach. You practically can check in and get to immigration before being cleared for hazardous material.
Google's Project Zero team has discovered a heap of critical vulnerabilities in Symantec and Norton security products. The flaws, the team says, allow hackers to completely compromise people's machines by simply sending them malicious self-replicating code through unopened emails or un-clicked links. According to a Fortune report, the vulnerabilities affect millions of people who run the company's endpoint security and antivirus software -- all 17 enterprise products (Symantec brand) and eight consumer and small business products (Norton brand). Dan Goodin, reporting for Ars Technica: The flaws reside in the engine the products use to reverse the compression tools malware developers use to conceal their malicious payloads. The unpackers work by parsing code contained in files before they're allowed to be downloaded or executed. Because Symantec runs the unpackers directly in the operating system kernel, errors can allow attackers to gain complete control over the vulnerable machine. Tavis Ormandy, a researcher with Google's Project Zero, said a better design would be for unpackers to run in a security "sandbox," which isolates untrusted code from sensitive parts of an operating system.
HughPickens.com writes: What should a driverless car with one rider do if it is faced with the choice of swerving off the road into a tree or hitting a crowd of 10 pedestrians? The answer depends on whether you are the rider in the car or someone else is, writes Peter Dizikes at MIT News. According to recent research, most people prefer autonomous vehicles to minimize casualties in situations of extreme danger -- except for the vehicles they would be riding in. "Most people want to live in a world where cars will minimize casualties," says Iyad Rahwan. "But everybody wants their own car to protect them at all costs." The result is what the researchers call a "social dilemma," in which people could end up making conditions less safe for everyone by acting in their own self-interest. "If everybody does that, then we would end up in a tragedy whereby the cars will not minimize casualties," says Rahwan. Researchers conducted six surveys, using the online Mechanical Turk public-opinion tool, between June 2015 and November 2015. The results consistently showed that people will take a utilitarian approach to the ethics of autonomous vehicles, one emphasizing the sheer number of lives that could be saved. For instance, 76 percent of respondents believe it is more moral for an autonomous vehicle, should such a circumstance arise, to sacrifice one passenger rather than 10 pedestrians. But the surveys also revealed a lack of enthusiasm for buying or using a driverless car programmed to avoid pedestrians at the expense of its own passengers. "This is a challenge that should be on the mind of carmakers and regulators alike," the researchers write. "For the time being, there seems to be no easy way to design algorithms that would reconcile moral values and personal self-interest."
Taco Cowboy quotes a report from ABC Online: German engineers have created a camera no bigger than a grain of salt that could change the future of health imaging -- and clandestine surveillance. Using 3D printing, researchers from the University of Stuttgart built a three-lens camera, and fitted it onto the end of an optical fiber the width of two hairs. Such technology could be used as minimally-intrusive endoscopes for exploring inside the human body, the engineers reported in the journal Nature Photonics. The compound lens of the camera is just 100 micrometers (0.1 millimeters) wide, and 120 micrometers with its casing. It could also be deployed in virtually invisible security monitors, or mini-robots with "autonomous vision." The compound lens can also be printed onto image sensors other than optical fibers, such as those used in digital cameras. The researchers said it only took a few hours to design, manufacture and test the camera, which yielded "high optical performances and tremendous compactness." They believe the 3D printing method -- used to create the camera -- may represent "a paradigm shift."
An anonymous reader writes from a report via CNN: Helium is an incredibly important element that is used in everything from party balloons to MRI machines -- it's even used for nuclear power. For many years, there have been global shortages of the element. For example, Tokyo Disneyland once had to suspend sales of its helium balloons due to the shortages. The shortages are expected to come to an end now that researchers from Oxford and Durham universities have discovered a "world-class" helium gas field in Tanzania's East African Rift Valley. They estimate that just one part of the reserve in Tanzania could be as large as 54 billion cubic feet (BCf), which is enough to fill more than 1.2 million medical MRI scanners. "To put this discovery into perspective, global consumption of helium is about 8 billion cubic feet (BCf) per year and the United States Federal Helium Reserve, which is the world's largest supplier, has a current reserve of just 24.2 BCf," said University of Oxford's Chris Ballentine, a professor with the Department of Earth Sciences. "Total known reserves in the USA are around 153 BCf. This is a game-changer for the future security of society's helium needs and similar finds in the future may not be far away," Ballentine added.
An anonymous reader writes: Three U.S. healthcare organisations are reportedly being held to ransom by a hacker who stole data on hundreds of thousands of patients. The hacker has also put the 650,000 records up for sale on dark web markets where stolen data is traded. Prices for the different databases range from $100,000 to $411,000. Buyers have already been found for some of the stolen data, the hacker behind the theft told news site Motherboard. No information about the size of the ransom payment sought by the data thief has emerged, although he did say it was "a modest amount compared to the damage that will be caused to the organisations when I decide to publicly leak the victims."
An anonymous reader writes: The Cyberspace Administration of China has imposed new regulation for the mobile app community, requiring that developers keep a close watch over users and keep a record of their activities. However, the proposed legislation would also prevent apps from requesting unnecessary access to users' contacts, camera, microphone and other spurious installation requests. The regulator introduced the new laws in the name of cracking down on illegal use of mobile platforms for the distribution of pornography, fraud and the spread of 'malicious' content.
A report on Fusion on Monday, which cited a number of people, claimed that Facebook was using its users' phone location to suggest people to them. The publication also noted the privacy implications of this supposed feature. At the time of publishing, Facebook had noted that location was indeed one of the signals it looks into when suggesting new friends. But the social juggernaut has since backtracked on its statement with new assurances that it is not using anyone's location. In a statement to Slashdot, the company said: We're not using location data, such as device location and location information you add to your profile, to suggest people you may know. We may show you people based on mutual friends, work and education information, networks you are part of, contacts you've imported and other factors.
Orome1 quotes a report from Help Net Security: The U.S. Customs and Border Protection agency has submitted a request to the Office of Management and Budget, asking for permission to collect travelers' social media account names as they enter the country. The CBP, which is part of the U.S. Department of Homeland Security, proposes that the request "Please enter information associated with your online presence -- Provider/Platform -- Social media identifier" be added to the Electronic System for Travel Authorization (ESTA) and to the CBP Form I-94W (Nonimmigrant Visa Waiver Arrival/Departure). "It will be an optional field to request social media identifiers to be used for vetting purposes, as well as applicant contact information," the CBP noted. "Collecting social media data will enhance the existing investigative process and provide DHS greater clarity and visibility to possible nefarious activity and connections by providing an additional tool set which analysts and investigators may use to better analyze and investigate the case." The public and affected agencies are asked to comment on the request within 60 days of its publication. Commenters are asked to send their comments to this address.
An anonymous reader writes: "A botnet of over 25,000 bots is at the heart of recent DDoS attacks that are ferociously attacking businesses across the world with massive Layer 7 DDoS attacks that are overwhelming Web servers, occupying their resources and eventually crashing websites," reports Softpedia. This botnet's particularity is the fact that attacks never fluctuated and the attackers managed to keep a steady rhythm. This is not a classic botnet of infected computers that go on and off, but of compromised CCTV systems that are always on and available for attacks. The brands of CCTV DVRs involved in these attacks are the same highlighted in a report by a security researcher this winter, who discovered a backdoor in the firmware of 70 different CCTV DVR vendors. These companies had bought unbranded DVRs from Chinese firm TVT. When informed of the firmware issues, TVT ignored the researcher and the issues were never fixed, leading to crooks creating this huge botnet.