Censorship

Chilling Effect of the Wassenaar Arrangement On Exploit Research 30 30

Bismillah writes: Security researchers are confused as to how the export control and licensing controls covering exploits affect their work. The upcoming Wassenaar restrictions were expected to discourage publication of such research, and now it's already started to happen. Grant Wilcox, writing his dissertation for the University of Northumbria at Newcastle, was forced to take a better-safe-than-sorry approach when it came time to release the vulnerabilities he found in Microsoft's EMET 5.1. "No legal consultation on the matter took place, but Wilcox noted that exploit vendors such as Vupen had started to restrict sales of their products and services because of new export control and licensing provisions under the Wassenaar Arrangement. ... Wilcox investigated the export control regulations but was unable to clarify whether it applied to his academic work. The university did not take part. He said the provisions defining which type of exploits and software are and aren't controlled were written in ambiguous language and appeared to contradict each other."
Windows

First Windows 10 RTM Candidate Appears 170 170

Mark Wilson reports that the first RTM candidate for Windows 10 has been spotted: build 10176. Leaks and sources have suggested the company intends to finalize the operating system later this week, perhaps as early as July 9th. This would give Microsoft almost three weeks to distribute it to retailers and devicemakers before the July 29th launch date. "While the RTM process has been a significant milestone for previous releases of Windows, it’s more of a minor one for Windows 10. Microsoft is moving Windows 10 to a 'Windows as a service' model that means the operating system is regularly updated."
DRM

Microsoft Edge, HTML5, and DRM 140 140

An anonymous reader writes: Microsoft is building its new browser, Edge, with the intention of avoiding many of the flaws that plagued Internet Explorer over its long and tumultuous life. Part of this involves moving away from plug-ins, and Edge will not support ActiveX. Instead, they're focusing on interoperable media, and that means non-plug-in video players that meet HTML5 specs. Of course, not all video players want to disseminate their content for free, which means: DRM. Microsoft's Edge team has published a new post explaining how they'll be handling support for DRM and "premium media" in the new browser.

They say, "Windows 10 and Microsoft Edge support DASH, MSE, EME and CENC natively, and other major browsers ship implementations of MSE and CENC compliant EME. This support allows developers to build plug-in free web video apps that runs across a huge range of platforms and devices, with each MSE/EME implementation built on top of a different media pipeline and DRM provider. In the days when DRM systems used proprietary file formats and encryption methods, this variation in DRM providers by browser would have presented a significant issue. With the development and use of Common Encryption (CENC), the problem is substantially reduced because the files are compressed in standard formats and encrypted using global industry standards. The service provider issues the keys and licenses necessary to consume the content in a given browser, but the website code, content and encryption keys are common across all of them, regardless of which DRM is in use."
Graphics

Square Enix Pulls, Apologizes For Mac Version of Final Fantasy XIV 94 94

_xeno_ writes: Just over a week after Warner Bros. pulled the PC version of Batman: Arkham Knight due to bugs, Square Enix is now being forced to do the same thing with the Mac OS X version of Final Fantasy XIV (which was released at the same time as Batman: Arkham Knight). The rather long note explaining the decision apologizes for releasing the port before it was ready and blames OS X and OpenGL for the discrepancy between the game's performance on identical Mac hardware running Windows. It's unclear when (or even if) Square Enix will resume selling an OS X version — the note indicates that the development team is hopeful that "[w]ith the adoption of DirectX 11 for Mac, and the replacement of OpenGL with a new graphics API in Apple's next OS, the fundamental gap in current performance issues may soon be eliminated." (I'm not sure what "the adoption of DirectX 11 for Mac" refers to. OS X gaining DirectX 11 support is news to me — and, I suspect, Microsoft.) Given that the game supports the aging PS3 console, you'd think the developers would be able to find a way to get the same graphics as the PS3 version on more powerful Mac OS X hardware.
GUI

Qt 5.5 Released 79 79

New submitter mx+b writes: The latest version of Qt, the cross platform GUI toolkit and development platform, is out for all major platforms. Highlights include better 3D, multimedia, and web support, as well as better support for the latest OS X and Windows releases (including Windows 10) and more Linux distributions.
Windows

Windows 10 Shares Your Wi-Fi Password With Contacts 483 483

gsslay writes: The Register reports that Windows 10 will include, defaulted on, "Wi-Fi Sense" which shares wifi passwords with Outlook.com contacts, Skype contacts and, with an opt-in, Facebook friends. This involves Microsoft storing the wifi passwords entered into your laptop which can then be used by any other person suitably connected to you. If you don't want someone's Windows 10 passing on your password, Microsoft has two solutions; only share passwords using their Wi-Fi Sense service, or by adding "_optout" to your SSID.
Operating Systems

People Are Obtaining Windows 7 Licenses For the Free Windows 10 Upgrade 172 172

jones_supa writes: Windows 7 has quickly started increasing its market share of desktop operating systems, nearing 61%. If you're wondering why this is happening when Windows 10 is almost here, the reason is this: Windows 10 will be available as a free upgrade for those running Windows 7 and 8, and the new OS will have the exact same hardware requirements as its predecessor, so the majority of PCs should be able to run it just as well. Because Windows 7 was launched in 2009, a license is more affordable than for Windows 8, so many users are switching to this version to take advantage of the Windows 10 free upgrade offer.
Microsoft

New Leaked Build Is Evidence That Windows 10 Will Be Ready By July 29 302 302

Ammalgam writes: A new pre-released build of Microsoft's latest Operating System Windows 10 leaked to the internet today. The build (10151) shows a more refined and significantly faster user interface than previous versions of the product. Microsoft seem to be focused on last minute refinements of the UI at this point and the product looks almost ready for prime time. A picture gallery of Windows 10 build 10151 can be found here.
Windows

Ask Slashdot: Are Post-Install Windows Slowdowns Inevitable? 517 517

blackest_k writes: I recently reinstalled Windows 7 Home on a laptop. A factory restore (minus the shovelware), all the Windows updates, and it was reasonably snappy. Four weeks later it's running like a slug, and now 34 more updates to install. The system is clear of malware (there are very few additional programs other than chrome browser). It appears that Windows slows down Windows! Has anyone benchmarked Windows 7 as installed and then again as updated? Even better has anybody identified any Windows update that put the slug into sluggish? Related: an anonymous reader asks: Our organization's PCs are growing ever slower, with direct hard-drive encryption in place, and with anti-malware scans running ever more frequently. The security team says that SSDs are the only solution, but the org won't approve SSD purchases. It seems most disk scanning could take place after hours and/or under a lower CPU priority, but the security team doesn't care about optimization, summarily blaming sluggishness on lack of SSDs. Are they blowing smoke?
Microsoft

Samsung To Stop Blocking Automatic Windows Updates 23 23

A few days ago, we mentioned that a piece of (nominally) utility software from Samsung was blocking critical security updates. Understandably, this isn't what users typically want. The Register reports that Samsung has now back-pedaled, though, and will be issuing a patch in the next few days to fix the glitch. (Users were able to manually install the updates anyhow, but the expected, automatic updates were blocked.) However, as the Register notes: The thought of a computer manufacturer disabling Windows Update will have had the Microsoft security team on edge. But there's also Windows 10 to consider. When the new operating system comes out, Windows Update will feed in fixes continuously, and if you're not a business customer those updates are going to be coming over the wires constantly. Enterprise users get Windows Update for Business, which allows them to choose when to patch, presumably after the plebs have beta-tested them.
NASA

Touring NASA's Space Shuttle Cockpit Trainer 18 18

An anonymous reader writes: Now that the space shuttles have been retired, NASA has been shutting down and cleaning out all of the equipment dedicated to keeping them in service. One such tool was the Crew Compartment Trainer II, a full-size replica of a space shuttle cockpit. Astronauts trained on it to become familiar with the operation of many onboard systems. Just before it was removed, Ars got a chance to tour it, and took a ton of pictures in the process. Quoting: "The forward windows are surprisingly small, and visibility dead ahead is limited to a very narrow section of the window. Both the pilot and commander have fighter-style HUDs (heads-up displays), which are used mainly during landing to keep them lined up and on target with the runway. ... Bloomfield walked me through a few procedures, and it was fascinating how complex the shuttles were in some areas and how primitive they were in others. The on-board computers of course received numerous updates throughout the vehicles' lives, but even in their final iteration they wouldn't have won any speed awards."
Software

Ask Slashdot: User-Friendly, Version-Preserving File Sharing For Linux? 211 211

petherfile writes: I've been a professional with Microsoft stuff for more than 10 years and I'm a bit sick of it to be honest. The one that's got me stuck is really not where I expected it to be. You can use a combination of DFS and VSS to create a file share where users can put whatever files they are working on that is both redundant and has "previous versions" of files they can recover. That is, users have a highly available network location where they can "go back" to how their file was an hour ago. How do you do that with Linux?

This is a highly desirable situation for users. I know there are nice document management things out there that make sharepoint look silly, but I just want a simple file share, not a document management utility. I've found versioning file systems for Linux that do what Microsoft does with VSS so much better (for having previous version of files available.) I've found distributed file systems for Linux that make DFS look like a bad joke. Unfortunately, they seem to be mutually exclusive. Is there something simple I have missed?
Security

Security Researcher Drops 15 Vulnerabilities for Windows and Adobe Reader 117 117

mask.of.sanity writes: Google Project Zero hacker Mateusz Jurczyk has dropped 15 remote code execution vulnerabilities, including a single devastating hack against Adobe Reader and Windows he reckons beats all exploit defenses. He said, "The extremely powerful primitive provided by the vulnerability, together with the fact that it affected all supported versions of both Adobe Reader and Microsoft Windows (32-bit) – thus making it possible to create an exploit chain leading to a full system compromise with just a single bug – makes it one of the most interesting security issues I have discovered so far." Jurczyk published a video demonstration of the exploit for 32-bit and 64-bit systems. His slides are here [PDF].
Windows

Samsung Cripples Windows Update To Prevent Incompatible Drivers 289 289

jones_supa writes: A file called Disable_Windowsupdate.exe — probably malware, right? It's actually a "helper" utility from Samsung, for which their reasoning is: "When you enable Windows updates, it will install the Default Drivers for all the hardware no laptop which may or may not work. For example if there is USB 3.0 on laptop, the ports may not work with the installation of updates. So to prevent this, SW Update tool will prevent the Windows updates." Too bad that the solution means disabling all critical security updates as well. This isn't the first time an OEM has compromised the security of its users. From earlier this year, we remember the Superfish adware from Lenovo, and system security being compromised by the LG split screen software.
Internet Explorer

HP Researchers Disclose Details of Internet Explorer Zero Day 49 49

Trailrunner7 writes: Researchers at HP's Zero Day Initiative have disclosed full details and proof-of-concept exploit code for a series of bugs they discovered that allow attackers to bypass a key exploit mitigation in Internet Explorer. The disclosure is a rarity for ZDI. The company typically does not publish complete details and exploit code for the bugs it reports to vendors until after the vulnerabilities are fixed. But in this case, Microsoft has told the researchers that the company doesn't plan to fix the vulnerabilities, even though the bugs were serous enough to win ZDI's team a $125,000 Blue Hat Bonus from Microsoft. The reason: Microsoft doesn't think the vulnerabilities affect enough users.

The vulnerabilities that the ZDI researchers submitted to Microsoft enable an attacker to fully bypass ASLR (address space layout randomization), one of the many mitigations in IE that help prevent successful exploitation of certain classes of bugs. ZDI reported the bugs to Microsoft last year and disclosed some limited details of them in February. The researchers waited to release the full details until Microsoft fixed all of the flaws, but Microsoft later informed them that they didn't plan to patch the remaining bugs because they didn't affect 64-bit systems.
Security

Emergency Adobe Flash Patch Fixes Zero-Day Under Attack 71 71

msm1267 writes: Adobe has released an emergency patch for a Flash zero-day used in targeted attacks by APT3, the same group behind 2014's Clandestine Fox attacks. Adobe said Flash Player 18.0.0.161 and earlier for Windows and Macintosh systems are affected, as is 11.2.202.466 for Linux 11.x versions.

The current iteration of Clandestine Fox attacks shares many traits with last year's attacks, including generic, almost spam-like phishing emails intent on snaring as many victims as possible that can be analyzed for their value before additional attacks are carried out. The two campaigns also share the same custom backdoor called SHOTPUT, as well as an insistence on using a throwaway command and control infrastructure.
Encryption

Ask Slashdot: Keeping Cloud Data Encrypted Without Cross-Platform Pain? 107 107

bromoseltzer writes: I use cloud storage to hold many gigs of personal files that I'd just as soon were not targets for casual data mining. (Google: I'm thinking of you.) I want to access them from Linux, Windows, and Android devices. I have been using encfs, which does the job for Linux fairly well (despite some well-known issues), but Windows and Android don't seem to have working clients. I really want to map a file system of encrypted files and encrypted names to a local unencrypted filesystem — the way encfs works. What solutions do Slashdot readers recommend? Ideal would be a competitive cloud storage service like Dropbox or Google Drive that provides trustworthy encryption with suitable clients. Is there anything like that?
Microsoft

Microsoft Attempts To Clarify the Windows 10 For Everyone Rumor 96 96

Ammalgam writes: Over the weekend, Microsoft caused a web explosion by seeming to imply that they were going to relax their licensing rules and offer Windows 10 for free to everyone. This caused an uproar of controversy online that Microsoft had to address. The company issued a statement in an attempt to clarify the Windows 10 licensing situation. The language is still a little confusing so on Windows10update.com, Onuora Amobi tries to simplify the language and sort out the distinction between users on the Windows Insider Program and non Windows Insiders.
The Military

The US Navy's Warfare Systems Command Just Paid Millions To Stay On Windows XP 192 192

itwbennett writes: The Navy relies on a number of legacy applications and programs that are reliant on legacy Windows products,' said Steven Davis, a spokesman for the Space and Naval Warfare Systems Command in San Diego. And that reliance on obsolete technology is costing taxpayers a pretty penny. The Space and Naval Warfare Systems Command, which runs the Navy's communications and information networks, signed a $9.1 million contract earlier this month for continued access to security patches for Windows XP, Office 2003, Exchange 2003 and Windows Server 2003.