By timothy from Slashdot's everything's-simple-to-somebody department
An anonymous reader writes: There's a German security researcher who is arduously testing the installers of tens of software products to see which of them are vulnerable to basic DLL hijacking. Surprisingly, many companies are ignoring his reports. Until now, only Oracle seems to have addressed this problem, in Java and VirtualBox. Here's a short (probably incomplete) list of applications that he found vulnerable to this attack: Firefox, Google Chrome, Adobe Reader, 7Zip, WinRAR, OpenOffice, VLC Media Player, Nmap, Python, TrueCrypt, and Apple iTunes. Mr. Kanthak also seems to have paid special attention to antivirus software installers. Here are some of the security products he discovered vulnerable to DLL hijacking: ZoneAlarm, Emsisoft Anti-Malware, Trend Micro, ESET NOD32, Avira, Panda Security, McAfee Security, Microsoft Security Essentials, Bitdefender, Rapid7's ScanNowUPnP, Kaspersky, and F-Secure.
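The class of bug behind the story above is that an installer started from the user's Downloads folder resolves DLLs it imports by bare name, and under Windows' default search order a non-KnownDLL is looked up in the executable's own directory before the system directory, so a same-named DLL planted in Downloads is what gets loaded. The following is an added example, not the submitter's or Kanthak's tooling: a stand-alone Python script that parses a PE file's import directory and lists the imported DLLs that are not in KnownDLLs, i.e. the names an attacker-supplied file beside the installer would satisfy first. The KnownDLLs set is an assumed subset (read the real one from the target machine's registry), and the sample PE is constructed in the block because no real installer is on the page.

```python
"""Static check for installer DLL hijacking candidates (added example).

Lists the DLLs a PE file imports by name and flags those that are not
Windows KnownDLLs.  KnownDLLs are mapped from the \\KnownDlls object
directory regardless of search path; everything else is resolved from the
directory the executable was started from first.
"""
import struct
import sys

# Assumed subset of HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs.
# Read the real list from the machine you are assessing; it varies by version.
KNOWN_DLLS = {
    "ntdll.dll", "kernel32.dll", "user32.dll", "gdi32.dll", "advapi32.dll",
    "ole32.dll", "oleaut32.dll", "rpcrt4.dll", "shell32.dll", "shlwapi.dll",
    "comdlg32.dll", "msvcrt.dll", "ws2_32.dll", "imm32.dll", "psapi.dll",
    "sechost.dll", "setupapi.dll", "combase.dll", "imagehlp.dll",
}


def _rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset via the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x not backed by any section" % rva)


def imported_dlls(pe):
    """Return the DLL names in the import directory, in table order."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file (no MZ header)")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]          # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file (no PE signature)")
    nsec = struct.unpack_from("<H", pe, pe_off + 6)[0]      # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, pe_off + 20)[0]  # SizeOfOptionalHeader
    opt_off = pe_off + 24
    magic = struct.unpack_from("<H", pe, opt_off)[0]
    dd_off = opt_off + (112 if magic == 0x20B else 96)      # PE32+ vs PE32 data dirs
    imp_rva = struct.unpack_from("<I", pe, dd_off + 8)[0]   # data directory 1: imports
    if imp_rva == 0:
        return []
    sections = []
    for i in range(nsec):
        _, vsize, va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", pe, opt_off + opt_size + 40 * i)
        sections.append((va, vsize, raw_ptr, raw_size))
    names, desc_off = [], _rva_to_offset(imp_rva, sections)
    while True:
        desc = struct.unpack_from("<IIIII", pe, desc_off)   # IMAGE_IMPORT_DESCRIPTOR
        if not any(desc):                                   # all-zero entry ends the table
            break
        name_off = _rva_to_offset(desc[3], sections)        # Name field is an RVA
        names.append(pe[name_off:pe.index(b"\0", name_off)].decode("ascii"))
        desc_off += 20
    return names


def hijackable_imports(pe):
    """Imports not served from \\KnownDlls, so resolved from the EXE's directory first."""
    return [n for n in imported_dlls(pe) if n.lower() not in KNOWN_DLLS]


def build_sample_pe(dll_names):
    """Construct a minimal PE32+ image holding only an import directory (test input)."""
    idata_rva, idata_raw = 0x1000, 0x200
    table_size = 20 * (len(dll_names) + 1)
    blob, name_rvas = b"", []
    for n in dll_names:
        name_rvas.append(idata_rva + table_size + len(blob))
        blob += n.encode("ascii") + b"\0"
    descriptors = b"".join(struct.pack("<IIIII", 0, 0, 0, r, 0) for r in name_rvas)
    idata = descriptors + bytes(20) + blob
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)     # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = (struct.pack("<H", 0x20B) + bytes(110)            # PE32+ magic, padding
           + struct.pack("<II", 0, 0)                        # export directory
           + struct.pack("<II", idata_rva, table_size)       # import directory
           + bytes(14 * 8))                                  # remaining directories
    section = struct.pack("<8sIIIIIIHHI", b".idata", len(idata), idata_rva,
                          len(idata), idata_raw, 0, 0, 0, 0, 0xC0000040)
    headers = dos + b"PE\0\0" + coff + opt + section
    return headers + bytes(idata_raw - len(headers)) + idata


if __name__ == "__main__":
    if len(sys.argv) > 1:
        data = open(sys.argv[1], "rb").read()
    else:  # constructed sample with an installer-style import set
        data = build_sample_pe(["KERNEL32.dll", "USER32.dll", "VERSION.dll", "dwmapi.dll"])
    for dll in hijackable_imports(data):
        print("resolved from the application directory first:", dll)
```

Run it as `python check.py setup.exe` on any installer to get the candidate list. Two caveats: it only reads the static import table, so delay-loaded imports and DLLs pulled in at runtime via LoadLibrary (common in installers) are not covered, and a static dependency of a KnownDLL is also served from \KnownDlls even though it is absent from the registry list. Confirm a candidate dynamically by placing a DLL of that name beside the installer and watching whether it is loaded; the fix on the vendor side is to load system DLLs by full path or restrict the search with SetDefaultDllDirectories.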
By timothy from Slashdot's tradeoffs-are-everywhere department
jones_supa writes: These days, the motivation to use open source software for many people is to avoid backdoors placed by intelligence organizations and to avoid software that has hidden privacy-intruding characteristics. For the operating system and userspace software, open choices are already available. The last remaining island has been the firmware included in various ROM chips in a computer. Libreboot has introduced an open BIOS, but it is not available for newer systems featuring the Intel ME or AMD PSP management features. Talos' Secure Workstation fills this need, providing a modern system with 8-core POWER8 CPU, 132 GB RAM, and open firmware. The product is currently in a pre-release phase where Raptor Engineering is trying to understand if it's possible to do a production run of the machine. If you are interested, it's worth visiting the official website. Adds an anonymous reader about the new system, which rings in at a steep $3100: "While the engineers found solace in the POWER8 architecture with being more open than AMD/Intel CPUs, they still are searching for a graphics card that is open enough to receive the FSF Respect Your Freedom certification." Update: 02/08 18:44 GMT by T : See also Linux hacker and IBM employee Stewart Smith's talk from the just-completed linux.conf.au on, in which he walks through "all of the firmware components and what they do, including the boot sequence from power being applied up to booting an operating system."
By timothy from Slashdot's hiding-with-the-other-zeros department
mikejuk writes: The Pi Zero was supposed to be available from November 26, 2015. It is now the start of February and all of the stockists, including the Pi Swag Shop, are still showing out of stock. That's two whole months, and counting, of restricted supply, which is more than an initial hiccup. Of course you would expect enough to be made available initially to meet the expected demand. The Pi sells something in the region of 200,000 per month, so what do you think the initial run of the Pi Zero actually was? The answer is 20,000 units. Of which 10,000 were stuck to the cover of MagPi and "given away", leaving just 10,000 in the usual distribution channels. And yet Eben Upton, founder of the Raspberry Pi Foundation, commented: "You'd think we'd be used to it by now, but we're always amazed by the level of interest in new Raspberry Pi products." Well yes, you really would think that they might be used to it by now and perhaps even prepared for it. At the time of writing the Pi Zero is still out of stock, and when it is briefly in stock customers are limited to one unit. A victim of its own success, yes, but the real victims are the Raspberry Pi's competitors.
By timothy from Slashdot's soon-we'll-leak-your-mailing-address department
itwbennett writes: On Sunday, the names, titles, email addresses, and phone numbers of more than 9,000 DHS employees, with titles ranging from engineers to security specialists, program analysts, InfoSec and IT, all the way up to director level, were posted on Twitter. 'The account went on to claim that an additional data dump focused on 20,000 FBI employees was next,' writes CSO's Steve Ragan. The hacker told Motherboard that the data was obtained by "compromising the email account of a DoJ employee, although he would not elaborate on how that account was accessed in the first place."
By timothy from Slashdot's listen-fellas department
An anonymous reader writes with Yahoo's report that the makers of Adblock Plus are "looking to reach out to advertisers and identify an 'acceptable' level and form of advertising on the net." That involves convincing advertisers to conform to the company's own guidelines for advertising, or an alternative path much disliked by some of the software's users — to pay the company to ignore ads that don't meet those guidelines. From the article:
Big websites can pay a fee not to be blocked. And it is these proceeds that finance the Cologne-based company and its 49-strong workforce. While Google and Amazon have paid up, others refuse.
Axel Springer, which publishes Germany's best-selling daily Bild, accuses [Adblock Plus maker] Eyeo of racketeering.
"We believe Eyeo's business model is against the law," a spokesman for Springer told AFP.
"Clearly, Eyeo's primary aim is to get its hands on a share of the advertising revenues."
Ultimately, such practices posed a threat to the professional journalism on the web, he suggested, an argument Eyeo rejects.