

News for nerds, stuff that matters

Password App Developer Overlooks Security Hole to Preserve Ads

Sun, 05/06/2016 - 8:30pm
An anonymous reader quotes this report from Engadget: Think it's bad when companies take their time fixing security vulnerabilities? Imagine what happens when they avoid fixing those holes in the name of a little cash. KeePass 2 developer Dominik Reichl has declined to patch a flaw in the password manager's update check as the 'indirect costs' of the upgrade (which would encrypt web traffic) are too high -- namely, it'd lose ad revenue... To his credit, Reichl notes that he'd like to move to encryption as soon as he believes it's possible. You can also verify that you're getting a signed download, if you're worried. However, it's still contradictory to develop a security-centric app and decide that security should take a back seat. An update on the site says the software's version information file is now digitally signed, adding that KeePass "neither downloads nor installs any new version automatically. Users have to do this manually... users should check whether the file is digitally signed... HTTPS cannot prevent a compromise of the download server; checking the digital signature does."

Read more of this story at Slashdot.

DistroWatch Finally Adds Support For IPv6

Sun, 05/06/2016 - 7:31pm
We've frequently linked to DistroWatch for their coverage of Linux package and release announcements. Now an anonymous reader writes: The DistroWatch website introduced IPv6 support on Friday and the new protocol has been getting a lot of attention. "Over 8% of our traffic this weekend came from IPv6 addresses," commented DistroWatch contributor Jesse Smith. "It was a pleasant surprise, we were not expecting that many people would be using IPv6 yet." When asked why DistroWatch enabled IPv6 access to their server at this time, Smith answered: "Partly it was an experiment to see how much interest there was in IPv6. Partly it was because it is a little embarrassing (in 2016) to have a technology focused website that is not making use of IPv6."


ASUS Delivers Its Updates Over HTTP With No Verification

Sun, 05/06/2016 - 6:31pm
The top five PC sellers have big security holes in the third-party tools which update their software. Now Softpedia follows up with a report that "The ASUS LiveUpdate software that comes pre-installed on all ASUS computers downloads critical BIOS and UEFI updates via plaintext HTTP and installs them without verifying the content's source or validity." An anonymous reader shares this report from developer Morgan Gangwere: "Content is delivered via ZIP archives over plain HTTP, extracted into a temporary directory and an executable run as a user in the 'Administrators' NT group ('Highest Permissions' task scheduler)." Softpedia adds that "The attackers wouldn't even need to mess around modifying low-level firmware code because the update process would launch anything you throw at it. This includes spyware, backdoors, remote access trojans, and anything an attacker would wish."
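Both the KeePass item above and the ASUS item make the same point: encrypting the update check is not what keeps a forged update out. A signature on the version-information file, and a digest check on the downloaded archive before anything is extracted or executed, are. The Go program below is an added example written for this page, not code from KeePass, ASUS or any of the articles quoted; the three-line manifest format, the Ed25519 key pair, the update URL and the archive bytes are all constructed for the demonstration. It plays a publisher signing a manifest, a client verifying it, and two attackers: one rewriting the plaintext-HTTP response in transit, and one replacing the file on the download server while leaving the manifest untouched.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Manifest is the version-information file an updater fetches. The layout
// (three lines: version, download URL, archive digest) is constructed for
// this example; it is not KeePass's or ASUS LiveUpdate's real format.
type Manifest struct {
	Version string
	URL     string
	SHA256  string // hex SHA-256 of the archive the URL is supposed to serve
}

// Encode returns the exact bytes that are signed and later verified.
func (m Manifest) Encode() []byte {
	return []byte(m.Version + "\n" + m.URL + "\n" + m.SHA256 + "\n")
}

// ParseManifest is only ever called on bytes whose signature already checked out.
func ParseManifest(raw []byte) (Manifest, error) {
	lines := strings.Split(strings.TrimRight(string(raw), "\n"), "\n")
	if len(lines) != 3 {
		return Manifest{}, fmt.Errorf("manifest: expected 3 lines, got %d", len(lines))
	}
	return Manifest{Version: lines[0], URL: lines[1], SHA256: lines[2]}, nil
}

// SignManifest is the publisher side; the private key stays on the release machine.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.Encode())
}

// VerifyManifest is the client side. The public key ships inside the installed
// program, so neither a network attacker nor a compromised server can swap it.
func VerifyManifest(pub ed25519.PublicKey, raw, sig []byte) (Manifest, error) {
	if !ed25519.Verify(pub, raw, sig) {
		return Manifest{}, errors.New("manifest: signature does not verify; version info untrusted")
	}
	return ParseManifest(raw)
}

// VerifyArchive refuses to unpack or run anything whose digest differs from
// the one promised by the signed manifest.
func VerifyArchive(m Manifest, archive []byte) error {
	sum := sha256.Sum256(archive)
	got := hex.EncodeToString(sum[:])
	if subtle.ConstantTimeCompare([]byte(got), []byte(m.SHA256)) != 1 {
		return fmt.Errorf("archive: sha256 %s does not match manifest %s", got, m.SHA256)
	}
	return nil
}

// ScenarioResult summarises the three checks RunScenario performs.
type ScenarioResult struct {
	GenuineAccepted  bool // untouched manifest plus matching archive passes
	TamperedRejected bool // manifest rewritten in transit fails the signature check
	SwappedRejected  bool // archive replaced on the server fails the digest check
}

// RunScenario plays publisher, honest client and both attackers on constructed data.
func RunScenario() (ScenarioResult, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return ScenarioResult{}, err
	}
	// Constructed sample release; the archive is just bytes for the demo.
	archive := []byte("PK\x03\x04 constructed archive contents for version 2.33")
	sum := sha256.Sum256(archive)
	m := Manifest{
		Version: "2.33",
		URL:     "http://updates.example/app-2.33.zip", // hypothetical URL
		SHA256:  hex.EncodeToString(sum[:]),
	}
	raw := m.Encode()
	sig := SignManifest(priv, m)

	var res ScenarioResult
	// 1. Honest path: signature verifies and the digest matches.
	got, err := VerifyManifest(pub, raw, sig)
	res.GenuineAccepted = err == nil && VerifyArchive(got, archive) == nil

	// 2. Network attacker rewrites the plaintext-HTTP response to point at
	//    another file. Without a signature the client would simply follow it.
	tampered := []byte(strings.Replace(string(raw), "app-2.33.zip", "evil.zip", 1))
	_, err = VerifyManifest(pub, tampered, sig)
	res.TamperedRejected = err != nil

	// 3. Download server compromised: the manifest is genuine but the file at
	//    the URL is not. HTTPS would not catch this; the signed digest does.
	res.SwappedRejected = VerifyArchive(got, []byte("backdoored build")) != nil
	return res, nil
}

func main() {
	res, err := RunScenario()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%+v\n", res)
}
```

The in-transit rewrite fails at the signature check before the URL is even read, and the server-compromise case is caught by the digest although the manifest itself is authentic, which is the distinction the KeePass update note draws between HTTPS and a digital signature. The archive check inherits its trust from the signed manifest; it is not a substitute for signing the archive itself, and an updater that, like the ASUS tool described above, extracts and runs whatever it downloads has neither.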


Working at Facebook Sounds Like Joining a Cult

Sun, 05/06/2016 - 5:30pm
Vanity Fair has run some excerpts from an upcoming book by a former employee that gives insight on how things work at the social network. The chapter, among other things, details Facebook CEO Mark Zuckerberg's actions when Google launched its own social networking service Google Plus. The extract finds Zuckerberg's behaviour so intense that it describes it as having "bordered on the psychopathic." It reads: [...] hit Facebook like a bomb. Google Plus was the great enemy's sally into our own hemisphere, and it gripped Zuck like nothing else. He declared "Lockdown," the first and only one during my time there. As was duly explained to the more recent employees, Lockdown was a state of war that dated to Facebook's earliest days, when no one could leave the building while the company confronted some threat, either competitive or technical. [...] Rounding off another beaded string of platitudes, he changed gears and erupted with a burst of rhetoric referencing one of the ancient classics he had studied at Harvard and before. "You know, one of my favorite Roman orators ended every speech with the phrase Carthago delenda est. 'Carthage must be destroyed.' For some reason I think of that now."


EFF Petitioned To Investigate Windows 10 Upgrades

Sun, 05/06/2016 - 4:30pm
An anonymous reader writes: One of the most frustrating things about the ongoing stream of stories about Windows 10 upgrades is that there seems to be no way to hold Microsoft to account. Or perhaps there is: a petition asking the Electronic Frontier Foundation to investigate has now been posted. The petition argues "people are being tricked or forced into upgrading to Windows 10 from their current, preferred version of Windows," and describes Microsoft's actions as "ignorantly unethical at best and malicious at worst."


New Swiss Robot Assists Travelers with Luggage

Sun, 05/06/2016 - 3:31pm
A Swiss airport is testing a robot named Leo which can carry a passenger's luggage once they're approaching the terminal. Leo's baggage compartment opens when passengers press his 'Scan & Fly' touch interface, which can also print luggage tags and display a departure time and boarding gate, before delivering their luggage to a baggage handler. The airport's head of IT said the new robot "limits the number of bags in the airport terminal, helping us accommodate a growing number of passengers without compromising the airport experience inside the terminal." And the robot's developer says it proves that robotics "hold the key to more effective, secure and smarter baggage handling and is a major step towards further automating bag handling in airports."
